Could Not Negotiate Encryption Algorithm


Date: Sept 11, 2016
Revision: 1.1


When attempting to perform an operation such as a password change or system refresh against an SSH target such as a Linux or UNIX system or device, you receive an error similar to the following:

-- Executing SSH shell command 'ChangeLoginPassword' from file 'C:\Program Files (x86)\Lieberman\Roulette\AnswerFiles\ResponseFileName.xml'
SSH connection to target 'SystemNameHere' (port 22) failed; error: 0x800403EB - [unknown] (component explanation: Could not negotiate client encryption algorithm using "aes256-cbc,3des-cbc".)
[SystemNameHere - TargetAccount] Password update for account 'TargetAccount' failed


The target SSH system and ERPM cannot negotiate an encryption algorithm. Without any additional parameters specified in the answer file used for the job, ERPM will default to using only the following encryption algorithms:

  • AES 256 CBC
  • 3DES CBC


There are two resolutions in this case:

  1. Update the SSH configuration of the target machine to support one or both of those methods. In Linux/UNIX this would be done by manipulating the /etc/ssh/sshd_config file.
  2. Update your answer file in the appropriate section to support the proper encryption method that is supported by your target system.

To update ERPM to work properly, first, identify the answer file and the correct section to update (note, this setting can be added to every command in every answer file). In the error above, the answer and the path to the answer file are explicitly called out: The answer file is called 'ResponseFileName.XML' located in 'C:\Program Files (x86)\Lieberman\Roulette\AnswerFiles'. The section being used is called 'ChangeLoginPassword'. If no path is provided, only an answer file name, the answer file is coming directly out of the database (ERPM version 5.4.0 and newer) and should be modified through the answer files editor in the ERPM console by editing the job or from under the settings menu. To support other types of encryption, the Encryption tag will need to be added to the answer file.

Add the following line to each command stanza that requires it and use the word ALL as shown or replace the word ALL with the preferred allowed method:


The Encryption parameter should be the last parameter specified. See the list (above) for the proper order of parameters. Below is a sample Command stanza:


Supported methods include:

  • ALL – AES 256 CBC, AES 192 CBC, 3DES CBC, AES 128 CBC, AES 256 CTR, AES 192 CTR, AES 128 CTR
  • CBC – AES 256 CBC, AES 192 CBC, AES 128 CBC, 3DES CBC
  • CTR – AES 256 CTR, AES 192 CTR, AES 128 CTR
  • Legacy – AES 256 CBC, 3DES CBC

If a specific value is not identified, the command will default to Legacy.

More Information:

For more information, please refer to your documentation in the admin guide. As of this writing, the most recent version of the admin guide addressing this item is found here:

Applies To:

  • Enterprise Random Password Manager (ERPM)
  • Random Password Manager (RPM)
Was this article helpful?
0 out of 0 found this helpful


Powered by Zendesk