Issue
I have recently got an M2 powered MacBook Pro and tried installing ansible with its dependencies from PyPI. After a lot of failed attempts I found this GitHub post (https://github.com/ansible/pylibssh/issues/207) that helped me install ansible-pylibssh. My problem is that the script I am running keeps failing (cannot ssh to the device), because the device is using old ciphers and the ones shared with ansible are deprecated ones.
The error:
The full traceback is:
File "/Users/notomera/.pyenv/versions/3.10.7/lib/python3.10/site-packages/ansible_collections/cisco/ios/plugins/module_utils/network/ios/ios.py", line 94, in get_capabilities
capabilities = Connection(module._socket_path).get_capabilities()
File "/Users/notomera/.pyenv/versions/3.10.7/lib/python3.10/site-packages/ansible/module_utils/connection.py", line 200, in __rpc__
raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [cisco1.example.com]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"commands": [
"show clock"
],
"interval": 1,
"match": "all",
"provider": null,
"retries": 10,
"wait_for": null
}
},
"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]"
}
The full traceback is:
File "/Users/notomera/.pyenv/versions/3.10.7/lib/python3.10/site-packages/ansible_collections/cisco/ios/plugins/module_utils/network/ios/ios.py", line 94, in get_capabilities
capabilities = Connection(module._socket_path).get_capabilities()
File "/Users/notomera/.pyenv/versions/3.10.7/lib/python3.10/site-packages/ansible/module_utils/connection.py", line 200, in __rpc__
raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [cisco2.example.com]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"commands": [
"show clock"
],
"interval": 1,
"match": "all",
"provider": null,
"retries": 10,
"wait_for": null
}
},
"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]"
}
Plus I have added this cipher to ~/.ssh/config, but it is still not working.
Host cisco1.example.com
User test
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
Host cisco2.example.com
User test
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
Can you ssh to the device? Yes.
❯ ssh -v -i ~/.ssh/ansible-example cisco2.example.com
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/notomera/.ssh/config
debug1: /Users/notomera/.ssh/config line 12: Applying options for cisco2.example.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to cisco2.example.com port 22.
debug1: Connection established.
debug1: identity file /Users/notomera/.ssh/ansible-example type -1
debug1: identity file /Users/notomera/.ssh/ansible-example-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: compat_banner: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to cisco2.example.com:22 as 'test'
debug1: load_hostkeys: fopen /Users/notomera/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:iil00/s3WhfFe3WM7+kxyzMOtvtTFlDAEAOzU3hfk1I
debug1: load_hostkeys: fopen /Users/username/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'cisco2.example.com' is known and matches the RSA host key.
debug1: Found key in /Users/username/.ssh/known_hosts:2
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/username/.ssh/ansible-example explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
UPDATE: I have managed to get a different error message. It's about the hashing, but it seems that Ansible is ignoring the PubkeyAcceptedAlgorithms +ssh-rsa and HostkeyAlgorithms +ssh-rsa lines in the config. The error message:
fatal: [cisco1.example.com]: FAILED! => {"changed": false, "msg": "ssh connection failed: ssh connect failed: kex error : no match for method server host key algo: server [ssh-rsa], client [rsa-sha2-256]"}
~/.ssh/config is the same as before, with only one line changed:
KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Solution
I have managed to resolve the issue. The link that I've shared in the question section has the answer on how to install ansible-pylibssh on ARM processors. As for the config file ~/.ssh/config, I had to remove any + sign prefixing any algorithm. So the config looks like this:
# Host stanza as in the question; keeps the SHA-1 algorithms scoped to these
# two devices instead of offering them to every host
Host cisco1.example.com cisco2.example.com
User test
PubkeyAcceptedAlgorithms ssh-rsa
HostkeyAlgorithms ssh-rsa
KexAlgorithms diffie-hellman-group14-sha1
It worked like a charm.
Answered By - notomera Answer Checked By - Candace Johnson (WPSolving Volunteer)
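The failure in the question and the fix in the answer both come down to two mechanics: what the `+` prefix means in an algorithm list, and how an SSH client and server pick an algorithm. The Python below is an added example (not code from the post, from Ansible, or from libssh) that models OpenSSH's `+`/`-`/`^` list semantics, a parser that takes the list literally and therefore drops the `+diffie-hellman-group14-sha1` token, and RFC 4253 negotiation. The IOS server and client lists are copied from the error messages above (the second client entry appears email-obfuscated on the page); MODERN_SERVER_KEX and KNOWN_KEX are constructed for illustration.

```python
"""Added example, not code from the original post or from Ansible/libssh.

Models OpenSSH algorithm-list prefixes ('+', '-', '^'), a literal parser
with no prefix support, and SSH algorithm negotiation (RFC 4253 s7.1:
the first entry in the client's list that the server also offers).
"""

# Client KEX list as printed in the question's first error message.
CLIENT_DEFAULT_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256",
]
# Server KEX list as printed in the same error (Cisco IOS device).
IOS_SERVER_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"]
# Host key lists from the question's second error message.
CLIENT_DEFAULT_HOSTKEY = ["rsa-sha2-256"]
IOS_SERVER_HOSTKEY = ["ssh-rsa"]

# Constructed: a modern server offering only curve25519, used to show what a
# bare (non-'+') KexAlgorithms line outside a Host stanza does to other hosts.
MODERN_SERVER_KEX = ["curve25519-sha256"]
# Constructed: the algorithm names a client implementation recognises.
KNOWN_KEX = set(CLIENT_DEFAULT_KEX) | set(IOS_SERVER_KEX)

# SHA-1-based kex and signature algorithms, flagged so a run can report that
# a weak exception is in use instead of silently accepting it.
WEAK = {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1", "ssh-rsa", "ssh-dss"}


def apply_openssh_list(defaults, value):
    """Expand an OpenSSH-style list option as ssh_config(5) describes it.

    '+a,b' appends to the defaults, '-a,b' removes from them, '^a,b' moves
    them to the front; a bare list replaces the defaults. Duplicates skipped.
    """
    prefix = value[:1] if value[:1] in ("+", "-", "^") else ""
    items = value[len(prefix):].split(",")
    if prefix == "+":
        return list(defaults) + [a for a in items if a not in defaults]
    if prefix == "-":
        drop = set(items)
        return [a for a in defaults if a not in drop]
    if prefix == "^":
        return items + [a for a in defaults if a not in items]
    return items


def apply_literal_list(known, value):
    """Model a parser with no prefix support: each token survives only if it
    names a known algorithm, so '+diffie-hellman-group14-sha1' is dropped."""
    return [a for a in value.split(",") if a in known]


def negotiate(client, server):
    """First client preference the server also offers, else None (this is the
    'no match for method ...' failure shown in the question)."""
    offered = set(server)
    return next((a for a in client if a in offered), None)


def weak_in_use(chosen):
    """True when the negotiated algorithm is on the SHA-1 deny list."""
    return chosen in WEAK


def scenarios():
    """Try each configuration discussed on the page against both servers and
    return {name: (kex with IOS device, kex with modern server)}."""
    plus, bare = "+diffie-hellman-group14-sha1", "diffie-hellman-group14-sha1"
    configs = {
        "defaults": CLIENT_DEFAULT_KEX,
        "openssh_plus": apply_openssh_list(CLIENT_DEFAULT_KEX, plus),
        "literal_plus": apply_literal_list(KNOWN_KEX, plus),
        "bare_global": apply_openssh_list(CLIENT_DEFAULT_KEX, bare),
    }
    return {name: (negotiate(kex, IOS_SERVER_KEX), negotiate(kex, MODERN_SERVER_KEX))
            for name, kex in configs.items()}


if __name__ == "__main__":
    for name, (ios, modern) in scenarios().items():
        print(f"{name:13s} IOS device: {str(ios):36s} modern server: {modern}")
    hk = negotiate(apply_openssh_list(CLIENT_DEFAULT_HOSTKEY, "ssh-rsa"), IOS_SERVER_HOSTKEY)
    print("HostKeyAlgorithms ssh-rsa ->", hk, "(weak)" if weak_in_use(hk) else "")
```

The `bare_global` scenario is the caveat behind the answer: once the `+` is removed, the line replaces the default list rather than extending it, so outside a `Host` stanza it would offer only the SHA-1 group exchange to every server and break connections to hosts that only speak modern algorithms. Keep the exception inside the stanza for the IOS devices and track it as a known weakness, since both diffie-hellman-group14-sha1 and the ssh-rsa signature scheme depend on SHA-1.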