
Execution Environment ignores ansible_ssh_common_args

Open berkutcloud opened this issue 2 years ago • 1 comment

Please confirm the following

  • [X] I agree to follow this project's code of conduct.
  • [X] I have checked the current issues for duplicates.
  • [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.

Bug Summary

Dear team,

I'm facing an issue where I cannot connect to legacy network equipment from AWX; the job fails with the following error message:

ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]

I can connect from inside the execution environment when I pass the ssh options explicitly, like this:

ssh [email protected] -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa -o Ciphers=aes256-cbc

I've added the key ansible_ssh_common_args to the host's inventory variables in AWX:

---
ansible_host: 192.168.86.240
ansible_network_os: cisco.ios.ios
ansible_become_method: enable
ansible_ssh_common_args: '-o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o Ciphers=+aes256-cbc'
...

I added a step to the playbook to print the content of the variable, and it looks fine:

    "ansible_ssh_common_args": "-o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o Ciphers=+aes256-cbc"
    }

The full execution log is attached as job_474.txt.

Best

AWX version

21.2.0

Select the relevant components

  • [X] UI
  • [X] API
  • [ ] Docs
  • [X] Collection
  • [ ] CLI
  • [ ] Other

Installation method

minikube

Modifications

yes

Ansible version

2.12.5.post0

Operating system

No response

Web browser

No response

Steps to reproduce

  1. Pull the EE
  2. Try to connect to any device, which doesn't support modern KeyExchange algorithms (I used Cisco IOS running 15T release)

Expected results

    $ ansible-playbook catalyst_upgrade.yml -K
    BECOME password:

    PLAY [SW UPGRADE] *******************************************************************************************************************

    TASK [infra : CREATING TEMP FOLDER] *************************************************************************************************
    ok: [VTA-3560-PRD-SW-MDF-003 -> localhost]

    TASK [infra : ansible.builtin.debug] ************************************************************************************************
    ok: [VTA-3560-PRD-SW-MDF-003] => {
        "ansible_ssh_common_args": "VARIABLE IS NOT DEFINED!"
    }

    TASK [cisco.ios.ios_device_check : COLLECTING SW VERSION AND PLATFORM TYPE] *********************************************************
    ok: [VTA-3560-PRD-SW-MDF-003]

    TASK [cisco.ios.ios_device_check : EXTRACTING VARS] *********************************************************************************
    ok: [VTA-3560-PRD-SW-MDF-003]

    TASK [cisco.ios.ios_device_check : REFORMATTING VARS] *******************************************************************************
    ok: [VTA-3560-PRD-SW-MDF-003]

    TASK [cisco.ios.ios_device_check : IMPORTING PER PLATFORM VARIABLES] ****************************************************************
    ok: [VTA-3560-PRD-SW-MDF-003]

    TASK [cisco.ios.ios_device_check : COLLECTING INFO TO SAVE] *************************************************************************
    ok: [VTA-3560-PRD-SW-MDF-003]

Actual results

    SSH password:
    BECOME password[defaults to SSH password]:

    PLAY [SW UPGRADE] **************************************************************

    TASK [infra : CREATING TEMP FOLDER] ********************************************
    changed: [VTA-3560-PRD-SW-MDF-003 -> localhost]

    TASK [cisco.ios.ios_device_check : COLLECTING SW VERSION AND PLATFORM TYPE] ****
    fatal: [VTA-3560-PRD-SW-MDF-003]: FAILED! => {"changed": false, "msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]"}

    PLAY RECAP *********************************************************************
    VTA-3560-PRD-SW-MDF-003 : ok=1 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Additional information

Execution Environment

berkutcloud avatar Jul 26 '22 22:07 berkutcloud
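The negotiation failure quoted above, triaged in code. This is an added example and not AWX, Ansible or libssh code: it parses the libssh message from the issue (and, going beyond the issue, the equivalent OpenSSH client message "no matching ... found. Their offer: ..."), lists what the client would have to re-enable, flags the algorithms that are known-weak, and builds the narrowest "-o Option=+algorithm" flag that would close the gap. Only the method name "kex algos" is confirmed by this page; the other libssh method names in the table are assumed from libssh's kex.c, and the sample messages are constructed. Note that the flag it produces is an OpenSSH client option: network_cli's libssh and paramiko backends never exec the ssh binary, so such a flag is not something they can see.

```python
"""Triage a failed SSH algorithm negotiation against a legacy device.

Added example, not AWX/Ansible/libssh code. Parses two message shapes:
the libssh form quoted in the issue ("kex error : no match for method ...")
and the OpenSSH client form ("no matching ... found. Their offer: ...").
"""
import re
from typing import Any, Dict, List, Optional

# Algorithms modern clients have dropped from their defaults. Re-enabling one
# is a deliberate downgrade; scope it to the single host that needs it.
LEGACY = {
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1 group exchange",
    "diffie-hellman-group14-sha1": "SHA-1 key exchange",
    "ssh-rsa": "RSA host key with SHA-1 signatures",
    "ssh-dss": "DSA host key",
    "aes256-cbc": "CBC-mode cipher",
    "aes128-cbc": "CBC-mode cipher",
    "3des-cbc": "3DES in CBC mode",
    "hmac-md5": "MD5 MAC",
}

# libssh method name -> OpenSSH ssh_config option. "kex algos" appears in the
# issue; the remaining names are ASSUMED from libssh's kex.c.
LIBSSH_METHOD_TO_OPTION = {
    "kex algos": "KexAlgorithms",
    "server host key algo": "HostKeyAlgorithms",
    "encryption client->server": "Ciphers",
    "encryption server->client": "Ciphers",
    "mac algo client->server": "MACs",
    "mac algo server->client": "MACs",
}

# OpenSSH client wording: "no matching <what> found. Their offer: ..."
OPENSSH_WHAT_TO_OPTION = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

_LIBSSH_RE = re.compile(
    r"no match for method (?P<method>[^:\[\]]+?):\s*"
    r"server \[(?P<server>[^\]]*)\],\s*client \[(?P<client>[^\]]*)\]"
)
_OPENSSH_RE = re.compile(
    r"no matching (?P<what>key exchange method|host key type|cipher|MAC) found\."
    r"\s*Their offer:\s*(?P<offer>\S+)"
)


def _split(csv: str) -> List[str]:
    return [a.strip() for a in csv.split(",") if a.strip()]


def parse_negotiation_failure(msg: str) -> Optional[Dict[str, Any]]:
    """Return the OpenSSH option name, both offers, their overlap and what the
    client lacks; None if msg is not an algorithm-negotiation failure."""
    m = _LIBSSH_RE.search(msg)
    if m:
        option = LIBSSH_METHOD_TO_OPTION.get(m.group("method").strip())
        server, client = _split(m.group("server")), _split(m.group("client"))
    else:
        m = _OPENSSH_RE.search(msg)
        if not m:
            return None
        option = OPENSSH_WHAT_TO_OPTION[m.group("what")]
        server, client = _split(m.group("offer")), []  # OpenSSH omits its own list
    if option is None:
        return None
    return {
        "option": option,
        "server": server,
        "client": client,
        "common": [a for a in client if a in server],   # in client preference order
        "missing": [a for a in server if a not in client],
    }


def weak_algorithms(algs: List[str]) -> Dict[str, str]:
    """Subset of algs that are known-weak, with the reason."""
    return {a: LEGACY[a] for a in algs if a in LEGACY}


def suggest_ssh_option(parsed: Dict[str, Any]) -> str:
    """Narrowest OpenSSH client flag that closes the gap. The leading '+'
    appends to the client's default list instead of replacing it (ssh_config(5)).
    Only the OpenSSH-based 'ssh' connection reads such flags; libssh and
    paramiko backends never exec the ssh binary and so never see them."""
    missing = parsed["missing"]
    if not missing:
        return ""
    return "-o %s=+%s" % (parsed["option"], ",".join(missing))


if __name__ == "__main__":
    # Constructed input: the libssh message from the issue, client list shortened.
    sample = ("ssh connection failed: ssh connect failed: kex error : no match "
              "for method kex algos: server [diffie-hellman-group1-sha1], "
              "client [curve25519-sha256,diffie-hellman-group14-sha1]")
    p = parse_negotiation_failure(sample)
    print(suggest_ssh_option(p))  # -o KexAlgorithms=+diffie-hellman-group1-sha1
    for alg, why in weak_algorithms(p["missing"]).items():
        print("WARNING: re-enabling %s (%s)" % (alg, why))
```

Run against a batch of job logs, the "missing" list tells you per device which downgrade is actually required, and weak_algorithms() is the list to put in front of whoever owns the switch before anything is added to the inventory.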

I am noticing this also: when the ssh connection type gets set to libssh, it does not honor these settings. It also does not honor changes to /etc/ssh/ssh_config.

Not a fix but a workaround is to configure:

ansible_network_cli_ssh_type: paramiko

This seems to work. I do not think it is honoring the above ssh settings either, but it does seem to have more liberal defaults.

The presence of the ansible-pylibssh library leads to libssh being preferred as the auto-detected ssh type. When that pip package is uninstalled, a warning is printed, "[WARNING]: ansible-pylibssh not installed, falling back to paramiko", and even without the above config specifically setting the ssh_type to paramiko, the awx-ee image will fall back to paramiko.

With the above configuration it will use paramiko even if ansible-pylibssh is installed; auto-detection does not kick in, it just uses paramiko.

hfuda avatar Aug 04 '22 20:08 hfuda