ansible.netcommon
ansible.netcommon copied to clipboard
ansible-collections
ansible.netcommon.network_cli doesn't consider ssh arguments for ciphers
SUMMARY
we want to use ansible.netcommon.network_cli (which is the recommended method over paramiko) but the old devices are only having old ciphers and unable to use it with ansible.netcommon.network_cli
"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]"
ISSUE TYPE
- Bug Report
COMPONENT NAME
ansible.netcommon.network_cli
ANSIBLE VERSION
$ ansible --version
ansible [core 2.11.1]
config file = /home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg
configured module search path = ['/home/gmadappa/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/gmadappa/pyvirt/ansible210/lib64/python3.10/site-packages/ansible
ansible collection location = /home/gmadappa/ansible/bau-ansible/nw-automation/collections
executable location = /home/gmadappa/pyvirt/ansible210/bin/ansible
python version = 3.10.4 (main, Mar 25 2022, 00:00:00) [GCC 11.2.1 20220127 (Red Hat 11.2.1-9)]
jinja version = 3.1.1
libyaml = True
COLLECTION VERSION
$ ansible-galaxy collection list
# /home/gmadappa/ansible/bau-ansible/nw-automation/collections/ansible_collections
Collection Version
----------------- -------
ansible.netcommon 3.0.0
ansible.utils 2.6.1
cisco.asa 3.0.0
CONFIGURATION
$ ansible-config dump --only-changed
COLLECTIONS_PATHS(/home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg) = ['/home/gmadapp>
DEFAULT_HOST_LIST(/home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg) = ['/home/gmadapp>
DEFAULT_ROLES_PATH(/home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg) = ['/home/gmadap>
DEFAULT_TIMEOUT(/home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg) = 5
HOST_KEY_CHECKING(/home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg) = False
OS / ENVIRONMENT
$ cat /etc/fedora-release
Fedora release 35 (Thirty Five)
$ python -V
Python 3.10.4
Target Device: Cisco ASA (v9.8)
STEPS TO REPRODUCE
---
# Test Ansible version 2.11.1
- name: Network Connection Test
hosts: asa #localhost #"{{ nw_device }}"
gather_facts: no
tasks:
- name: Show the ASA version
cisco.asa.asa_command:
commands:
- show version
register: asa_version
ansible.cfg
[defaults]
#inventory file location
inventory = inventory
host_key_checking = false
timeout = 5
roles_path = ./roles
COLLECTIONS_PATHS = ./collections
[persistent_connection]
ssh_type = libssh
inventory
[local]
localhost ansible_connection=local
[asa]
ciscoasa ansible_host=192.168.57.121
[asa:vars]
ansible_user=adminasa
ansible_ssh_pass=password
ansible_become=true
ansible_become_method=ansible.netcommon.enable
ansible_become_pass=password
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=cisco.asa.asa
#ansible_python_interpreter=python
ansible_ssh_common_args=' -oKexAlgorithms=+diffie-hellman-group1-sha1 '
ansible_ssh_extra_args=' -oKexAlgorithms=+diffie-hellman-group1-sha1 '
EXPECTED RESULTS
Ansible is able to connect to the device and execute the commands.
ACTUAL RESULTS
$ansible-playbook 99_network-test.yaml -vvv
ansible-playbook [core 2.11.1]
config file = /home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg
configured module search path = ['/home/gmadappa/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/gmadappa/pyvirt/ansible210/lib64/python3.10/site-packages/ansible
ansible collection location = /home/gmadappa/ansible/bau-ansible/nw-automation/collections
executable location = /home/gmadappa/pyvirt/ansible210/bin/ansible-playbook
python version = 3.10.4 (main, Mar 25 2022, 00:00:00) [GCC 11.2.1 20220127 (Red Hat 11.2.1-9)]
jinja version = 3.1.1
libyaml = True
Using /home/gmadappa/ansible/bau-ansible/nw-automation/ansible.cfg as config file
host_list declined parsing /home/gmadappa/ansible/bau-ansible/nw-automation/inventory as it did not pass its verify_file() method
script declined parsing /home/gmadappa/ansible/bau-ansible/nw-automation/inventory as it did not pass its verify_file() method
auto declined parsing /home/gmadappa/ansible/bau-ansible/nw-automation/inventory as it did not pass its verify_file() method
Parsed /home/gmadappa/ansible/bau-ansible/nw-automation/inventory inventory source with ini plugin
redirecting (type: action) cisco.asa.asa_command to cisco.asa.asa
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: 99_network-test.yaml *************************************************************************
1 plays in 99_network-test.yaml
PLAY [Network Connection Test] *************************************************************************
META: ran handlers
redirecting (type: action) cisco.asa.asa_command to cisco.asa.asa
TASK [Show the ASA version] ****************************************************************************
task path: /home/gmadappa/ansible/bau-ansible/nw-automation/99_network-test.yaml:13
redirecting (type: action) cisco.asa.asa_command to cisco.asa.asa
redirecting (type: action) cisco.asa.asa_command to cisco.asa.asa
The full traceback is:
File "/home/gmadappa/ansible/bau-ansible/nw-automation/collections/ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa.py", line 119, in get_capabilities
capabilities = Connection(module._socket_path).get_capabilities()
File "/home/gmadappa/pyvirt/ansible210/lib64/python3.10/site-packages/ansible/module_utils/connection.py", line 195, in __rpc__
raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [ciscoasa]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"authorize": null,
"commands": [
"show version"
],
"context": null,
"interval": 1,
"match": "all",
"passwords": null,
"provider": null,
"retries": 10,
"wait_for": null
}
},
"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group1-sha1], client [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]"
}
PLAY RECAP *********************************************************************************************
ciscoasa : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
I have installed and switched to paramkio as follows and its working
[persistent_connection]
#ssh_type = libssh
ssh_type = auto
Any idea why libssh is not able to handle this ?
@ganeshrn My apologies for tagging you here.
I was referring to your article New LibSSH Connection Plugin for Ansible Network Replaces Paramiko, Adds FIPS Mode Enablement and noticed this is not really working in my case.
Do we have any other references or guidance on this ?
Thank in advance
I think you need to try add in /etc/ssh/ssh_config this: #Legacy changes KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
and run: ssh-keygen -A
I had done something like this in the past on my Ansible control node for support of older IOS devices
- name: add 'KexAlgorithms +diffie-hellman-group1-sha1' to /etc/ssh/ssh_config (for Cisco ssh support)
blockinfile:
path: /etc/ssh/ssh_config
marker: "# >> {mark} ANSIBLE MANAGED BLOCK - Older Cisco IOS support SHA-1"
insertafter: 'Host \*'
block: |
{{ item }}
with_items:
- ' KexAlgorithms +diffie-hellman-group1-sha1'
@epicanthal and @sprootik
Thank you for that. Yes, but with libssh it didn't work.
I am having the same issue with libssh not taking the cipher options. It also doesn't seem to be allowing paramiko to be used with the ios module.
Is there any work around to this?
I think the best solution would be to fully support ansible_ssh_common_args. Currently, it can be used to define a proxy, but no other options. It is unclear to me why that restriction exists.
I met the same issue for force10 networks, is there any progress?
I've tried to add var: ansible_libssh_config_file, but it doesn't work. Seems that another pr: https://github.com/ansible/pylibssh/pull/479 haven't been merged.
using + to append algorithms/ciphers in ssh config files doesn't work either, related or should I open a separate issue for it?
