Failed to connect to the host via ssh: OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021

[Karthik Kumaraswamy]

Hi Team
I am receiving below error while connecting to a server via an isolated node

<172.20.1.111> (255, b'', b'OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug2: checking match for \'final all\' host 172.20.1.111 originally 172.20.1.111\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched \'final\'\r\ndebug2: match not found\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-gr…

fatal: [cyclonetest]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug2: checking match for 'final all' host 172.20.1.111 originally 172.20.1.111\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'\r\ndebug2: match not found\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [curve25519-sha25…

Please advise me on this

[Karthik Kumaraswamy]

####Variables that are passed

ssh_proxy: 172.20.1.10
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q awx-linux@{{ssh_proxy}}"'

####Inventory:

172.20.1.111

[Jeremy Bouse]

My initial question would be what crypto algorithm is the key you're attempting to connect with? As you show that FIPS is enabled and I'm assuming this is on a RHEL server the crypto policy is restrictive and some keys simply won't be able to connect. I know this was the case with my key that is ssh-ed25519 and I had to use an ssh-rsa key instead in the past.

[Karthik Kumaraswamy]

It's ssh-rsa in my case.

I am able to connect to the hosts if i pass "-o StrictHostKeyChecking=no" as below

ssh_proxy: 172.20.1.10
ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o ProxyCommand="ssh -o StrictHostKeyChecking=no -W %h:%p -q awx-linux@{{ssh_proxy}}"'

However, I would like to understand why this is happening ? Please note, our AWX env is running on GKE

Thanks,

Karthik

This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally prohibited from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.

--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/9dcff449-2223-4568-b39f-d31637b596f0n%40googlegroups.com.

[Jeremy Bouse]

Oh okay... So your AWX task needs to go through a jump box using the ProxyCommand to reach the host then? In that case it does make sense that adding the additional '-o StrictHostKeyChecking=no` before the ProxyCommand option would work. The `-o StrictHostKeyChecking=no` included in the ProxyCommand is specific to the ProxyCommand call the is being executed. The `-o StrictHostKeyChecking=no` outside the ProxyCommand is going to be when checking the final host key when jumping through the jump box. I can't recall if the option would be passed to the ProxyCommand as well and only need to be added the initial time or not and still work.

[Karthik Kumaraswamy]

Do we have any risk involved with this as we’re using strict host key checking as false during every connection ??

You received this message because you are subscribed to a topic in the Google Groups "AWX Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/awx-project/AzB5Q6G7Oiw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/0069c006-a099-4c54-a2ca-a0d95b51fb64n%40googlegroups.com.

[Jeremy Bouse]

 Unless you're explicitly setting the host keys or using Vault host key signing the SSH host key checking is more of just an alert when the host key seen has changed. When connecting to machines that are ephemeral in nature like the cloud there is a good chance that host keys will change especially if a new instance is brought up to replace and older instance. The risk involved would be one that would need to be assessed for your particular environment