Score:0

Ubuntu Key Exchange Algo


I am trying to test the connectivity to several network devices, with Ansible installed on Ubuntu 20.04.2 LTS, using an Ansible ad-hoc command.

The problem: SSH is not working, as the device's key exchange method is only ssh-RSA, and the server doesn't support that. I am trying to enforce ssh-RSA, but I know it's not available, as it wasn't sent as one of the key exchange methods in the cipher negotiation.

Ansible_output:

    (venv) omera@sandbox:~/code/ansible/play_06$ ansible all -m ping
    edge_02 | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.201 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
        "unreachable": true
    }
    edge_01 | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.200 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
        "unreachable": true
    }
    core_01 | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.202 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
        "unreachable": true
    }

edge_02_debug_output:

Edge_02#

    *Jun  7 07:49:14.738: SSH0: starting SSH control process
    *Jun  7 07:49:14.738: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
    *Jun  7 07:49:14.741: SSH0: protocol version id is - SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
    *Jun  7 07:49:14.741: SSH2 0: Server certificate trustpoint not found. Skipping hostkey algo = x509v3-ssh-rsa
    *Jun  7 07:49:14.741: SSH2 0: kexinit sent: hostkey algo = ssh-rsa
    *Jun  7 07:49:14.741: SSH2 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    *Jun  7 07:49:14.741: SSH2 0: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96
    *Jun  7 07:49:14.741: SSH2 0: SSH2_MSG_KEXINIT sent
    *Jun  7 07:49:14.741: SSH2 0: SSH2_MSG_KEXINIT received
    *Jun  7 07:49:14.741: SSH2 0: kex: client->server enc:aes128-ctr mac:hmac-sha1 
    *Jun  7 07:49:14.741: SSH2 0: kex: server->client enc:aes128-ctr mac:hmac-sha1 
    *Jun  7 07:49:14.741: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

My concern is: is it possible to set RSA as the key exchange method on Ubuntu (Ansible is using sshpass)?

    ii  sshpass  1.06-1   amd64  Non-interactive ssh password authentication
Michael Hampton: What sort of device is this? Have you updated its firmware?
Omera: It's Cisco IOU; the image: "unix:/opt/gns3/images/IOU/i86bi-linux-l3-adventerprisek9-15.5.2T.bin"
Omera: Found the solution on this [post](https://unix.stackexchange.com/questions/274274/specifying-ssh-kexalgorithms-works-at-cli-but-not-via-ssh-config)
Score:1

By default, Ansible uses OpenSSH, which is a bit picky with older IOS versions. You have to enable the Diffie-Hellman key exchange and some older ciphers in ~/.ssh/config.

    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

Alternatively, you might try paramiko for the transport.

    [defaults]
    inventory = /root/hosts
    host_key_checking=False
    timeout = 30
    transport = paramiko

While these instructions are generally true for IOS, I'm fairly certain that you are facing a similar issue on an IOU device too.

Source
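Two things a practitioner would want on top of the answer above: scope the legacy algorithms to the affected hosts with a `Host` stanza rather than enabling them globally, and enable the least-bad method the device actually offers (the error message lists `diffie-hellman-group14-sha1`, a 2048-bit group, next to the 1024-bit `diffie-hellman-group1-sha1` the answer turns on). The script below is an added example, not code from the question or the answer: it parses the `Their offer:` text from an Ansible/OpenSSH error line and emits a per-host stanza. The preference order and the sample error line are constructed for the example; the `HostKeyAlgorithms +ssh-rsa` line is not needed on the questioner's OpenSSH 8.2 but is on OpenSSH 8.8 and later, which disable ssh-rsa signatures by default, and the debug output shows the device offers only that host key algorithm.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer): turn OpenSSH's
# "no matching key exchange method" error into a per-host ~/.ssh/config
# stanza, choosing the least-bad KEX from what the device offered instead
# of enabling diffie-hellman-group1-sha1 for every host.
set -eu

# Constructed preference order, strongest first. All three are SHA-1 KEX
# methods; group14 is a fixed 2048-bit group, group-exchange negotiates
# the modulus size, and group1 (1024-bit) is kept only as a last resort.
PREFERRED_KEX="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"

# Constructed copy of one "msg" line from the Ansible output in the question.
SAMPLE_ERROR='"msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.201 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",'

# parse_offer: read an error line on stdin, print the offered KEX names
# separated by spaces.
parse_offer() {
  sed -n 's/.*Their offer: //p' | tr -d '"' | tr ',' ' '
}

# pick_kex OFFERED: print the first PREFERRED_KEX entry the server offered;
# fail if none matches, because then there is nothing acceptable to enable.
pick_kex() {
  local offered=" $1 " k
  for k in $PREFERRED_KEX; do
    case "$offered" in
      *" $k "*) printf '%s\n' "$k"; return 0 ;;
    esac
  done
  return 1
}

# host_stanza HOST KEX: emit an ssh_config block scoped to HOST only.
# HostKeyAlgorithms +ssh-rsa is required on OpenSSH 8.8+, where ssh-rsa
# (SHA-1 signatures) is off by default; the device offers only ssh-rsa.
host_stanza() {
  printf 'Host %s\n    KexAlgorithms +%s\n    HostKeyAlgorithms +ssh-rsa\n\n' "$1" "$2"
}

# stanza_from_error LINE: extract the host address and the offer, then
# print the stanza; fails when no offered KEX is on the preference list.
stanza_from_error() {
  local line="$1" host offer kex
  host=$(printf '%s\n' "$line" | sed -n 's/.*Unable to negotiate with \([^ ]*\) port .*/\1/p')
  offer=$(printf '%s\n' "$line" | parse_offer)
  kex=$(pick_kex "$offer") || return 1
  host_stanza "$host" "$kex"
}

# Stand-alone run: review the printed stanza, then append it to ~/.ssh/config.
stanza_from_error "$SAMPLE_ERROR"
```

Run it once per UNREACHABLE line (or feed it the three addresses from the inventory) and append the output to `~/.ssh/config`; keeping the weak algorithms inside `Host` blocks means every other SSH session on the control node keeps the OpenSSH defaults. `ssh -Q kex` lists the methods the local client is built with, which is worth checking before expecting `+diffie-hellman-group1-sha1` to take effect.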
