
Oxidized ssh issue

Open aravaschio opened this issue 1 year ago • 4 comments

hi everyone.

I am trying to log into a Cisco router with oxidized using public key authentication. Since the router only supports old ssh algorithms, in order to connect via CLI, I must add the following option to the `~/.ssh/config` file: `PubkeyAcceptedAlgorithms +ssh-rsa`

Is there a way to do the same in oxidized? I've tried https://github.com/ytti/oxidized/blob/master/docs/Configuration.md#ssh-enabling-legacy-algorithms with no luck.

Thanks.

aravaschio commented Nov 11 '23 15:11

Hello! Please show how your file was configured, showing the "Source" section, including the "vars_map" with the options ssh_kex, ssh_host_key, ssh_hmac, ssh_encryption.

Luanpablo100 commented Nov 23 '23 13:11

Hi Luanpablo100! Really sorry for not responding before.

Here's my config file:

```yaml
resolve_dns: true
interval: 86400
log: "/home/oxidized/.config/oxidized/logs/log"
use_syslog: false
debug: true
threads: 30
use_max_threads: false
timeout: 20
retries: 2
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 127.0.0.1:8888
next_adds_job: false
vars:
  remove_secret: true
  ssh_keys: "/home/oxidized/.ssh/id_rsa"
groups:
  cisco-iosxr:
    username: cisco
    vars:
      auth_methods: [ "publickey" ]
      retries: 2
pid: "/home/oxidized/.config/oxidized/pid"
crash:
  directory: "/home/oxidized/.config/oxidized/crashes"
  hostnames: false
stats:
  history_size: 200
input:
  default: ssh, telnet
  debug: true
  ssh:
    secure: false
  ftp:
    passive: true
  utf8_encoded: true
output:
  default: git
  git:
    debug: true
    single_repo: true
    user: oxidized
    email: [email protected]
    repo: /home/oxidized/configs.git
source:
  default: csv
  csv:
    file: "/home/oxidized/.config/oxidized/router.db"
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      ip: 1
      model: 2
      group: 3
      ssh_kex: 4
      ssh_host_key: 5
      ssh_hmac: 5
      ssh_encryption: 6
    gpg: false
model_map:
  cisco-iosxr: iosxr
```

And here's my router.db file:

```text
router1.test.com:10.10.10.1:iosxr:cisco-iosxr:diffie-hellman-group-exchange-sha256:diffie-hellman-group14-sha1:hmac-sha2-256:aes128-ctr
```

This is what the log returns:

```text
D, [2023-12-21T02:03:40.552819 #499830] DEBUG -- : AUTH METHODS::["publickey"]
D, [2023-12-21T02:03:40.554754 #499830] DEBUG -- net.ssh.transport.session[654]: establishing connection to 10.10.10.1:22
D, [2023-12-21T02:03:40.559969 #499830] DEBUG -- net.ssh.transport.session[654]: connection established
I, [2023-12-21T02:03:40.560080 #499830]  INFO -- net.ssh.transport.server_version[668]: negotiating protocol version
D, [2023-12-21T02:03:40.560128 #499830] DEBUG -- net.ssh.transport.server_version[668]: local is `SSH-2.0-Ruby/Net::SSH_7.2.0 x86_64-linux-gnu'
D, [2023-12-21T02:03:40.736240 #499830] DEBUG -- net.ssh.transport.server_version[668]: remote is `SSH-2.0-Cisco-2.0'
I, [2023-12-21T02:03:40.739271 #499830]  INFO -- net.ssh.transport.algorithms[67c]: sending KEXINIT
D, [2023-12-21T02:03:40.739626 #499830] DEBUG -- socket[690]: queueing packet nr 0 type 20 len 1436
D, [2023-12-21T02:03:40.739751 #499830] DEBUG -- socket[690]: sent 1440 bytes
D, [2023-12-21T02:03:40.740400 #499830] DEBUG -- socket[690]: read 432 bytes
D, [2023-12-21T02:03:40.740523 #499830] DEBUG -- socket[690]: received packet nr 0 type 20 len 428
I, [2023-12-21T02:03:40.740605 #499830]  INFO -- net.ssh.transport.algorithms[67c]: got KEXINIT from server
I, [2023-12-21T02:03:40.740784 #499830]  INFO -- net.ssh.transport.algorithms[67c]: negotiating algorithms
D, [2023-12-21T02:03:40.740903 #499830] DEBUG -- net.ssh.transport.algorithms[67c]: negotiated:
* kex: ecdh-sha2-nistp521
* host_key: ssh-rsa
* encryption_server: aes256-ctr
* encryption_client: aes256-ctr
* hmac_client: hmac-sha2-512
* hmac_server: hmac-sha2-512
* compression_client: none
* compression_server: none
* language_client: 
* language_server: 
D, [2023-12-21T02:03:40.740969 #499830] DEBUG -- net.ssh.transport.algorithms[67c]: exchanging keys
D, [2023-12-21T02:03:40.741620 #499830] DEBUG -- socket[690]: queueing packet nr 1 type 30 len 148
D, [2023-12-21T02:03:40.741687 #499830] DEBUG -- socket[690]: sent 152 bytes
D, [2023-12-21T02:03:40.789140 #499830] DEBUG -- socket[690]: read 976 bytes
D, [2023-12-21T02:03:40.789268 #499830] DEBUG -- socket[690]: received packet nr 1 type 31 len 972
D, [2023-12-21T02:03:40.793965 #499830] DEBUG -- socket[690]: queueing packet nr 2 type 21 len 20
D, [2023-12-21T02:03:40.794053 #499830] DEBUG -- socket[690]: sent 24 bytes
D, [2023-12-21T02:03:40.798639 #499830] DEBUG -- socket[690]: read 16 bytes
D, [2023-12-21T02:03:40.798734 #499830] DEBUG -- socket[690]: received packet nr 2 type 21 len 12
D, [2023-12-21T02:03:40.799154 #499830] DEBUG -- net.ssh.authentication.session[6a4]: beginning authentication of `cisco'
D, [2023-12-21T02:03:40.799411 #499830] DEBUG -- socket[690]: queueing packet nr 3 type 5 len 28
D, [2023-12-21T02:03:40.799496 #499830] DEBUG -- socket[690]: sent 96 bytes
D, [2023-12-21T02:03:40.804217 #499830] DEBUG -- socket[690]: read 96 bytes
D, [2023-12-21T02:03:40.804442 #499830] DEBUG -- socket[690]: received packet nr 3 type 6 len 28
D, [2023-12-21T02:03:40.804560 #499830] DEBUG -- net.ssh.authentication.session[6a4]: trying publickey
D, [2023-12-21T02:03:40.804880 #499830] DEBUG -- net.ssh.authentication.agent[6b8]: connecting to ssh-agent
E, [2023-12-21T02:03:40.804951 #499830] ERROR -- net.ssh.authentication.agent[6b8]: could not connect to ssh-agent: Agent not configured
D, [2023-12-21T02:03:40.805199 #499830] DEBUG -- net.ssh.authentication.methods.publickey[6e0]: trying publickey (d9:d4:6c:b7:2d:8d:6a:7e:98:82:81:37:2d:07:ad:eb) alg rsa-sha2-256
D, [2023-12-21T02:03:40.805457 #499830] DEBUG -- socket[690]: queueing packet nr 4 type 50 len 620
D, [2023-12-21T02:03:40.805541 #499830] DEBUG -- socket[690]: sent 688 bytes
D, [2023-12-21T02:03:40.815882 #499830] DEBUG -- socket[690]: read 0 bytes
D, [2023-12-21T02:03:40.816047 #499830] DEBUG -- : 10.10.10.1 raised Net::SSH::Disconnect with msg "connection closed by remote host"
D, [2023-12-21T02:03:40.816102 #499830] DEBUG -- : lib/oxidized/node.rb: Oxidized::SSH failed for router1.test.com
D, [2023-12-21T02:03:40.821478 #499830] DEBUG -- : 10.10.10.1 raised Errno::ECONNREFUSED with msg "Connection refused - connect(2) for "10.10.10.1" port 23"
D, [2023-12-21T02:03:40.821540 #499830] DEBUG -- : lib/oxidized/node.rb: Oxidized::Telnet failed for router1.test.com
D, [2023-12-21T02:03:40.821602 #499830] DEBUG -- : lib/oxidized/job.rb: Config fetched for router1.test.com at 2023-12-21 05:03:40 UTC
W, [2023-12-21T02:03:41.553782 #499830]  WARN -- : cisco-iosxr/router1.test.com status no_connection, retries exhausted, giving up
```

Please let me know if you have some other concern.

Thank you very much.

aravaschio commented Dec 21 '23 05:12
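The log above contains the whole diagnosis if you read it in protocol terms: Net::SSH sends one SSH_MSG_USERAUTH_REQUEST (packet type 50) signed with `rsa-sha2-256`, and the next event is `read 0 bytes` followed by `Net::SSH::Disconnect`. There is no SSH_MSG_USERAUTH_FAILURE (type 51), so the client is never told which methods or algorithms would be acceptable and never gets to retry with `ssh-rsa`. The following Ruby script is an added example (not code from this issue or from Oxidized) that triages a Net::SSH debug log mechanically: it extracts the negotiated transport algorithms, the public-key signature algorithm(s) offered, and whether the server answered the auth request or just dropped the connection. The embedded log is a constructed, trimmed copy of the relevant lines from the thread.

```ruby
# Added example, not from the issue thread or the Oxidized project.
# Triage a Net::SSH debug log: which pubkey signature algorithm was offered,
# and did the server reject it (USERAUTH_FAILURE, type 51) or hang up?

# Constructed sample: a trimmed copy of the lines posted in the thread.
SAMPLE_LOG = <<~LOG
  D, [2023-12-21T02:03:40.552819 #499830] DEBUG -- : AUTH METHODS::["publickey"]
  D, [2023-12-21T02:03:40.740903 #499830] DEBUG -- net.ssh.transport.algorithms[67c]: negotiated:
  * kex: ecdh-sha2-nistp521
  * host_key: ssh-rsa
  * encryption_server: aes256-ctr
  * encryption_client: aes256-ctr
  * hmac_client: hmac-sha2-512
  * hmac_server: hmac-sha2-512
  * language_client: 
  D, [2023-12-21T02:03:40.804560 #499830] DEBUG -- net.ssh.authentication.session[6a4]: trying publickey
  D, [2023-12-21T02:03:40.805199 #499830] DEBUG -- net.ssh.authentication.methods.publickey[6e0]: trying publickey (d9:d4:6c:b7:2d:8d:6a:7e:98:82:81:37:2d:07:ad:eb) alg rsa-sha2-256
  D, [2023-12-21T02:03:40.805457 #499830] DEBUG -- socket[690]: queueing packet nr 4 type 50 len 620
  D, [2023-12-21T02:03:40.805541 #499830] DEBUG -- socket[690]: sent 688 bytes
  D, [2023-12-21T02:03:40.815882 #499830] DEBUG -- socket[690]: read 0 bytes
  D, [2023-12-21T02:03:40.816047 #499830] DEBUG -- : 10.10.10.1 raised Net::SSH::Disconnect with msg "connection closed by remote host"
LOG

# SSH_MSG_USERAUTH_REQUEST = 50, SSH_MSG_USERAUTH_FAILURE = 51 (RFC 4252).
def triage_ssh_log(text)
  r = { negotiated: {}, pubkey_algs_tried: [], userauth_requests: 0,
        userauth_failures: 0, disconnected: false }
  text.each_line do |line|
    case line
    when /AUTH METHODS::(\[.*\])/
      r[:auth_methods] = $1.scan(/"([^"]+)"/).flatten
    when /^\s*\*\s+(\w+):\s*(\S*)\s*$/
      r[:negotiated][$1.to_sym] = $2 unless $2.empty?   # skip empty language_* slots
    when /trying publickey \(([0-9a-f:]+)\) alg (\S+)/
      r[:key_fingerprint] ||= $1
      r[:pubkey_algs_tried] << $2
    when /queueing packet nr \d+ type 50 /
      r[:userauth_requests] += 1
    when /received packet nr \d+ type 51 /
      r[:userauth_failures] += 1
    when /raised Net::SSH::Disconnect/
      r[:disconnected] = true
    end
  end
  r[:verdict] = verdict_for(r)
  r
end

def verdict_for(r)
  if r[:disconnected] && r[:userauth_requests] > 0 && r[:userauth_failures].zero?
    "server closed the connection after the first USERAUTH_REQUEST " \
      "(alg #{r[:pubkey_algs_tried].last}) without a USERAUTH_FAILURE, " \
      "so the client never got the chance to fall back to another algorithm"
  elsif r[:userauth_failures] > 0
    "server rejected #{r[:pubkey_algs_tried].join(', ')}; check the authorized key " \
      "and the server's accepted public-key algorithms"
  else
    "no public-key authentication attempt seen"
  end
end

if __FILE__ == $PROGRAM_NAME
  r = triage_ssh_log(SAMPLE_LOG)
  puts "auth methods:      #{r[:auth_methods].inspect}"
  puts "negotiated:        #{r[:negotiated].inspect}"
  puts "pubkey algs tried: #{r[:pubkey_algs_tried].join(', ')}"
  puts "verdict:           #{r[:verdict]}"
end
```

Run it as `ruby triage.rb` against a saved Oxidized log (with `debug: true`, as in the config above). The distinction it draws matters for the fix: a type 51 reply means the server is negotiating and a different key or algorithm list can be tried, while a bare disconnect after one request means the server side has to accept what the client offers first.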

One small correction:

```yaml
      group: 3
      ssh_kex: 4
      ssh_host_key: 5
      ssh_hmac: 6
      ssh_encryption: 7
```

aravaschio commented Dec 21 '23 05:12
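The correction above is worth checking mechanically, because a positional column map fails silently: with `ssh_host_key: 5` and `ssh_hmac: 5` both pointing at the same column, `ssh_encryption: 6` receives the HMAC name and the cipher column at index 7 is never read. The script below is an added example (not code from this issue or from Oxidized) that mimics the assumed behaviour of a csv source like Oxidized's, splitting a router.db line on the delimiter and picking fields by index, and then lints the result: duplicate indexes, unconsumed columns, and values whose name does not fit the `ssh_*` variable they landed in. The prefix patterns are constructed from the algorithm names in this thread and are not a complete list. Run against the posted router.db line it also flags that column 5, `diffie-hellman-group14-sha1`, is a KEX name sitting in `ssh_host_key` under both maps.

```ruby
# Added example, not from the issue thread or the Oxidized project.
# Stand-in for a positional csv column map (assumed: split on delimiter,
# pick by index) plus a lint pass over the mapped ssh_* variables.

# The router.db line posted in the thread.
ROUTER_DB_LINE = "router1.test.com:10.10.10.1:iosxr:cisco-iosxr:" \
                 "diffie-hellman-group-exchange-sha256:diffie-hellman-group14-sha1:" \
                 "hmac-sha2-256:aes128-ctr"

POSTED_MAP    = { name: 0, ip: 1, model: 2, group: 3, ssh_kex: 4,
                  ssh_host_key: 5, ssh_hmac: 5, ssh_encryption: 6 }
CORRECTED_MAP = { name: 0, ip: 1, model: 2, group: 3, ssh_kex: 4,
                  ssh_host_key: 5, ssh_hmac: 6, ssh_encryption: 7 }

# Constructed name patterns for each ssh_* variable; enough for the names in
# the thread, not an exhaustive algorithm registry.
EXPECTED_PREFIX = {
  ssh_kex:        /\A(diffie-hellman|ecdh-|curve25519)/,
  ssh_host_key:   /\A(ssh-|ecdsa-|rsa-sha2-)/,
  ssh_hmac:       /\Ahmac-/,
  ssh_encryption: /\A(aes|chacha20|3des)/
}.freeze

# Returns [mapped_vars, unused_fields].
def map_row(line, map, delimiter: /:/)
  fields = line.chomp.split(delimiter)
  node   = map.transform_values { |idx| fields[idx] }
  unused = ((0...fields.size).to_a - map.values).map { |i| fields[i] }
  [node, unused]
end

# Returns a list of human-readable problems; empty means the map looks sane.
def lint_map(line, map)
  node, unused = map_row(line, map)
  problems = []
  map.values.tally.each { |idx, n| problems << "index #{idx} mapped #{n} times" if n > 1 }
  EXPECTED_PREFIX.each do |var, re|
    next unless map.key?(var)
    v = node[var]
    if v.nil?
      problems << "#{var}: column #{map[var]} is missing from the line"
    elsif v !~ re
      problems << "#{var}=#{v.inspect} does not look like a #{var} value"
    end
  end
  problems << "unused columns: #{unused.inspect}" unless unused.empty?
  problems
end

if __FILE__ == $PROGRAM_NAME
  { "posted map" => POSTED_MAP, "corrected map" => CORRECTED_MAP }.each do |label, map|
    node, = map_row(ROUTER_DB_LINE, map)
    puts "#{label}: #{node.select { |k, _| k.to_s.start_with?('ssh_') }.inspect}"
    lint_map(ROUTER_DB_LINE, map).each { |p| puts "  ! #{p}" }
  end
end
```

A check like this belongs next to the router.db file in version control, so a column added for one group cannot shift the ssh_* variables of every other node unnoticed.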

Hi everyone.

After some more tests I can see the following message in the router: `(sshd_authenticate) Requested public-key algorithm rsa-sha2-256 not supported`

If I add `PubkeyAcceptedAlgorithms +ssh-rsa` to my `~/.ssh/config` file I can access the router with the indicated private key. But I'm not finding a way to add that option to oxidized.

aravaschio commented Dec 24 '23 11:12