12-22-2021 12:18 AM
I have installed NSO 5.6.3 on my Mac, and when registering a device and trying to fetch host keys, I get this message for an IOS-XR device:
admin@ncs# devices device ncs55A2 ssh fetch-host-keys
result failed
info Failed to connect to device ncs55A2: Protocol error
And for an IOS device:
admin@ncs# devices device c4503 ssh fetch-host-keys
result failed
info Failed to authenticate towards device c4503: No supported SSH key exchange algorithms
I have these devices working with an older 5.2.2 installation of NSO on CentOS.
The same NSO 5.6.3 installation on my Mac works fine with netsim devices. It is only with the real HW devices that I have the issue.
I installed NSO 5.6.2 on an Ubuntu Linux VM, and I see exactly the same issue.
I checked these articles:
https://community.cisco.com/t5/nso-developer-hub-discussions/failing-to-fetch-host-keys/td-p/4050877
But I do not think they contain the solution.
Any ideas?
admin@ncs# show running-config devices device ncs55A2
devices device ncs55A2
 address 10.101.180.19
 authgroup dksplab
 device-type cli ned-id cisco-iosxr-cli-7.38
 device-type cli protocol ssh
 state admin-state unlocked
 config
  admin
  exit-admin-config
  !
 !
!
devices authgroups group dksplab
 default-map remote-name cisco
 default-map remote-password $9$VepU/RfgjrOXh3YQNDZJAm3TJ1hlvvqnYNoeflEMyIs=
 default-map remote-secondary-password $9$FoWXBSxSV7j9YTxmdut99TCMnm5ZO2GvJsw2C9AmNgA=
!
12-22-2021 01:43 AM
12-23-2021 03:17 PM - edited 12-23-2021 03:18 PM
You can try what Viktor suggests. You can also compare the supported algorithms on NSO and your devices.
admin@ncs# show ncs-state version
ncs-state version 5.6
admin@ncs#
admin@ncs#
admin@ncs# show running-config devices global-settings ssh-algorithms | details
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
devices global-settings ssh-algorithms kex [ curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 curve448-sha512 ecdh-sha2-nistp521 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 ]
devices global-settings ssh-algorithms mac [ AEAD_AES_128_GCM AEAD_AES_256_GCM hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 ]
devices global-settings ssh-algorithms cipher [ aes128-gcm@openssh.com AEAD_AES_128_GCM chacha20-poly1305@openssh.com aes256-gcm@openssh.com AEAD_AES_256_GCM aes128-ctr aes192-ctr aes256-ctr ]
devices global-settings ssh-algorithms compression [ none zlib zlib@openssh.com ]
devices global-settings ssh-algorithms dh-group min-size 1024
devices global-settings ssh-algorithms dh-group preferred-size 2048
devices global-settings ssh-algorithms dh-group max-size 8192
- ncs: Add support for configurable SSH algorithms in NSO making it
possible to decide which algorithms should be used when connecting to a
device. The new model is available as a global setting underneath
/devices/global-settings, but can also be configured per device, device
profile, cluster node or live status protocol.
In addition to making the algorithms configurable, more algorithms have
been added to the list of supported algorithms and the fetch-host keys
action has been updated to only fetch host keys for the public key
algorithms configured for a device.
It is important to note that the ssh-rsa and ssh-dss algorithms have
been removed from the default list of configured public key algorithms
and therefore to be able to communicate with devices only supporting
these algorithms one has to manually configure them in NSO for these
devices.
I suggest you try adding ssh-rsa and ssh-dss to the ssh-algorithms list. You need to do a show, then copy the list again and add ssh-rsa ssh-dss at the end of the list.
admin@ncs# show running-config devices global-settings ssh-algorithms public-key | details
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
admin@ncs# conf
Entering configuration mode terminal
admin@ncs(config)# devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss ]
admin@ncs(config)# commit dry-run
cli {
    local-node {
        data devices {
                 global-settings {
                     ssh-algorithms {
-                        public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ];
+                        public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss ];
                     }
                 }
             }
    }
}
admin@ncs(config)# commit
Commit complete.
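The comparison of NSO's configured algorithms with what a device offers, as an added example that is not part of the original posts or of NSO itself. It assumes the device's offer has been captured from the peer half of OpenSSH `ssh -vv` debug output; `DEVICE_DEBUG` is a constructed sample, and the function names are hypothetical.

```python
import re

# NSO defaults as shown in the thread (public-key and kex lists only).
NSO_CONFIG = """
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
devices global-settings ssh-algorithms kex [ curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 curve448-sha512 ecdh-sha2-nistp521 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 ]
"""

# Constructed sample: server half of `ssh -vv` output for an older device.
DEVICE_DEBUG = """
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
"""

# Map OpenSSH debug labels to NSO leaf-list names.
LABELS = {"KEX algorithms": "kex", "host key algorithms": "public-key"}
REMOVED_DEFAULTS = {"ssh-rsa", "ssh-dss"}  # dropped from defaults per the release note

def parse_nso(text):
    """Return {category: [algorithms]} from 'ssh-algorithms NAME [ ... ]' entries."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"ssh-algorithms (\S+) \[([^\]]*)\]", text)}

def parse_peer(debug):
    """Return {category: [algorithms]} from the peer KEXINIT part of ssh -vv."""
    peer = debug.split("peer server KEXINIT proposal", 1)[-1]
    out = {}
    for label, cat in LABELS.items():
        m = re.search(rf"debug2: {label}: (\S+)", peer)
        if m:
            out[cat] = m.group(1).split(",")
    return out

def compare(nso, peer):
    """Per category: shared algorithms and those only the device offers."""
    report = {}
    for cat, offered in peer.items():
        configured = nso.get(cat, [])
        missing = [a for a in offered if a not in configured]
        report[cat] = {"common": [a for a in configured if a in offered],
                       "device_only": missing,
                       "removed_default": sorted(REMOVED_DEFAULTS & set(missing))}
    return report

if __name__ == "__main__":
    for cat, r in compare(parse_nso(NSO_CONFIG), parse_peer(DEVICE_DEBUG)).items():
        print(cat, "OK" if r["common"] else "NO OVERLAP", r)
```

A category with an empty `common` list is one where negotiation cannot succeed; the release note quoted above says the algorithms can also be set per device rather than globally.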