AWX - EE-latest issue with supported key types while using ssh key

[Sinnl]

Hi,

I recently started seeing almost twice as many systems failing and below error in the logs

"Make sure this host can be reached over ssh: Unable to negotiate with XX.XX.XX.XXX port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss"

This is older system but we do have a quite a few of those and need to keep them around and be able to automate them.

I have run the same job against same server using EE 21.11.0 and it worked with no issues so this is limited to EE-latest.

Is this a security "enhancement" and can this be worked around for older systems passing ssh args to define support for older key types?

Thank you,

L.

[Sinnl]

NOTE: The same behaviour can be observed when using only username and password. 

I have removed the ssh key from credentials used to execute the job and I still get the same error noted in previous message. 

Once agin limited only to EE-latest

L.

[AWX Project]

ee latest is based on the centos stream9, whereas ee 21.11.0 stream8, so that might be causing issues with unsupported ssh key types. You may want to investigate the recommended ssh key types for stream 9 systems.

 

some more here https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

You may need to create a custom EE that will allow you to establish ssh connections to that machine

Let us know if you have more questions,

AWX Team

[Sinnl]

Hi,

As I do understand the security implications it would be extremely helpful to be able to overwrite this behaviour on host/group level with SSH args (or similar approach) while still using EE-latest. 

The ability to automate against entire environment is paramount even or especially when that environment still contains legacy systems. 

Thank you,

L.

[Michael Kelly]

This sounds very like a problem we ran into recently.

Newer versions of OpenSSH don't support the ssh-rsa algorithm by default.

However, there is a workaround if you cannot upgrade your remote hosts.

All you need to do is add the following lines to the start of your .ssh/config file.

HostKeyAlgorithms +ssh-rsa

Host *

    PubkeyAcceptedKeyTypes +ssh-rsa

You can replace the  the

Host *

    PubkeyAcceptedKeyTypes +ssh-rsa

entry with individual entries for each affected host if you want.

HTH.