topic Re: Changing ciphers and Key Encyption in Network Security

Changing ciphers and Key Encyption

Eric R. Jones — Wed, 12 Jan 2022 03:04:00 GMT

I'm working with Ansible 2.9 and when I try to run Ad-Hoc commands or plays I get errors stating my ssh

ansible -m ios_ping -a "dest=10.88.2.21" testboxes
SSH password:
ys2021_b2046r301_test.srf.local | FAILED! => {
"changed": false,
"msg": "Connection type ssh is not valid for this module"
}
Is there a way to change the Key Exchange algorithm from:

ip ssh server algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm

to anyone of the below or a combinaton?

ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Re: Changing ciphers and Key Encyption

Francesco Molino — Wed, 12 Jan 2022 04:53:46 GMT

you might have a cipher issue but the error message you gave is related to a missing network plugin.
do you have configured any host vars or group vars?

here a thread I’m sure can help you (this is a common issue):

https://www.reddit.com/r/ansible/comments/eqneiw/connection_type_ssh_is_not_valid_for_this_module/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

Re: Changing ciphers and Key Encyption

Eric R. Jones — Wed, 12 Jan 2022 05:18:50 GMT

I am assuming that "host" in the line "/home/admin/ansible/hosts" is the file which contains

[backups]

raphael ansible_host=192.168.1.20

where "backups" is under all:

children:

backups:

192.168.1.20

switch:

Please forgive my noobyness, I'm transitioning from Redhat Ansible training to real life Ansible deployment and this material wasn't covered, only how to code. Their labs are self contained and you just install them with wget and then start working.

Re: Changing ciphers and Key Encyption

balaji.bandi — Wed, 12 Jan 2022 09:21:10 GMT

check this thread how you can connect using ansible to devices using ciphers :

https://community.cisco.com/t5/other-cloud-subjects/cant-login-ssh-with-ansible-because-of-cipher-error-from-cisco/td-p/4174091

Re: Changing ciphers and Key Encyption

Eric R. Jones — Thu, 13 Jan 2022 03:44:18 GMT

Is it possible to add key exchange that will upgrade the switch from , diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1? Apparently sha1 is no longer STIG allowable. I thought that to upgrade my key exchanges I would have to upgrade the IOS.

Re: Changing ciphers and Key Encyption

balaji.bandi — Thu, 13 Jan 2022 12:05:12 GMT

upgrading the SSH v2 to get new cipher is addon and more secure.

Re: Changing ciphers and Key Encyption

Eric R. Jones — Fri, 14 Jan 2022 21:51:13 GMT

Looks like the 16.12.X train is heading to EOL/EOS this year. We will be moving to Amsterdam 17.3.X or 17.4.X. I read another post on an unrelated search that Key Exchanges of SHA1 are no longer used. This should solve our issue.

We are already using SSH V2 based on policy.

I've had to fix weak ciphers before, e.g. AES128-ctr, AES128-cbc but haven't ever done KEX.