Changing ciphers and Key Encryption

Eric R. Jones
Level 4

I'm working with Ansible 2.9 and when I try to run Ad-Hoc commands or plays I get errors stating my ssh 

ansible -m ios_ping -a "dest=10.88.2.21" testboxes
SSH password:
ys2021_b2046r301_test.srf.local | FAILED! => {
"changed": false,
"msg": "Connection type ssh is not valid for this module"
}
Is there a way to change the Key Exchange algorithm from:

ip ssh server algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm

to any one of the below, or a combination?

ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

6 Replies

Francesco Molino
VIP Alumni

Hi

You might have a cipher issue, but the error message you gave is related to a missing network plugin.
Have you configured any host vars or group vars?

Here is a thread I'm sure can help you (this is a common issue):

https://www.reddit.com/r/ansible/comments/eqneiw/connection_type_ssh_is_not_valid_for_this_module/?utm_source=share&utm_medium=ios_app&utm_name=iossmf


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Eric R. Jones
Level 4

I am assuming that "hosts" in the line "/home/admin/ansible/hosts" is the file which contains

[backups]

raphael ansible_host=192.168.1.20

where "backups" is under all:

all:
  children:
    backups:
      192.168.1.20
    switch:
      <someIP>

Please forgive my noobyness, I'm transitioning from Redhat Ansible training to real life Ansible deployment and this material wasn't covered, only how to code. Their labs are self contained and you just install them with wget and then start working.
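Francesco's point above (the "Connection type ssh is not valid for this module" error comes from a missing connection/network_os setting, not from the cipher list) and Eric's question about how the inventory should be laid out can both be illustrated with one inventory file. The following YAML inventory is an added example and is not from the thread or from Ansible's own documentation; the hostname is the one in Eric's output, the IP address and username are constructed placeholders, and the group name testboxes matches his ad-hoc command. In Ansible 2.9 the ios_* modules (ios_ping included) require ansible_connection: network_cli and ansible_network_os: ios, which is what the group vars below supply.

```yaml
# inventory.yml -- added example inventory for the ios_* modules (not from the thread)
all:
  children:
    testboxes:
      hosts:
        ys2021_b2046r301_test.srf.local:
          ansible_host: 192.0.2.10      # placeholder management IP (constructed)
      vars:
        # Without these two variables Ansible falls back to the default "ssh"
        # connection plugin, and ios_ping refuses it with
        # "Connection type ssh is not valid for this module".
        ansible_connection: network_cli
        ansible_network_os: ios
        ansible_user: admin              # placeholder username (constructed)
        # Enter privileged EXEC for modules that need it (ios_config, etc.).
        ansible_become: true
        ansible_become_method: enable
```

With this file in place the original ad-hoc command only needs the inventory path and the password prompt flag, e.g. `ansible -i inventory.yml -k -m ios_ping -a "dest=10.88.2.21" testboxes`. The same `ansible_connection` and `ansible_network_os` variables can equally live in `group_vars/testboxes.yml` next to an INI-style hosts file like the `[backups]` example in Eric's post; what matters is that they apply to the target host.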

balaji.bandi
Hall of Fame

Check this thread on how you can connect to devices using ciphers with Ansible:

https://community.cisco.com/t5/other-cloud-subjects/cant-login-ssh-with-ansible-because-of-cipher-error-from-cisco/td-p/4174091


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Eric R. Jones
Level 4

Is it possible to add a key exchange that will upgrade the switch from diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1? Apparently SHA-1 is no longer STIG allowable. I thought that to upgrade my key exchanges I would have to upgrade the IOS.


Upgrading SSH v2 to get new ciphers is an add-on and more secure.


BB

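Once the connection variables are in place, the key-exchange change Eric asks about can be pushed and verified from Ansible rather than typed on each switch. The playbook below is an added example, not from the thread or from Cisco's or Ansible's own documentation; it assumes an inventory group called testboxes that already carries ansible_connection: network_cli and ansible_network_os: ios, and it uses only KEX names that appear in Eric's list of candidates. Which of those names a given device accepts depends on its IOS release, which is why the first task records the output of `ip ssh server algorithm kex ?`-style discovery through `show ip ssh` before anything is changed.

```yaml
# kex-hardening.yml -- added example playbook (not from the thread)
- name: Replace SHA-1 key exchange with SHA-2 based algorithms on IOS
  hosts: testboxes
  gather_facts: false
  vars:
    # Preference order, first is offered first. All four names come from the
    # candidate list in the question; drop any the device's IOS rejects.
    desired_kex:
      - ecdh-sha2-nistp256
      - ecdh-sha2-nistp384
      - ecdh-sha2-nistp521
      - diffie-hellman-group14-sha256
  tasks:
    - name: Record the SSH server settings before the change
      ios_command:
        commands:
          - show ip ssh
      register: ssh_before

    - name: Configure the allowed key exchange algorithms
      # ios_config compares against the running config, so this is a no-op
      # when the line is already present and only writes startup-config
      # when something actually changed.
      ios_config:
        lines:
          - "ip ssh server algorithm kex {{ desired_kex | join(' ') }}"
        save_when: modified
      register: kex_change

    - name: Record the SSH server settings after the change
      ios_command:
        commands:
          - show ip ssh
      register: ssh_after

    - name: Show what changed
      debug:
        msg:
          - "changed: {{ kex_change.changed }}"
          - "{{ ssh_after.stdout_lines[0] }}"
```

Two caveats worth keeping in mind when running this: the Ansible control node's own SSH client must offer at least one of the algorithms left in the list (current OpenSSH builds offer all four by default), otherwise the next play cannot log in after the change; and because the command replaces the whole KEX list rather than appending to it, keep a console or out-of-band path available the first time it is applied to a device.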

Looks like the 16.12.X train is heading to EOL/EOS this year. We will be moving to Amsterdam 17.3.X or 17.4.X. I read another post on an unrelated search that Key Exchanges of SHA1 are no longer used. This should solve our issue.

We are already using SSH V2 based on policy.

I've had to fix weak ciphers before, e.g. AES128-ctr, AES128-cbc, but haven't ever done KEX.


ej
