How to set SSH KexAlgorithm for Ansible 2.3.0.0


Boyan Sotirov

May 30, 2017, 8:35:31 AM
to Ansible Project
Hi, 
I'm using Ansible version 2.3.0.0 and I'm trying to connect to an old Cisco IOS router. The issue is that the Cisco IOS still uses diffie-hellman-group1-sha1.
So in order for this to work I naturally made a local config for that particular host in the .ssh/config file to add this key exchange algorithm to the offer, and ssh works without any issues.
Now when I use Ansible, it looks like it does not even read that file and I get an error.

boyan@m-server:/etc/ansible$ sudo ansible ka-ce001 -m raw -a 'show users' -c ssh
ka-ce001 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Unable to negotiate with 10.1.3.6 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1\r\n", 
    "unreachable": true
}

I used the explicit option -c ssh hoping that it would use the specific ssh configurations, but it didn't. 


The question is, how can I make Ansible also use diffie-hellman-group1-sha1? I know it's considered not secure, but it's an old box which does not have the option to upgrade.


Regards, 
Boyan

Dick Visser

May 30, 2017, 1:02:26 PM
to ansible...@googlegroups.com
It sounds like 'sudo ansible' picks up different env vars than just
ssh-ing to the Cisco?
Out of interest, what is the reason you're doing 'sudo ansible'?

Dick



--
Dick Visser
Sr. System & Network Engineer
GÉANT


Boyan Sotirov

Jun 9, 2017, 8:03:21 AM
to Ansible Project
Hi Dick, 
It was out of inexperience with the tool. This one is solved now, but I have other issues, for which I'll open another thread. 


Regards, 
Boyan

Neil Mukhamediyev

Sep 13, 2017, 8:00:12 PM
to Ansible Project
Hey Boyan, how did you solve this issue with Ansible?

thanks

Dave Cottlehuber

Sep 16, 2017, 4:10:21 AM
to ansible...@googlegroups.com
Add the following to your ansible.cfg file:

# ./ansible.cfg
[defaults]
transport = ssh
[ssh_connection]
ssh_args = -F ./ssh_config

then add an ssh_config file with whatever you need in the same directory,
and ansible will pick it up.

IIRC you need transport to ensure that it uses "real" openssh to
connect.

A+
Dave
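Worked example of the setup Dave describes, added here as an illustration and not code from the thread or from the Ansible project. It writes a per-project ansible.cfg and ssh_config, scopes the legacy key exchange to a single Host stanza (so diffie-hellman-group1-sha1 is only offered to the old router, never to every host Ansible manages), and, where OpenSSH is installed, shows the effective negotiated list with `ssh -G` without connecting. The host alias ka-ce001, the address 10.1.3.6 (from the original error) and the user name admin are assumptions. It also addresses Dick's point: the -F path in ssh_args is resolved from the directory ansible is run in, and running ansible through sudo switches HOME to root's, so root's ~/.ssh/config (which has no such Host entry) is what gets read; run ansible as the normal user from the project directory instead.

```shell
#!/bin/sh
# Added example: per-project OpenSSH config that offers the legacy
# diffie-hellman-group1-sha1 KEX only to one old Cisco IOS router, wired into
# Ansible through ansible.cfg. Host alias, address and user are assumptions.
set -eu

# Render the ssh_config that Ansible hands to OpenSSH with -F. The weak KEX is
# confined to one Host stanza; every other host keeps the OpenSSH defaults.
render_ssh_config() {
    cat <<'EOF'
# ./ssh_config -- loaded by ansible through: ssh_args = -F ./ssh_config
Host ka-ce001
    HostName 10.1.3.6
    User admin
    # Legacy Cisco IOS: "+" appends the old group1 KEX to the default list
    # instead of replacing it, and only for this host.
    KexAlgorithms +diffie-hellman-group1-sha1
    # Old IOS images often also need an RSA host key and a CBC cipher; enable
    # these only if the next "Unable to negotiate" error names them.
    #HostKeyAlgorithms +ssh-rsa
    #Ciphers +aes128-cbc,3des-cbc
EOF
}

# Render the matching ansible.cfg. The relative -F path is resolved from the
# working directory, so keep ansible.cfg, ssh_config and the inventory together
# and run ansible from that directory as the normal user (not via sudo, which
# would make OpenSSH read root's ~/.ssh/config instead).
render_ansible_cfg() {
    cat <<'EOF'
[defaults]
transport = ssh
inventory = ./hosts

[ssh_connection]
ssh_args = -F ./ssh_config
EOF
}

# Write the three project files into DIR.
write_project() {
    dir="$1"
    mkdir -p "$dir"
    render_ssh_config > "$dir/ssh_config"
    render_ansible_cfg > "$dir/ansible.cfg"
    printf 'ka-ce001\n' > "$dir/hosts"
}

# Print the KexAlgorithms list OpenSSH would actually use for the router,
# read from the project ssh_config. "ssh -G" (OpenSSH 6.8+) evaluates the
# configuration without connecting. Prints nothing when ssh is not installed.
effective_kex() {
    dir="$1"
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$dir/ssh_config" ka-ce001 2>/dev/null \
            | awk '$1 == "kexalgorithms" { print $2 }'
    fi
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    write_project ./legacy-ios
    echo "effective KexAlgorithms for ka-ce001:"
    effective_kex ./legacy-ios
    echo "now run, from ./legacy-ios and without sudo:"
    echo "  ansible ka-ce001 -m raw -a 'show users'"
fi
```

An equivalent that avoids a separate file is to set the option per host in the inventory, e.g. `ansible_ssh_common_args='-o KexAlgorithms=+diffie-hellman-group1-sha1'` on the ka-ce001 line; either way the weak method stays limited to the one device that cannot be upgraded.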