Can't connect to devices which only support diffie-hellman-group1-sha1.
When running a command into these devices I get the error:
{"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]"}
I tried many different options to solve this like:
- add settings into .ssh/config (Works for ssh from the system but not from ansible)
- add different ssh variables into ansible group_vars file: (ansible_ssh_extra_args: '-o KexAlgorithms="+diffie-hellman-group1-sha1"', ansible_ssh_common_args: '-o KexAlgorithms=+diffie-hellman-group1-sha1', ansible_ssh_args: '-o KexAlgorithms=+diffie-hellman-group1-sha1')
- added as an argument into ansible-playbook: --ssh-extra-args "-o KexAlgorithms=+diffie-hellman-group1-sha1"

None of the above options worked, the playbook still fails with the same error message.
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:28 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x01B00000
ROM: Bootstrap program is Alpha board boot loader
BOOTLDR: C2960S Boot Loader (C2960S-HBOOT-M) Version 12.2(55r)SE, RELEASE SOFTWARE (fc1)
DEVICE_NAME uptime is xx years, xx weeks, x days, xx hours, xx minutes
System returned to ROM by power-on
System restarted at 09:51:09 GMT+1 Wed Dec 18 2013
System image file is "flash:/c2960s-universalk9-mz.122-55.SE7/c2960s-universalk9-mz.122-55.SE7.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco WS-C2960S-24TS-L (PowerPC) processor (revision H0) with 131072K bytes of memory.
Processor board ID FOC1712W0QY
Last reset from power-on
6 Virtual Ethernet interfaces
1 FastEthernet interface
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 08:CC:68:C1:BD:80
Motherboard assembly number : 73-11910-09
Power supply part number : 341-0328-02
Motherboard serial number : FOC17114336
Power supply serial number : DCA1706M83C
Model revision number : H0
Motherboard revision number : A0
Model number : WS-C2960S-24TS-L
Daughterboard assembly number : 73-11933-04
Daughterboard serial number : FOC17114GRE
System serial number : FOC1712W0QY
Top Assembly Part Number : 800-30954-04
Top Assembly Revision Number : A0
Version ID : V04
CLEI Code Number : COMGG00ARD
Daughterboard revision number : A0
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C2960S-24TS-L 12.2(55)SE7 C2960S-UNIVERSALK9-M
Configuration register is 0xF
STEPS TO REPRODUCE
Create a backup playbook and try to execute it.
---
- name: Network Backup
  connection: ansible.netcommon.network_cli
  hosts: brz-veam-02
  gather_facts: false
  tasks:
    - name: Get configuration
      become: true
      become_method: enable
      cisco.ios.ios_command:
        commands: show running-config
      register: cli_output
EXPECTED RESULTS
The config output into cli_output variable
ACTUAL RESULTS
ansible-playbook [core 2.16.11]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/semaphore/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /home/semaphore/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible-playbook
python version = 3.10.12 (main, Sep 11 2024, 15:47:36) [GCC 11.4.0] (/usr/bin/python3)
jinja version = 3.0.3
libyaml = True
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Loading collection ansible.builtin from
redirecting (type: inventory) ansible.builtin.netbox to netbox.netbox.nb_inventory
Loading collection netbox.netbox from /home/semaphore/.ansible/collections/ansible_collections/netbox/netbox
host_list declined parsing /home/XXX/netbox.yaml as it did not pass its verify_file() method
...
...
...
PLAYBOOK: aa.yaml ****************************************************************************************************************************************************************************
Positional arguments: ../aa.yaml
verbosity: 4
remote_user: ansible
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/home/XXX/netbox.yaml',)
extra_vars: ('@/home/XXX/extra_vars.yaml',)
forks: 5
1 plays in ../aa.yaml
PLAY [Network Backup] ************************************************************************************************************************************************************************
redirecting (type: action) cisco.ios.ios_command to cisco.ios.ios
Loading collection ansible.netcommon from /usr/lib/python3/dist-packages/ansible_collections/ansible/netcommon
TASK [Get configuration] *********************************************************************************************************************************************************************
task path: /home/XXX/aa.yaml:8
Loading collection ansible.utils from /usr/lib/python3/dist-packages/ansible_collections/ansible/utils
redirecting (type: terminal) ansible.builtin.ios to cisco.ios.ios
redirecting (type: cliconf) ansible.builtin.ios to cisco.ios.ios
redirecting (type: become) ansible.builtin.enable to ansible.netcommon.enable
redirecting (type: action) cisco.ios.ios_command to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_command to cisco.ios.ios
<DEVICE_IP> attempting to start connection
<DEVICE_IP> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<DEVICE_IP> local domain socket does not exist, starting it
<DEVICE_IP> control socket path is /home/semaphore/.ansible/pc/0f14f0d6e0
<DEVICE_IP> Loading collection ansible.builtin from
<DEVICE_IP> Loading collection ansible.netcommon from /usr/lib/python3/dist-packages/ansible_collections/ansible/netcommon
<DEVICE_IP> Loading collection ansible.utils from /usr/lib/python3/dist-packages/ansible_collections/ansible/utils
<DEVICE_IP> redirecting (type: terminal) ansible.builtin.ios to cisco.ios.ios
<DEVICE_IP> Loading collection cisco.ios from /usr/lib/python3/dist-packages/ansible_collections/cisco/ios
<DEVICE_IP> redirecting (type: cliconf) ansible.builtin.ios to cisco.ios.ios
<DEVICE_IP> local domain socket listeners started successfully
<DEVICE_IP> loaded cliconf plugin ansible_collections.cisco.ios.plugins.cliconf.ios from path /usr/lib/python3/dist-packages/ansible_collections/cisco/ios/plugins/cliconf/ios.py for network_os ios
<DEVICE_IP> ssh type is set to auto
<DEVICE_IP> autodetecting ssh_type
<DEVICE_IP> ssh type is now set to libssh
<DEVICE_IP> Loading collection ansible.builtin from
<DEVICE_IP> local domain socket path is /home/semaphore/.ansible/pc/0f14f0d6e0
redirecting (type: action) cisco.ios.ios_command to cisco.ios.ios
<DEVICE_IP> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<DEVICE_IP> ANSIBLE_NETWORK_IMPORT_MODULES: found cisco.ios.ios_command at /usr/lib/python3/dist-packages/ansible_collections/cisco/ios/plugins/modules/ios_command.py
<DEVICE_IP> ANSIBLE_NETWORK_IMPORT_MODULES: running cisco.ios.ios_command
<DEVICE_IP> ANSIBLE_NETWORK_IMPORT_MODULES: complete
The full traceback is:
File "/usr/lib/python3/dist-packages/ansible_collections/cisco/ios/plugins/module_utils/network/ios/ios.py", line 60, in get_capabilities
capabilities = Connection(module._socket_path).get_capabilities()
File "/usr/lib/python3/dist-packages/ansible/module_utils/connection.py", line 200, in __rpc__
raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [DEVICE_NAME]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"commands": [
"show running-config"
],
"interval": 1,
"match": "all",
"retries": 9,
"wait_for": null
}
},
"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]"
}
PLAY RECAP ***********************************************************************************************************************************************************************************
DEVICE_NAME : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
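A triage helper for the failure above, added here as an example and not part of the original issue or of Ansible: it parses the kex error and the `ssh type` line from the verbose output and reports what each side offered and how RFC 9142 rates the server's methods. The function names and the ratings table are this example's own; the sample text is an excerpt of the output shown above.

```python
import re

# RFC 9142 guidance for the key-exchange methods named in this issue.
KEX_GUIDANCE = {
    "diffie-hellman-group1-sha1": "SHOULD NOT (1024-bit group, SHA-1)",
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT (SHA-1)",
    "diffie-hellman-group14-sha1": "MAY (2048-bit group, SHA-1)",
}

KEX_RE = re.compile(
    r"no match for method kex algos: server \[([^\]]*)\], client \[([^\]]*)\]"
)
SSH_TYPE_RE = re.compile(r"ssh type is now set to (\w+)")

# Excerpt of the -vvvv output from this issue (two lines, hostnames as posted).
SAMPLE_LOG = """<DEVICE_IP> ssh type is now set to libssh
"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]"
"""


def _split(csv):
    """Turn 'a,b, c' into ['a', 'b', 'c'], dropping empty entries."""
    return [a.strip() for a in csv.split(",") if a.strip()]


def triage(log_text):
    """Return a dict describing the kex mismatch, or None if the log has none."""
    m = KEX_RE.search(log_text)
    if m is None:
        return None
    server, client = _split(m.group(1)), _split(m.group(2))
    t = SSH_TYPE_RE.search(log_text)
    return {
        # Library network_cli selected; ansible_ssh_*_args belong to the
        # OpenSSH-based "ssh" connection plugin, not to this transport.
        "ssh_type": t.group(1) if t else "unknown",
        "server": server,
        "client": client,
        "common": [a for a in server if a in client],
        # True when the device offers nothing but SHA-1 based key exchange.
        "server_sha1_only": bool(server) and all(a.endswith("-sha1") for a in server),
        "guidance": {a: KEX_GUIDANCE.get(a, "not rated here") for a in server},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over collected playbook logs, the same function gives an inventory of devices that still offer only `diffie-hellman-group1-sha1` and are candidates for a firmware upgrade or an isolated management path.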
I'm having a similar issue and the only way to fix it was setting values in .ssh/config which I really do not prefer for reproducibility reasons, and it seems like the module is ignoring anything I set in all.vars (inventory.yml) but I'm very new to ansible so I'm unsure if this is not an issue with me or not