net::ssh could not settle on host_key algorithm -- needs dh-sha256
Hi, I've recently got oxidized working and providing backups of devices; however, the latest device installed in production has dh-group14-sha256 enabled. ssh on the host works fine to the device.
Unfortunately, when I added it to oxidized, it is giving me an error in the logs: raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on kex algorithm".
Researching, it looks like this is related to the version of net::ssh. I have tried to test whether I can force oxidized 0.28... to use the newer version 6.1 of net::ssh, but I've had no luck.
I've found a few issue references: could not settle on host_key algorithm #686; Support strong SSH KexAlgorithms/MACs #733; forcing oxidized to use the latest version of net-ssh #2043.
So is there a method to force oxidized to load with the newer version of net::ssh? Or is there some flag that I need to use in the config to help with that?
oxidized (0.28.0, 0.26.3) net-ssh (6.1.0, 5.2.0)
Did you ever find a resolution for this?
I have same issue, any update?
https://github.com/ytti/oxidized/issues/2432#issuecomment-995067799
I can verify the same issue with Mellanox Onyx 3.9.3220 using the docker image oxidized/oxidized:latest.
I had found no good workaround (*) and had to settle for no ssh server security strict
temporarily.
(*) maybe I am just too blind
> I had found no good workaround (*) and had to settle for
> no ssh server security strict
> temporarily.

where?
@Bierchermuesli in the switch's config. You can find the info for the security-related settings in the Mellanox/Nvidia docs. I don't have the title, but IIRC there was a security hardening guide for Onyx or MLNX-OS.
Hi, I have the same problem with my new Huawei (S5731-H24P4XC). I've tried to update my Debian and Ruby, and no news... Then I tried to run a simple Ruby script with the new gem net-ssh 7.0.1 (gem install net-ssh) installed, and yes, it works.
Finally, update to the latest oxidized version:
- gem install oxidized
- cd /usr/local/rvm/gems/ruby-2.6.6/gems
- mv net-ssh-5.2.0/ OLD-net-ssh-5.2.0
- mv net-ssh-7.0.1/ net-ssh-5.2.0, and then start oxidized again, wait a few minutes to capture all data, and then make an API call http://x.x.x.x:8383/api/v0/oxidized/config/<switchname> and it retrieves all the data :)
@maavcrusoe your workaround might work, but it's not so nice renaming the folders... (future updates or other dependencies rely on 5.2?)
Also: with 7.0.1 you might have issues with older devices with old cryptos (needs the append_all_supported_algorithms: true
statement).
There is an open pull request for 7.0.0 you can use: https://github.com/ytti/oxidized/pull/2570 This works well for me.
Hi @Bierchermuesli, I know that was only for testing. I spent some hours more to fix it better; that's my working solution:
- I've reinstalled net-ssh -v 5.2.0 and -v 7.0.1 (not beta)
- reinstalled oxidized -v 0.28
- upgraded Ruby, because on Debian 10 the Ruby gem net-ssh 7 can't be installed, or I can't (https://www.howtoforge.com/how-to-install-ruby-on-rails-on-debian-10/)
- changed in this file
nano /usr/local/rvm/gems/ruby-2.6.6/gems/oxidized-0.28.0/oxidized.gemspec
s.add_runtime_dependency 'net-ssh', '~> 5'
to
s.add_runtime_dependency 'net-ssh', '~> 7'
- and in this other file
nano /usr/local/rvm/gems/ruby-2.6.6/specifications/oxidized-0.28.0.gemspec
s.add_runtime_dependency(%q<net-ssh>.freeze, ["~> 5"])
to
s.add_runtime_dependency(%q<net-ssh>.freeze, ["~> 7"])
- and finally, in the debug log from oxidized when talking to my new switch, I see
SSH-2.0-Ruby/Net::SSH_7.0.1 x86_64-linux
- on the old switches oxidized establishes Net::SSH_5.2 and works well
Hope it helps someone 😀
Hi @FlorianHeigl, I've got the login working on Mellanox Onyx 3.10 with the steps above from @maavcrusoe in combination with the keyboard-interactive auth method (disabling strict security is not needed then).
However, I can't get responses (I see channel data coming back, but it's followed by a NilClass exception). Sorry for going off topic here, but you seem to be the only clue online to get it to work... How did you get it to work? Any special config/template (I used MLNX-OS)?
I happened to stumble on this thread. I have oxidized pulling configs from my Mellanox Onyx 3.9.2110 switches with the default net-ssh 5.2 and RSA key auth; I did not change anything.
I, [2022-08-05T09:55:17.775040 #1986541] INFO -- net.ssh.transport.algorithms[244]: got KEXINIT from server
I, [2022-08-05T09:55:17.775139 #1986541] INFO -- net.ssh.transport.algorithms[244]: negotiating algorithms
D, [2022-08-05T09:55:17.775212 #1986541] DEBUG -- net.ssh.transport.algorithms[244]: negotiated:
* kex: diffie-hellman-group14-sha1
* host_key: ssh-rsa
* encryption_server: aes256-ctr
* encryption_client: aes256-ctr
* hmac_client: hmac-sha2-512
* hmac_server: hmac-sha2-512
* compression_client: none
* compression_server: none
* language_client:
* language_server:
D, [2022-08-05T09:55:17.775232 #1986541] DEBUG -- net.ssh.transport.algorithms[244]: exchanging keys
Hi @YordiDR-LS - I'll try to check again. I have 3 different envs with such switches that's why maybe I was more successful, but I also forgot the details once it was working. My tl;dr would be that during setup I followed some security guide (NIST?) and then had to pedal back on config settings until it worked.
Below are the config snippets that seem relevant (sorry, I can't sanitize everything in reasonable time)
/etc/oxidized/config
---
username: backback
password: abc
resolve_dns: false
interval: 3600
use_syslog: false
debug: false
threads: 30
# as per issue #112
timeout: 60
retries: 3
[...]
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
models:
  mlnxos:
    username: backup
    password: XXX
    vars:
      auth_methods:
        - keyboard-interactive
model_map:
  MLNX-OS: mlnxos
/etc/oxidized/router.db
sw1:192.168.12.34.:mlnxos:backup:PASS
ansible/mellanox/roles/mlnx_baseconf/tasks/main.yml
- name: security basics
  onyx_config:
    lines:
      - banner login-remote "private system no unauthorized access"
      - ssh server min-version 2
      #- ssh server security strict
      - no ssh server tcp-forwarding enable
      - web https ssl ciphers TLS1.2
      - no web http enable
      - ldap ssl mode start-tls
      # disable password ageing
      - password age expiration 0
[...]
ansible/roles/mlnx_user/tasks/main.yml
- name: Setup RO user on Mellanox Switch
  tags: user
  onyx_username:
    username: backup
    capability: monitor
    full_name: "Switch-backup-automation"
    # this has to go in a handler, the module is not good
    #password: "{{ oxidized_pw }}"
    #encrypted_password: False
  no_log: yes
As you can see, I had no choice but to remove ssh server security strict
on this pair of switches.
Those came HPE-branded and run HPE firmware. I think the ones with the newer, stock Mellanox Onyx behave slightly differently in a few aspects. The 3rd one I got has MLNX-OS (iow: it is old) and had no issues.
Let me throw in that generally it was a bit saddening to turn back security for no good reason at all, but in these cases I installed and ran oxidized (dockerized) as a best-practice thing for people who would not have any backups otherwise, and I had to make some (bad, but smaller) tradeoffs between security and getting the whole implementation blocked by courtesy of negative inertia.
@AxisNL I suspect it could be working out of the box due to your client OS, but I have no deeper proof of it...
Same problem on my Huawei S5732, which uses the diffie-hellman-group-exchange-sha256
KEX algorithm.
I added, in the lib/oxidized/input/ssh.rb file in the make_ssh_opts function:
130c130,131
< port: (vars(:ssh_port) || 22).to_i
---
> port: (vars(:ssh_port) || 22).to_i,
> append_all_supported_algorithms: true
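Review bot: the added `append_all_supported_algorithms: true` line is unconditional, so every device oxidized polls is offered the full algorithm set net-ssh knows, the old ciphers mentioned earlier in this thread included, not only the SHA-256 kex the Huawei needs; gate it behind a model var with the default off (for example `vars(:ssh_append_all_supported_algorithms)`, a hypothetical name) and document the var, so hardened devices keep a narrow offer. The trailing comma added to the `port:` line is correct and required for the new entry.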
to solve this problem.
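The "could not settle on kex algorithm" failure from the opening post, and why appending every algorithm (the workaround above) differs from adding only the needed SHA-256 kex, as an added Ruby example that is not code from oxidized or net-ssh; the algorithm lists are constructed, and `negotiate`/`try_kex` are hypothetical helper names.

```ruby
# Added example, not code from oxidized or net-ssh: SSH algorithm negotiation
# as RFC 4253 section 7.1 defines it. The client's list is walked in order and
# the first name the server also offers wins; no overlap aborts the handshake,
# which net-ssh reports as "could not settle on kex algorithm". Every list
# below is constructed for illustration, not copied from a net-ssh release.

NegotiationError = Class.new(StandardError)

# First client-preferred name that the server also supports, else raise.
def negotiate(kind, client, server)
  pick = client.find { |name| server.include?(name) }
  raise NegotiationError, "could not settle on #{kind} algorithm" unless pick
  pick
end

# Same, but returns nil instead of raising.
def try_kex(client, server)
  negotiate("kex", client, server)
rescue NegotiationError
  nil
end

# Hardened switch as in this thread: SHA-256 key exchange only.
HARDENED_SERVER_KEX = %w[
  diffie-hellman-group14-sha256
  diffie-hellman-group-exchange-sha256
].freeze

# Switch that still offers a SHA-1 kex next to a SHA-256 one.
MIXED_SERVER_KEX = %w[diffie-hellman-group14-sha1 diffie-hellman-group14-sha256].freeze

# Stand-in for a legacy client that only knows SHA-1 kex.
LEGACY_CLIENT_KEX = %w[diffie-hellman-group14-sha1 diffie-hellman-group1-sha1].freeze

# Stand-in for "append all supported algorithms": the legacy list first, then
# everything else the client knows, weak entries included. Order matters: a
# server that still offers a SHA-1 kex gets it picked over SHA-256.
APPEND_ALL_CLIENT_KEX = (LEGACY_CLIENT_KEX + %w[
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group14-sha256
  diffie-hellman-group-exchange-sha1
]).freeze

# Narrower fix: put only the strong kex the device needs at the front, so the
# hardened switch is satisfied and a weak algorithm is never preferred.
TARGETED_CLIENT_KEX = (%w[diffie-hellman-group14-sha256] + LEGACY_CLIENT_KEX).freeze
```

The kex names a given net-ssh release offers by default are in its Net::SSH::Transport::Algorithms source; check them there before relying on either list.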
@fixed77: You only added this line, and now better ciphers are working with the old net-ssh version? For me this is not working.
Running into this same issue as well with my hardened SSH configurations. Is there any reason why net-ssh can't be bumped to 7?
As can be seen in https://github.com/ytti/oxidized/blob/master/oxidized.gemspec#L27, net-ssh is already on version 7.
I see that on your URL, but it's not in the gem I can install on Debian Stable (0.28.0) due to Ruby 3 requirement.