Re: Changing ciphers and Key Encyption

Eric R. Jones · ‎01-11-2022

I'm working with Ansible 2.9 and when I try to run Ad-Hoc commands or plays I get errors stating my ssh

ansible -m ios_ping -a "dest=10.88.2.21" testboxes
SSH password:
ys2021_b2046r301_test.srf.local | FAILED! => {
"changed": false,
"msg": "Connection type ssh is not valid for this module"
}
Is there a way to change the Key Exchange algorithm from:

ip ssh server algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm

to anyone of the below or a combinaton?

ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Francesco Molino · ‎01-11-2022

Hi

you might have a cipher issue but the error message you gave is related to a missing network plugin.
do you have configured any host vars or group vars?

here a thread I’m sure can help you (this is a common issue):

https://www.reddit.com/r/ansible/comments/eqneiw/connection_type_ssh_is_not_valid_for_this_module/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Eric R. Jones · ‎01-11-2022

I am assuming that "host" in the line "/home/admin/ansible/hosts" is the file which contains

[backups]

raphael ansible_host=192.168.1.20

where "backups" is under all:

children:

backups:

192.168.1.20

switch:

Please forgive my noobyness, I'm transitioning from Redhat Ansible training to real life Ansible deployment and this material wasn't covered, only how to code. Their labs are self contained and you just install them with wget and then start working.

balaji.bandi · ‎01-12-2022

check this thread how you can connect using ansible to devices using ciphers :

https://community.cisco.com/t5/other-cloud-subjects/cant-login-ssh-with-ansible-because-of-cipher-error-from-cisco/td-p/4174091

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Eric R. Jones · ‎01-12-2022

Is it possible to add key exchange that will upgrade the switch from , diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1? Apparently sha1 is no longer STIG allowable. I thought that to upgrade my key exchanges I would have to upgrade the IOS.

balaji.bandi · ‎01-13-2022

upgrading the SSH v2 to get new cipher is addon and more secure.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Eric R. Jones · ‎01-14-2022

Looks like the 16.12.X train is heading to EOL/EOS this year. We will be moving to Amsterdam 17.3.X or 17.4.X. I read another post on an unrelated search that Key Exchanges of SHA1 are no longer used. This should solve our issue.

We are already using SSH V2 based on policy.

I've had to fix weak ciphers before, e.g. AES128-ctr, AES128-cbc but haven't ever done KEX.

ej