Cisco Employee

SSH toward NSO error: no hostkey alg

We are using NSO 5.3.

When I ssh to NSO using OpenSSH_5.3, I got the following error:

[username@localhost ~]$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[afajri@sjc-obs-linux15 ~]$ ssh username@nso -p 2024
no hostkey alg

SSH config in /etc/ncs/ncs.conf:

  <ssh>
    <algorithms>
      <kex>diffie-hellman-group14-sha1</kex>
      <mac>hmac-sha2-512,hmac-sha2-256,hmac-sha1</mac>
      <encryption>aes128-ctr,aes192-ctr,aes256-ctr</encryption>
    </algorithms>
  </ssh>

Question: how to support an older version of the SSH client?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: SSH toward NSO error: no hostkey alg

I followed the steps in @lmanor's response; it didn't solve the problem.

I downgraded to NSO 5.2.1, and it works. The issue is seen on NSO 5.3.

Cisco Employee

Re: SSH toward NSO error: no hostkey alg

From NSO 5.2.1 to 5.3 the built-in SSH server supports ssh-ed25519 host keys and the default SSH host key algorithm has changed to ssh-ed25519 (instead of the previous ssh-rsa).

OpenSSH client must be greater than version 6.5 to support this algorithm.

 

From NSO CHANGES file:

- ncs: NSO's built in SSH server now supports ssh-ed25519 host and user
keys. NSO now also supports ssh-ed25519 host keys for NETCONF NED
connections.
- ncs: NSO's default configuration, in the ncs.conf file written by the
installer, for SSH host keys is now "ssh-ed25519" instead of the
previous "ssh-rsa". To be able to connect to the built-in SSH server,
the SSH client therefore must have support for "ssh-ed25519" as host key
algorithm when the default configuration is in effect.
This means OpenSSH is now required to be version 6.5 or later, and the
python library paramiko, used by netconf-console, is required to be
version 2.2 or later.

 

 

5 REPLIES
Cisco Employee

Re: SSH toward NSO error: no hostkey alg

Hey,

Please see "man ncs.conf" for the allowed settings. ssh -vv is also your friend as you can compare what the server offers vs what the client offers.
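
The comparison suggested above (client offer vs. server offer in `ssh -vv`), as an added example that is not part of the thread or of NSO: a Python parser for the KEXINIT name-lists that applies the first-common-name rule of RFC 4253 section 7.1 to each field. It assumes the older OpenSSH debug layout (`debug2: kex_parse_kexinit:` lines, ten name-lists per side, the client's own proposal first); the sample input is constructed, and `parse_proposals`, `negotiate` and `render` are hypothetical helper names.

```python
import re

# Order of the name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
LINE = re.compile(r"^debug2: kex_parse_kexinit: ?(.*)$")

def parse_proposals(debug_text):
    """Split `ssh -vv` output into (client, server) proposals.
    Assumed layout: ten name-list lines per side, the client's own first."""
    lists = []
    for line in debug_text.splitlines():
        m = LINE.match(line.strip())
        if m and not m.group(1).startswith(("first_kex_follows", "reserved")):
            lists.append([n for n in m.group(1).split(",") if n])
    if len(lists) != 2 * len(FIELDS):
        raise ValueError("expected 20 name-lists, got %d" % len(lists))
    return dict(zip(FIELDS, lists[:10])), dict(zip(FIELDS, lists[10:]))

def negotiate(client, server):
    """Per field, the first name on the client's list that the server also
    offers (simplified RFC 4253 rule). None means no overlap; for "hostkey"
    that is the case the thread's error message reports."""
    return {f: next((n for n in client[f] if n in server[f]), None)
            for f in FIELDS[:8]}

def render(proposal):
    """Render six lists as debug lines (used only to build the sample)."""
    rows = [",".join(proposal[i]) for i in (0, 1, 2, 2, 3, 3, 4, 4, 5, 5)]
    rows += ["first_kex_follows 0", "reserved 0"]
    return "\n".join("debug2: kex_parse_kexinit: " + r for r in rows)

# Constructed sample: a client that only knows ssh-rsa/ssh-dss host keys,
# and a server using the ncs.conf from the question plus an ssh-ed25519 host key.
CLIENT = [["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
          ["ssh-rsa", "ssh-dss"], ["aes128-ctr", "aes256-ctr", "aes128-cbc"],
          ["hmac-md5", "hmac-sha1"], ["none", "zlib@openssh.com"], []]
SERVER = [["diffie-hellman-group14-sha1"], ["ssh-ed25519"],
          ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
          ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"], ["none"], []]
SAMPLE = ("debug1: SSH2_MSG_KEXINIT received\n"
          + render(CLIENT) + "\n" + render(SERVER))

if __name__ == "__main__":
    for field, chosen in negotiate(*parse_proposals(SAMPLE)).items():
        print("%-9s %s" % (field, chosen or "NO COMMON ALGORITHM"))
```

On the sample, every field except `hostkey` finds a common name, which separates a host key mismatch from a problem with the `<kex>`, `<mac>` or `<encryption>` settings.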
Cisco Employee

Re: SSH toward NSO error: no hostkey alg

Cisco Employee

Re: SSH toward NSO error: no hostkey alg

Thanks for the explanation, @lmanor.