
Collective Intelligence resolved my SSH problems with NSO on the latest macOS Mojave!

Cisco Employee
Every once in a while I get a craving to install and run some NSO examples just to keep my basic knowledge at a bare minimum. This time I responded to an ask to test out our updated NSO getting started guide. Downloading and installing is seldom an issue and now it was smooth as it is free for evaluation and the link is provided on DevNet. You can even Google it if you can’t find it! Following the step-by-step guide is really fun and you almost feel like a developer, which I was 20 years ago. This time though my problems started already when running the first examples with Netsims. First, I could not ssh into the CLI, but who cares when there are other ways in (ncs_cli -u admin), but when I couldn’t connect to the devices or do a sync-from I was stuck. I realized that it had to do with SSH in one way or another. I am not an expert in this area and suddenly recalled why I left engineering. Stubborn as I am, I tried too many times and after repeated failures I got angry. When my colleague asked me how the review process was going I had to admit my defeat and finally asked for help. Luckily, we have an internal channel and when I broadcast my SSH shortcomings, I had an answer to my problems within 60 seconds! This fast response was due to several people contributing to the solution before me and I just got their conclusions in a nice summary. After a bit of fiddling with new key generation I was back on track! It turned out to be a shortcoming of the NSO installation program that failed to recognize the new key format in the OpenSSH version that comes with Mojave!
 
Think about how much time and effort you can save by using collective intelligence in a community, but don’t forget that your contribution matters! Writing this blog post is my contribution!
 
The example I was running: /examples.ncs/getting-started/using-ncs/1-simulated-cisco-ios
The error message: Unable to negotiate with 127.0.0.1 port 2024: no matching host key type found. Their offer:
 
The resolution:
* ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key.
 
So, generate new keys in your install directory (in both NSO and Netsim directories) with -m pem and you will be back to normal.
 
$NCS_DIR/etc/ncs/ssh/
$NCS_DIR/netsim/confd/etc/confd/ssh
 
NWAGERTH-M-L58X:ssh nwagerth$ ssh-keygen -m pem -f ssh_host_rsa_key

Generating public/private rsa key pair.

ssh_host_rsa_key already exists.

Overwrite (y/n)? y

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in ssh_host_rsa_key.

Your public key has been saved in ssh_host_rsa_key.pub.

The key fingerprint is:

 
//Nicklas 
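To see which host keys are affected before regenerating anything, the check below reads the first line of each private key and reports the ones written in the new OpenSSH format. It is an added example, not part of the original post or of NSO; the function names are hypothetical, and the file name pattern ssh_host_*_key is an assumption based on the ssh_host_rsa_key file shown above.

```shell
#!/bin/sh
# Added example: classify SSH host private keys by on-disk format.
# Only the first line (the armor header) of each file is read.

# key_format FILE -> prints: pem | openssh | unknown | missing
key_format() {
    [ -r "$1" ] || { echo missing; return 0; }
    first=
    IFS= read -r first < "$1" || true
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----"*) echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"*|\
        "-----BEGIN DSA PRIVATE KEY-----"*|\
        "-----BEGIN EC PRIVATE KEY-----"*) echo pem ;;
        *) echo unknown ;;
    esac
}

# keys_to_regenerate DIR -> prints every host private key in DIR that is
# in the new OpenSSH format (assumed naming: ssh_host_<type>_key).
keys_to_regenerate() {
    for k in "$1"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        if [ "$(key_format "$k")" = openssh ]; then
            echo "$k"
        fi
    done
    return 0
}

scan() { for dir in "$@"; do keys_to_regenerate "$dir"; done; }

if [ -n "${NCS_DIR:-}" ]; then
    # The two directories named in the post.
    scan "$NCS_DIR/etc/ncs/ssh" "$NCS_DIR/netsim/confd/etc/confd/ssh"
else
    # Constructed demo input: header-only files, not real keys.
    demo=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo/ssh_host_rsa_key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$demo/ssh_host_dsa_key"
    scan "$demo"    # lists only the OpenSSH-format file
    rm -rf "$demo"
fi
```

Each path it prints is a key to regenerate with the ssh-keygen -m pem command shown above.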
1 Comment
Cisco Employee

Great - this solved my problem. There is one more step though. The netsim instances need to be re-created. For most (all?) NSO examples you can do 

$ make stop clean all start

This will stop the system, wipe it, recompile everything, including recreating the netsims, and start again.