Failed to connect to the host via ssh - no matching host key type found. Their offer: ssh-rsa,ssh-dss
Please confirm the following
- [x] I agree to follow this project's code of conduct.
- [x] I have checked the current issues for duplicates.
- [x] I understand that AWX is open source software provided for free and that I might not receive a timely response.
- [x] I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)
Bug Summary
Unable to connect to old devices using SSHv1.
AWX version
24.6.1
Select the relevant components
- [x] UI
- [ ] UI (tech preview)
- [x] API
- [ ] Docs
- [ ] Collection
- [x] CLI
- [x] Other
Installation method
kubernetes
Modifications
no
Ansible version
2.15.6
Operating system
Rocky Linux 9.6
Web browser
Chrome
Steps to reproduce
- SSH into a Linux machine with an old kernel, i.e. 2.6.32-573.22.1.el6.AV1.x86_64
- You'll get an error: `Failed to connect to the host via ssh: Unable to negotiate with AVAYA_EMS_SERVER port 222: no matching host key type found. Their offer: ssh-rsa,ssh-dss`
- Trying to define `ansible_ssh_common_args: '-o PubkeyAcceptedKeyTypes=+ssh-dss,ssh-rsa -o HostKeyAlgorithms=+ssh-rsa'` in the play results in the error: `Data could not be sent to remote host "AVAYA_EMS_SERVER". Make sure this host can be reached over ssh: ssh_dispatch_run_fatal: Connection to IP_ADDRESS port 222: error in libcrypto`
- I'm not sure if it's related, but the VM displays a pre-authentication banner.
Expected results
Ansible connects via SSH.
Actual results
Error: no matching host key type found. Their offer: ssh-rsa,ssh-dss.
Specifying ansible_ssh_common_args results in error in libcrypto.
Additional information
Affected code:

```yaml
- name: Backup block for EMS - SSH
  when: ssh222_enabled is succeeded
  vars:
    ansible_port: 222
    snapshot_dir: /usr/local/ipcs/snapshots/
    ansible_user: "{{ avaya_sbcems_login }}"
    ansible_password: "{{ avaya_sbcems_password }}"
    # client-side workaround for the "no matching host key type" error;
    # with the EL9-based EE this is where "error in libcrypto" appears
    ansible_ssh_common_args: '-o PubkeyAcceptedKeyTypes=+ssh-dss,ssh-rsa -o HostKeyAlgorithms=+ssh-rsa'
  block:
    - name: Find the most recent ZIP snapshot file
      delegate_to: localhost
      shell: |
        ls -t {{ snapshot_dir }}*.zip | head -n 1
      register: latest_snapshot
      changed_when: false
```
Job log in the attachment. This is a follow up to https://github.com/ansible/awx/issues/15840.
Hey @marek1712 Thanks for opening the issue. From reading through, maybe there is an issue in your setup? Perhaps it could be a missing key in known_hosts or other place.
Could you try disabling host key checking by adding this to your inventory to see if you can establish a connection without SSH?
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
Hi @oraNod. Apologies for abandoning this thread. I think it isn't an issue of key checks. I went through several pages and finally found this: https://github.com/ansible/awx/issues/15181.
After further investigation, this was caused by the crypto policies in the EE image. This used to work with older AWX versions that ran on CentOS 7 and 8, but it turns out the EE images are using CentOS Stream 9, which has SHA1 disabled. I added this to our custom EE images to run update-crypto-policies and it fixed the issue.
Unfortunately I don't have a place to host my own EE, so for these specific hosts I deployed EE 21.11.0 which seems to be the last one running CentOS 8.
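Added example, not part of this issue or of the AWX project: a small POSIX shell helper that turns the reported error line into the client-side ssh option, decides from the server's offer whether the EE needs SHA-1 signatures re-enabled (an ssh-rsa host key is signed with SHA-1, which the EL9 DEFAULT policy rejects, producing the "error in libcrypto" seen above), and prints the build step for a custom EE. Assumptions: the OpenSSH `HostKeyAlgorithms` option, the RHEL/CentOS Stream 9 `DEFAULT:SHA1` crypto-policy subpolicy (`LEGACY` is the broader alternative), and ansible-builder's `additional_build_steps.prepend_final` key; the error line is constructed from the one in the report.

```shell
#!/bin/sh
# Added example (not AWX or Ansible code). Assumes OpenSSH option names,
# the RHEL/CentOS 9 "DEFAULT:SHA1" crypto-policy and ansible-builder v3 keys.
set -eu

# Constructed sample of the error Ansible reports for the legacy host.
SAMPLE_ERR='Unable to negotiate with AVAYA_EMS_SERVER port 222: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

# offer_from_error ERROR_LINE: extract the comma-separated "Their offer:" list.
offer_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*Their offer: *\([^ ]*\).*/\1/p'
}

# legacy_ssh_opts OFFER: build the single ssh -o option that re-admits the
# offered host key algorithms. Only HostKeyAlgorithms matters for this error;
# PubkeyAccepted* governs the client's own authentication keys and is
# irrelevant when Ansible authenticates with a password, as in the play above.
legacy_ssh_opts() {
  keep=""
  oldifs=$IFS; IFS=,
  for alg in $1; do
    case "$alg" in
      ssh-dss) ;;                          # disabled by default since OpenSSH 7.0; not re-enabled
      *) keep="${keep:+$keep,}$alg" ;;
    esac
  done
  IFS=$oldifs
  if [ -n "$keep" ]; then
    printf '%s\n' "-o HostKeyAlgorithms=+$keep"
  fi
}

# needs_sha1_subpolicy OFFER: succeed (0) when the only usable host key
# algorithm is ssh-rsa, i.e. the client must verify a SHA-1 signature.
# If the server also offers a SHA-2 RSA, ECDSA or Ed25519 host key the client
# negotiates that and the crypto policy can stay at DEFAULT.
needs_sha1_subpolicy() {
  case ",$1," in
    *,rsa-sha2-256,*|*,rsa-sha2-512,*|*,ecdsa-sha2-*|*,ssh-ed25519,*) return 1 ;;
    *,ssh-rsa,*) return 0 ;;
    *) return 1 ;;
  esac
}

# ee_crypto_policy_step: the execution-environment.yml fragment that relaxes
# the EE's crypto policy at build time (assumed ansible-builder v3 keys).
ee_crypto_policy_step() {
  cat <<'EOF'
additional_build_steps:
  prepend_final:
    # re-enable SHA-1 signatures only; "LEGACY" would relax far more than needed
    - RUN update-crypto-policies --set DEFAULT:SHA1
EOF
}

# Walk the reported error through the helpers.
offer=$(offer_from_error "$SAMPLE_ERR")
printf 'server offers: %s\n' "$offer"
printf 'ansible_ssh_common_args: %s\n' "$(legacy_ssh_opts "$offer")"
if needs_sha1_subpolicy "$offer"; then
  echo 'ssh-rsa is the only usable host key: the EE also needs the SHA-1 subpolicy:'
  ee_crypto_policy_step
fi
```

Note that the inventory option alone is not enough on an EL9-based EE: ssh will now accept the ssh-rsa host key type, but libcrypto still refuses to verify its SHA-1 signature until the image's crypto policy is changed, which is exactly the two-stage failure the report shows.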
Hey @marek1712 no need to apologize. Thanks for sharing a link to that issue.
Edit: I've removed a suggestion that I thought might work. But it's probably not great. I think the best advice, that I can provide, is to upgrade hosts to use something stronger than SSHv1. It's pretty weak and CentOS 9 probably disabled it for a solid reason. Not sure if that is helpful but I can ask around to see if any other options are available. Cheers.