
NSO 5.6.3, Failed to connect / authenticate to device

bfinnema
Cisco Employee

I have installed NSO 5.6.3 on my Mac, and when registering a device and trying to fetch host keys, I get this message for an IOS-XR device:

admin@ncs# devices device ncs55A2 ssh fetch-host-keys
result failed
info Failed to connect to device ncs55A2: Protocol error

And for an IOS device:

admin@ncs# devices device c4503 ssh fetch-host-keys
result failed
info Failed to authenticate towards device c4503: No supported SSH key exchange algorithms

I have these devices working with an older 5.2.2 installation of NSO on CentOS.

The same NSO 5.6.3 installation on my Mac works fine with netsim devices. It is only with the real HW devices that I have the issue.

I installed NSO 5.6.2 on an Ubuntu linux VM, and I see exactly the same issue.

I checked these articles:

https://community.cisco.com/t5/nso-developer-hub-discussions/netsim-getting-quot-no-supported-host-key-algorithms-quot-when/td-p/3843412

https://community.cisco.com/t5/nso-developer-hub-discussions/failing-to-fetch-host-keys/td-p/4050877

But I do not think they contain the solution.

Any ideas?

admin@ncs# show running-config devices device ncs55A2
devices device ncs55A2
 address   10.101.180.19
 authgroup dksplab
 device-type cli ned-id cisco-iosxr-cli-7.38
 device-type cli protocol ssh
 state admin-state unlocked
 config
  admin
   exit-admin-config
  !
 !
!
devices authgroups group dksplab
 default-map remote-name   cisco
 default-map remote-password $9$VepU/RfgjrOXh3YQNDZJAm3TJ1hlvvqnYNoeflEMyIs=
 default-map remote-secondary-password $9$FoWXBSxSV7j9YTxmdut99TCMnm5ZO2GvJsw2C9AmNgA=
!
Accepted Solutions

vleijon
Cisco Employee
Yes, in 5.6 there are some changes, in particular ssh-rsa was dropped as default protocol. You can change this by setting the ssh-algorithms setting on your device.


Nabsch
Spotlight

You can try what Viktor suggests. You can also compare the supported algorithms on NSO and your devices.

admin@ncs# show ncs-state version
ncs-state version 5.6
admin@ncs#
admin@ncs#
admin@ncs# show running-config devices global-settings ssh-algorithms | details
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
devices global-settings ssh-algorithms kex [ curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 curve448-sha512 ecdh-sha2-nistp521 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 ]
devices global-settings ssh-algorithms mac [ AEAD_AES_128_GCM AEAD_AES_256_GCM hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 ]
devices global-settings ssh-algorithms cipher [ aes128-gcm@openssh.com AEAD_AES_128_GCM chacha20-poly1305@openssh.com aes256-gcm@openssh.com AEAD_AES_256_GCM aes128-ctr aes192-ctr aes256-ctr ]
devices global-settings ssh-algorithms compression [ none zlib zlib@openssh.com ]
devices global-settings ssh-algorithms dh-group min-size 1024
devices global-settings ssh-algorithms dh-group preferred-size 2048
devices global-settings ssh-algorithms dh-group max-size 8192

- ncs: Add support for configurable SSH algorithms in NSO making it
possible to decide which algorithms should be used when connecting to a
device. The new model is available as a global setting underneath
/devices/global-settings, but can also be configured per device, device
profile, cluster node or live status protocol.
In addition to making the algorithms configurable, more algorithms have
been added to the list of supported algorithms and the fetch-host keys
action has been updated to only fetch host keys for the public key
algorithms configured for a device.
It is important to note that the ssh-rsa and ssh-dss algorithms have
been removed from the default list of configured public key algorithms
and therefore to be able to communicate with devices only supporting
these algorithms one has to manually configure them in NSO for these
devices.

I suggest you try adding ssh-rsa and ssh-dss to the ssh-algorithms list. You need to do a show, then copy the list again and add ssh-rsa ssh-dss at the end of the list.

admin@ncs# show running-config devices global-settings  ssh-algorithms  public-key | details
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
admin@ncs# conf
Entering configuration mode terminal
admin@ncs(config)# devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss  ]
admin@ncs(config)# commit dry-run
cli {
    local-node {
        data  devices {
                  global-settings {
                      ssh-algorithms {
             -            public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ];
             +            public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss ];
                      }
                  }
              }
    }
}
admin@ncs(config)# commit
Commit complete.
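
The comparison of NSO's and a device's algorithm lists suggested above can be scripted. This is an added example, not part of the original posts or NSO itself: it parses the `| details` output shown in the thread and applies the SSH first-match rule per category. The `LEGACY_DEVICE` lists are constructed sample data, and the function names are hypothetical.

```python
import re

# NSO 5.6 defaults, copied from the "show running-config ... | details" output in the thread.
NSO_DEFAULTS = """\
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
devices global-settings ssh-algorithms kex [ curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 curve448-sha512 ecdh-sha2-nistp521 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 ]
devices global-settings ssh-algorithms mac [ AEAD_AES_128_GCM AEAD_AES_256_GCM hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 ]
devices global-settings ssh-algorithms cipher [ aes128-gcm@openssh.com AEAD_AES_128_GCM chacha20-poly1305@openssh.com aes256-gcm@openssh.com AEAD_AES_256_GCM aes128-ctr aes192-ctr aes256-ctr ]
devices global-settings ssh-algorithms compression [ none zlib zlib@openssh.com ]
devices global-settings ssh-algorithms dh-group min-size 1024
"""

# CONSTRUCTED sample of what an older device might advertise in its KEXINIT;
# not captured from the devices in this thread.
LEGACY_DEVICE = {
    "public-key": ["ssh-rsa"],
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
    "mac": ["hmac-sha1", "hmac-sha1-96"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "compression": ["none"],
}

LIST_RE = re.compile(r"ssh-algorithms (\S+) \[ (.*?) \]")

def parse_nso(text):
    """Map category -> ordered algorithm list; scalar dh-group lines are skipped."""
    return {m.group(1): m.group(2).split() for m in LIST_RE.finditer(text)}

def negotiate(client, server):
    """Simplified RFC 4253 sec. 7.1 rule: first client algorithm the server also lists."""
    return {cat: next((a for a in algs if a in server.get(cat, ())), None)
            for cat, algs in client.items()}

def gaps(client, server):
    """For each category with no overlap, return what the device offers instead."""
    chosen = negotiate(client, server)
    return {cat: server.get(cat, []) for cat, alg in chosen.items() if alg is None}

if __name__ == "__main__":
    nso = parse_nso(NSO_DEFAULTS)  # NSO is the SSH client, the device the server
    for cat, alg in negotiate(nso, LEGACY_DEVICE).items():
        print(f"{cat:12} -> {alg or 'NO OVERLAP'}")
    print("categories with no common algorithm:", gaps(nso, LEGACY_DEVICE))
```

Every category must have an overlap for the session to come up, so a device can still fail on `kex` after `public-key` is fixed. Because the release note says the lists can also be set per device, legacy algorithms can be enabled only for the devices that need them instead of globally.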

 

 

 
