2

I've been trying to setup Ansible to connect to some of our legacy production switches to take regular backups. I'm running into the issue that many have faced, for example here.

I've created a file ~/.ssh/config containing

Host 123.123.123.123
    KexAlgorithms +diffie-hellman-group14-sha1

This hasn't worked and still throws the error when I try to connect.

I've also added lines into /etc/ssh/ssh_config with no joy.

When I try to connect manually using ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123 I get an error message

Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: ssh-rsa

Does anyone have any suggestions? After trying to set the negotiation server wide and at an adhoc level I'm no closer to getting it working.

1 Answer

5

The machine to which you're connecting doesn't support any secure algorithms. For key exchange, it seems to only support Diffie-Hellman group 1, which is 1024 bits in size. This provides an inadequate 80-bit security level and is believed to have been broken by major governments.

For the SSH host key algorithm, only ssh-rsa is offered, which is RSA using SHA-1 for signatures. SHA-1 is known to be insecure and collisions can be found for USD 45,000, which is in the budget of any government and many private individuals.

For security, OpenSSH has disabled these algorithms because they should no longer be used. You should upgrade these systems to a securely patched SSH server or replace them. If you need to access them in order to do so, you can do so with the following syntax (note that multiple lines are required):

Host foo.example.com
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
2
  • You need separate lines in .ssh/config, but can put two (or more) -o options on (one) commandline. Commented Apr 30, 2022 at 3:31
  • Thanks, this worked and was already in place. What actually finally got this working for me was adding the ansible_connection = local in the ansible.conf file. Commented May 3, 2022 at 9:16
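The answer and the first comment make the same point: each ssh_config keyword goes on its own line, and the `+` prefix appends the legacy algorithm instead of replacing the default list. The following script is an added example, not code from the question, the answer or the OpenSSH project. It takes the `Unable to negotiate ... Their offer: ...` lines that the `ssh` client prints (the sample lines below are constructed, and note that OpenSSH reports an `ssh-rsa` offer as "no matching host key type found", not as a key exchange failure), works out which keyword each failure belongs to, renders a correctly laid-out `Host` stanza, and lists which of the offered algorithms are in a small, constructed set of algorithms that OpenSSH now disables by default, so the reader sees exactly what they are re-enabling for that host.

```python
import re

# Maps the failure class in OpenSSH's "no matching ... found" message to the
# ssh_config keyword that controls it.
FAILURE_TO_KEYWORD = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

# Constructed, illustrative set: algorithms the answer discusses plus two more
# that OpenSSH disables by default. Not an exhaustive list.
LEGACY_ALGORITHMS = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "ssh-rsa",
    "ssh-dss",
}

# Constructed sample of what `ssh` prints against a legacy switch.
SAMPLE_ERRORS = [
    "Unable to negotiate with 123.123.123.123 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 123.123.123.123 port 22: no matching host key "
    "type found. Their offer: ssh-rsa",
]

_OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|host key type|cipher|MAC) found\. "
    r"Their offer: (?P<offer>[\w@.,-]+)"
)


def parse_negotiation_errors(lines):
    """Return {ssh_config keyword: [offered algorithms]} from ssh error lines.

    Lines that are not negotiation failures are ignored; duplicate
    algorithms for the same keyword are kept once, in first-seen order.
    """
    needed = {}
    for line in lines:
        m = _OFFER_RE.search(line)
        if not m:
            continue
        keyword = FAILURE_TO_KEYWORD[m.group("what")]
        algs = needed.setdefault(keyword, [])
        for alg in m.group("offer").split(","):
            if alg not in algs:
                algs.append(alg)
    return needed


def build_host_stanza(host, needed):
    """Render a Host block with one keyword per line.

    The '+' prefix appends to OpenSSH's default list for this host only, so
    the client's defaults stay intact for every other destination.
    """
    lines = [f"Host {host}"]
    for keyword in sorted(needed):
        lines.append(f"    {keyword} +{','.join(needed[keyword])}")
    return "\n".join(lines) + "\n"


def legacy_algorithms(needed):
    """Sorted list of offered algorithms that are in the legacy set."""
    return sorted(
        alg for algs in needed.values() for alg in algs if alg in LEGACY_ALGORITHMS
    )


if __name__ == "__main__":
    needed = parse_negotiation_errors(SAMPLE_ERRORS)
    print(build_host_stanza("foo.example.com", needed))
    for alg in legacy_algorithms(needed):
        print(f"# re-enabling legacy algorithm for this host only: {alg}")
```

Append the printed stanza to `~/.ssh/config`, then run `ssh -G foo.example.com` and look at the `kexalgorithms` and `hostkeyalgorithms` lines it prints: `-G` shows the configuration the client will actually use for that host, so it confirms the stanza was parsed as separate lines before you involve Ansible. Scoping the change to one `Host` block, rather than editing `/etc/ssh/ssh_config`, keeps the weakened algorithm lists from applying to every other connection from that machine.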
