Failing to Fetch Host Keys

dretaylo (Cisco Employee)

Hi all,

Has anyone encountered this issue before?

My configuration:

devices device loncaf-vpn-cluster-1
address loncaf-vpn-cluster-1.cisco.com port 22
device-type cli ned-id cisco-asa protocol ssh
authgroup nso-prd
state admin-state unlocked

I am attempting to run ssh fetch-host-keys after committing, using the NSO CLI; however, I get the following message:

dretaylo@ncs(config-device-loncaf-vpn-cluster-1)# ssh fetch-host-keys
result failed
info Failed to connect to device loncaf-vpn-cluster-1: No supported SSH key exchange algorithms

Any help would be appreciated!

Sincerely,
Drew

Unfortunately the above doesn't seem to be a fix as I am seeing:

-----BEGIN RSA PRIVATE KEY-----

in my ssh_host_rsa_key file.

Could there be an issue if this seems to be coming solely from devices which are ASA OS on FPR hardware?

I don't have the issue with the rest of my fleet which are all ASAs on ASA hardware.

This is related to the same issue. NSO tightened up the key exchange algorithms it supports, and that causes problems with some devices who use older algorithms. There are a few possibilities, one is to configure the ASA to use more modern algorithms (not sure if this is possible on ASA, I know it is possible on some devices), another is to try a newer NSO where the requirements have been relaxed slightly again.

Hi Viktor,

You are awesome!!! Thank you so much for leading me to the answer! (And nice talking to you again.)

This is way over my head; however, I needed to change the ssh key-exchange on the ASAs.

Do you know why I am able to use the ssh key-exchange algorithm "dh-group1-sha1" or "dh-group14-sha1", but I cannot use "dh-group14-sha256" on the ASA?

Thanks again!
Drew

What version are you running on your ASAs? It looks like support for dh-group14-sha256 was added in version 9.12, so if you are running an older version than that the option won't be available.

I just figured out another reason for this symptom:

I'm using the macOS version of NSO to develop. To install and run NSO on ARM64-based devices, the "Rosetta" x86 emulation needs to be used. For this, I have made a copy of my terminal application for which I selected the "Open using Rosetta" option.

When using the wrong terminal application (native ARM64), I run into the "No supported SSH key exchange algorithms" issue. So, make sure to use the correct environment on macOS!

rensobra (Cisco Employee)

Another workaround is to allow ssh-rsa in the NSO global settings (set devices global-settings ssh-algorithms public-key ssh-rsa).

This will allow NSO to fetch "unsecured" keys...
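To make the two failure modes in this thread concrete (a key-exchange list with no overlap, and the ssh-rsa host-key workaround in the last reply), here is an added Python example that is not code from the thread, from NSO or from Cisco. It encodes and parses an SSH KEXINIT message as defined in RFC 4253 section 7.1 and runs the standard negotiation rule (first client algorithm that the server also lists). The ASA KEXINIT and both client preference lists are constructed for the example and are not captures of a real device or NSO's actual configuration; the second error string is also invented here, only the first one mirrors the message in the thread.

```python
"""Offline model of SSH algorithm negotiation (RFC 4253 section 7.1) that
reproduces a "No supported SSH key exchange algorithms" failure."""
import struct

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16

# The ten name-lists of a KEXINIT message, in wire order.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def build_kexinit(lists, cookie=b"\x00" * COOKIE_LEN):
    """Encode a KEXINIT payload from {field: [names]} (used to construct sample data)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(data)) + data  # RFC 4251 name-list
    payload += b"\x00"               # boolean first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # uint32 reserved
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; ValueError on malformed input."""
    if len(payload) < 1 + COOKIE_LEN or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + COOKIE_LEN  # skip message id and random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT at %s" % field)
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list for %s" % field)
        pos += length
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists


def negotiate(client_prefs, server_prefs):
    """RFC 4253 7.1: the first algorithm on the client's list that the server also offers."""
    offered = set(server_prefs)
    for name in client_prefs:
        if name in offered:
            return name
    return None


def diagnose(client_lists, server_payload):
    """Return the chosen kex/host-key algorithms and the errors a client would report."""
    server = parse_kexinit(server_payload)
    kex = negotiate(client_lists["kex_algorithms"], server["kex_algorithms"])
    host_key = negotiate(client_lists["server_host_key_algorithms"],
                         server["server_host_key_algorithms"])
    errors = []
    if kex is None:
        errors.append("No supported SSH key exchange algorithms")
    if host_key is None:
        errors.append("No supported SSH host key algorithms")  # string invented here
    return {"kex": kex, "host_key": host_key, "errors": errors}


# Constructed sample: an ASA that still advertises only SHA-1 key exchange and
# ssh-rsa (SHA-1 signature) host keys. Not a capture from a real device.
OLD_ASA_KEXINIT = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes256-cbc"],
    "encryption_algorithms_server_to_client": ["aes256-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})

# Constructed client preference lists standing in for a "tightened" and a
# "relaxed" client; they are not NSO's real configuration.
STRICT_CLIENT = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256",
                       "diffie-hellman-group14-sha256",
                       "diffie-hellman-group-exchange-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
}
RELAXED_CLIENT = {
    "kex_algorithms": STRICT_CLIENT["kex_algorithms"] + ["diffie-hellman-group14-sha1"],
    # Analogue of allowing ssh-rsa in the global settings: same RSA key, SHA-1 signature.
    "server_host_key_algorithms": STRICT_CLIENT["server_host_key_algorithms"] + ["ssh-rsa"],
}
```

Running diagnose(STRICT_CLIENT, OLD_ASA_KEXINIT) yields no kex and no host-key match, which is the situation the thread describes; RELAXED_CLIENT negotiates diffie-hellman-group14-sha1 and ssh-rsa. Two points worth keeping in mind when choosing between the fixes discussed above: ssh-rsa and rsa-sha2-256 use the same RSA host key and differ only in the signature hash, so enabling ssh-rsa on the NSO side does not change the device's key, it only accepts a SHA-1 signature over it; and moving the ASA to a SHA-256 key exchange (which, per the reply above, needs ASA 9.12 for dh-group14-sha256) is the option that removes the weak algorithm rather than re-admitting it.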