SSH key exchange failed

abhinavr5289
Level 1

Hi,

I am using nso-5.7.1.linux.x86_64.signed.bin in a local VM, and I am getting the SSH key error below.

 

admin@ncs(config-device-Dev_1)# ssh fetch-host-keys result failed
info Failed to authenticate towards device Dev_1: SSH key exchange failed

 

Regards

Abhinav Raghav

1 Accepted Solution


Nabsch
Spotlight

Hello,

In NSO 5.6 and later, there is some change in the default ssh-algorithm supported by NSO.

Someone asked before in the forum; here is the link to the previous post.

 

- ncs: Add support for configurable SSH algorithms in NSO making it
possible to decide which algorithms should be used when connecting to a
device. The new model is available as a global setting underneath
/devices/global-settings, but can also be configured per device, device
profile, cluster node or live status protocol.
In addition to making the algorithms configurable, more algorithms have
been added to the list of supported algorithms and the fetch-host keys
action has been updated to only fetch host keys for the public key
algorithms configured for a device.
It is important to note that the ssh-rsa and ssh-dss algorithms have
been removed from the default list of configured public key algorithms
and therefore to be able to communicate with devices only supporting
these algorithms one has to manually configure them in NSO for these
devices.

 

I suggest you try adding ssh-rsa and ssh-dss to the ssh-algorithms list. You need to do a show, then copy the list again and add ssh-rsa ssh-dss at the end of the list.

 

 

admin@ncs# show running-config devices global-settings  ssh-algorithms  public-key | details
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
admin@ncs# conf
Entering configuration mode terminal
admin@ncs(config)# devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss  ]
admin@ncs(config)# commit dry-run
cli {
    local-node {
        data  devices {
                  global-settings {
                      ssh-algorithms {
             -            public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ];
             +            public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss ];
                      }
                  }
              }
    }
}
admin@ncs(config)# commit
Commit complete.

 

Then perform an ssh fetch-host-keys.
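
The mismatch described in the answer, as an added example that is not part of the original post and not NSO code: it reads the server_host_key_algorithms list from a device's SSH_MSG_KEXINIT payload (RFC 4253) and compares it with the default public-key list shown above, so that ssh-rsa/ssh-dss can be enabled only for the devices that offer nothing else (the release note says the setting is also available per device) instead of for every device. The function names, device names and KEXINIT payloads are constructed for illustration.

```python
import struct

# Default public-key list as shown in the `show running-config` output above.
NSO_DEFAULT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
               "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256"]
LEGACY = {"ssh-rsa", "ssh-dss"}  # removed from the default list per the release note

def _name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[off + 4:end].decode("ascii")
    return (raw.split(",") if raw else []), end

def host_key_algorithms(payload):
    """Return server_host_key_algorithms from an SSH_MSG_KEXINIT payload (RFC 4253, 7.1)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    _, off = _name_list(payload, 17)   # skip type byte, 16-byte cookie, kex_algorithms
    algs, _ = _name_list(payload, off)
    return algs

def assess(offered, configured=NSO_DEFAULT):
    """Classify a device by what it offers versus what the client is configured to accept."""
    common = [a for a in configured if a in offered]
    if common:
        return "ok", common
    legacy = sorted(LEGACY.intersection(offered))
    return ("needs-legacy", legacy) if legacy else ("no-match", [])

def build_kexinit(kex, hostkeys):
    """Build a constructed KEXINIT payload for the demo; the other eight lists are empty."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    head = bytes([20]) + bytes(16) + nl(kex) + nl(hostkeys)
    return head + nl([]) * 8 + b"\x00" + struct.pack(">I", 0)

if __name__ == "__main__":
    # Constructed sample devices, not captured traffic.
    old = build_kexinit(["diffie-hellman-group14-sha1"], ["ssh-rsa", "ssh-dss"])
    new = build_kexinit(["curve25519-sha256"], ["rsa-sha2-512", "ssh-ed25519"])
    for name, p in (("Dev_old", old), ("Dev_new", new)):
        print(name, assess(host_key_algorithms(p)))
```

A device reported as `needs-legacy` is one that works only after ssh-rsa or ssh-dss is added to its algorithm list; `ok` devices need no change to the default list.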
