Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11548
Views
10
Helpful
5
Replies

SSH toward NSO error: no hostkey alg

Go to solution
afajri
Cisco Employee
Cisco Employee

‎12-12-2019 10:09 AM - edited ‎12-12-2019 10:10 AM

We are using NSO 5.3

 

When ssh to NSO by using OpenSSH_5.3, I got following error:

[username@localhost ~]$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[afajri@sjc-obs-linux15 ~]$ ssh username@nso -p 2024
no hostkey alg

ssh config in /etc/ncs/ncs.conf

  <ssh>
    <algorithms>
      <kex>diffie-hellman-group14-sha1</kex>
      <mac>hmac-sha2-512,hmac-sha2-256,hmac-sha1</mac>
      <encryption>aes128-ctr,aes192-ctr,aes256-ctr</encryption>
    </algorithms>
  </ssh>

question: how to support elder version of SSH client?

 

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
afajri
Cisco Employee
Cisco Employee

‎01-07-2020 09:06 AM

I followed the steps on the @lmanor's response, it doesnt solved the problem.

I downgraded to NSO 5.2.1, and it works. the issue is seen on NSO 5.3

View solution in original post

0 Helpful

Go to solution
lmanor
Cisco Employee
Cisco Employee

‎01-07-2020 09:16 AM

From NSO 5.2.1 to 5.3 the built-in SSH server supportsssh-ed25519 host keys and the default SSH host key algorithm has changed to ssh-ed25519 (instead of previous ssh-rsa).

OpenSSH client must be greater than version 6.5 to support this algorithm.

 

From NSO CHANGES file:

- ncs: NSO's built in SSH server now supports ssh-ed25519 host and user
keys. NSO now also supports ssh-ed25519 host keys for NETCONF NED
connections.
- ncs: NSO's default configuration, in the ncs.conf file written by the
installer, for SSH host keys is now "ssh-ed25519" instead of the
previous "ssh-rsa". To be able to connect to the built-in SSH server,
the SSH client therefore must have support for "ssh-ed25519" as host key
algorithm when the default configuration is in effect.
This means OpenSSH is now required to be version 6.5 or later, and the
python library paramiko, used by netconf-console, is required to be
version 2.2 or later.

 

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
frjansso
Cisco Employee
Cisco Employee

‎12-16-2019 02:21 AM

Hey,

Please see "man ncs.conf" for the allowed settings. ssh -vv is also your friend as you can compare what the server offers vs what the client offers.

Go to solution
afajri
Cisco Employee
Cisco Employee

‎01-07-2020 09:06 AM

I followed the steps on the @lmanor's response, it doesnt solved the problem.

I downgraded to NSO 5.2.1, and it works. the issue is seen on NSO 5.3

0 Helpful

Go to solution
lmanor
Cisco Employee
Cisco Employee

‎01-07-2020 09:16 AM

From NSO 5.2.1 to 5.3 the built-in SSH server supportsssh-ed25519 host keys and the default SSH host key algorithm has changed to ssh-ed25519 (instead of previous ssh-rsa).

OpenSSH client must be greater than version 6.5 to support this algorithm.

 

From NSO CHANGES file:

- ncs: NSO's built in SSH server now supports ssh-ed25519 host and user
keys. NSO now also supports ssh-ed25519 host keys for NETCONF NED
connections.
- ncs: NSO's default configuration, in the ncs.conf file written by the
installer, for SSH host keys is now "ssh-ed25519" instead of the
previous "ssh-rsa". To be able to connect to the built-in SSH server,
the SSH client therefore must have support for "ssh-ed25519" as host key
algorithm when the default configuration is in effect.
This means OpenSSH is now required to be version 6.5 or later, and the
python library paramiko, used by netconf-console, is required to be
version 2.2 or later.

 

 

0 Helpful

Go to solution
afajri
Cisco Employee
Cisco Employee
In response to lmanor

‎01-07-2020 09:22 AM

thanks for the explanation, @lmanor 

0 Helpful
Customers Also Viewed These Support Documents