
Cannot access switch via ssh with ansible

interfacedy (Spotlight)

Hi, I have an issue when accessing a switch (192.168.1.15) via ssh with ansible. SSH is configured correctly on the switch, because the switch can be accessed by its neighbor switch via ssh. Please see the screenshot below. Can anyone share any solutions? Thank you!

[screenshot: 2.PNG]

9 Replies

Hi,

Are you running SSH version 2 on the switch?

Take a look at this video:

https://www.youtube.com/watch?v=wbVZkb8ocH4

interfacedy (Spotlight)

Thank you for your reply. I watched it and tried it again exactly as in the YouTube video, but it still gives the exact same error message. I have the exact same lab as his, with SSH version 2, but mine cannot work. It's weird.

balaji.bandi (Hall of Fame)

Try:

ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 admin@192.168.1.15

or

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.15

If you have console access to the switch, "show log" gives you more information.

For example, logs like this:

*Oct 24 17:15:22.994: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

interfacedy (Spotlight)

Please see below. The error changed. The second picture is from the switch.

[screenshot: 1.PNG]

[screenshot: 2.PNG]

 

Check which ciphers your Linux client has:

$ ssh -Q cipher

Try:

ssh -vvv -c aes256-cbc admin@192.168.1.15

Check whether you can add ciphers to the Linux client:

https://geekstuff.org/ssh-no-matching-cipher-found/

BB

interfacedy (Spotlight)

Nice link. I tried several ciphers, but none of them work. Below is ssh to a router (7200 / IOS ver 15), which is similar to the previous switch.


admin1@DESKTOP-935CSD2:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

admin1@DESKTOP-935CSD2:~$ ssh -c aes256-cbc admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

admin1@DESKTOP-935CSD2:~$ ssh -vvv -c aes256-cbc admin@192.168.1.16
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.16 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.16 [192.168.1.16] port 22.
debug1: Connection established.
debug1: identity file /home/admin1/.ssh/id_rsa type -1
debug1: identity file /home/admin1/.ssh/id_rsa-cert type -1
debug1: identity file /home/admin1/.ssh/id_dsa type -1
debug1: identity file /home/admin1/.ssh/id_dsa-cert type -1
debug1: identity file /home/admin1/.ssh/id_ecdsa type -1
debug1: identity file /home/admin1/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/admin1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/admin1/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/admin1/.ssh/id_ed25519 type -1
debug1: identity file /home/admin1/.ssh/id_ed25519-cert type -1
debug1: identity file /home/admin1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/admin1/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/admin1/.ssh/id_xmss type -1
debug1: identity file /home/admin1/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.16:22 as 'admin'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-cbc
debug2: ciphers stoc: aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1


Can you post the output of "show run | in ssh" from the device?

It looks like your device has an old legacy config.

Check the SSH v1 and v2 troubleshooting guide:

https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

 

BB
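The log in the post above shows exactly why the connection fails: the OpenSSH 8.2 client offers only SHA-2 and elliptic-curve key exchanges, while the Cisco-1.25 server offers only SHA-1 ones (and only CBC ciphers), so no category-by-category intersection exists. The following added example is not code from this thread, from Cisco or from OpenSSH; it replays the negotiation rule of RFC 4253 section 7.1 over the two KEXINIT proposals in the debug output, shows what the "-c aes256-cbc" and "-oKexAlgorithms=+..." suggestions earlier in the thread change, and derives the smallest per-host option set for Ansible. The client cipher list is assumed to be the OpenSSH 8.2 default (the log was captured with -c, which replaces it), the host-key list is trimmed to the non-certificate entries, and the fallback preference table is this example's own policy.

```python
"""Offline replay of the SSH algorithm negotiation seen in this thread.

Added example (not code from the thread, Cisco or OpenSSH). It applies the
rule of RFC 4253 section 7.1 -- for each category, the first name in the
CLIENT's list that the server also offers wins -- to the two KEXINIT
proposals from the ssh -vvv output above, then derives the smallest set of
client-side options that lets the connection proceed to a legacy IOS box.
"""
from __future__ import annotations

# Names that may appear in a kex list but are extension markers, not key
# exchange methods (RFC 8308 ext-info, OpenSSH 9.6 strict-kex); they must
# never be "chosen".
PSEUDO_KEX = {"ext-info-c", "ext-info-s",
              "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}

# ssh_config / -o option that controls each negotiation category.
OPTION_NAME = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms",
               "cipher": "Ciphers", "mac": "MACs"}

# Legacy algorithms we are willing to re-enable per host, strongest first,
# restricted to what OpenSSH 8.2 still implements (`ssh -Q kex|cipher|mac`).
# diffie-hellman-group1-sha1 (1024-bit group), 3des-cbc and hmac-md5* are
# left out on purpose: the script refuses rather than suggests them.
# This table is the example's own policy, not an OpenSSH or Cisco default.
ACCEPTABLE_FALLBACKS = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"],
    "cipher": ["aes256-cbc", "aes192-cbc", "aes128-cbc"],
    "mac": ["hmac-sha1"],
    "hostkey": ["ssh-rsa"],
}

# Default proposal of the OpenSSH 8.2 client in the thread (kex and mac lists
# copied from its debug2 output; host keys trimmed to the non-certificate
# entries; ciphers are the 8.2 defaults, since Ansible passes no -c).
CLIENT = {
    "kex": ("curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
            "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
            "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
            "diffie-hellman-group14-sha256,ext-info-c"),
    "hostkey": ("ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
                "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"),
    "cipher": ("chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
               "aes128-gcm@openssh.com,aes256-gcm@openssh.com"),
    "mac": ("umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,"
            "umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"),
}

# The Cisco-1.25 (IOS 15) server proposal, copied from the same debug output.
SERVER = {
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa",
    "cipher": "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
    "mac": "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96",
}


def split(names: str) -> list[str]:
    return [n for n in names.split(",") if n]


def negotiate(client: dict[str, str], server: dict[str, str]) -> dict[str, str | None]:
    """Per category: first client-preferred name the server offers, else None."""
    result = {}
    for cat, client_list in client.items():
        offered = set(split(server[cat]))
        result[cat] = next((a for a in split(client_list)
                            if a in offered and a not in PSEUDO_KEX), None)
    return result


def fallback_options(client: dict[str, str], server: dict[str, str]) -> dict[str, str]:
    """For every category that failed, the '+name' to append to the client default."""
    options = {}
    for cat, chosen in negotiate(client, server).items():
        if chosen is not None:
            continue
        offered = split(server[cat])
        pick = next((a for a in ACCEPTABLE_FALLBACKS[cat] if a in offered), None)
        if pick is None:
            raise ValueError(f"server offers no acceptable {cat} algorithm: {offered}")
        options[OPTION_NAME[cat]] = "+" + pick   # '+' appends, so defaults stay first
    return options


def ansible_ssh_common_args(options: dict[str, str]) -> str:
    """Value for the per-host inventory variable ansible_ssh_common_args."""
    return " ".join(f"-o {name}={value}" for name, value in options.items())


def ssh_config_stanza(host: str, options: dict[str, str]) -> str:
    """Equivalent ~/.ssh/config stanza, scoped to one host only."""
    return "\n".join([f"Host {host}"] + [f"    {k} {v}" for k, v in options.items()])


if __name__ == "__main__":
    # Plain `ssh admin@192.168.1.16` (what Ansible does): kex AND cipher fail.
    print(negotiate(CLIENT, SERVER))
    # `ssh -c aes256-cbc ...` as in the thread: cipher now matches, kex still fails,
    # which is the "no matching key exchange method found" line in the log above.
    print(negotiate({**CLIENT, "cipher": "aes256-cbc"}, SERVER))
    opts = fallback_options(CLIENT, SERVER)
    print(ansible_ssh_common_args(opts))
    print(ssh_config_stanza("192.168.1.16", opts))
```

Two points a practitioner should keep in mind. First, the "+" prefix appends to the client's default list rather than replacing it, and the stanza or inventory variable scopes the relaxation to the one legacy host; never put SHA-1 key exchange or CBC ciphers in the global client config. These options are only honored when Ansible invokes the OpenSSH binary (connection: ssh); the network_cli connection with paramiko uses paramiko's own algorithm tables. On OpenSSH 8.8 and later, ssh-rsa (SHA-1 signatures) is also disabled by default, so the same host would additionally need HostKeyAlgorithms=+ssh-rsa. Second, the client-side change is a stopgap: the lasting fix is on the device, with a 2048-bit or larger RSA key, a raised DH minimum (ip ssh dh min size) and, where the image supports the ip ssh server algorithm commands, SHA-2 key exchange and CTR ciphers, which is what the better-SSH-security guide linked later in this thread covers.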

interfacedy (Spotlight)

R7200#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4O7wAiNzdD2WG4Efq+loV5GQVhxsfJCVFjejNG6Y2
3WmEt80EPtLoB8AhcmYuvV/1SPc9z9jQ532D9ri2tO7SACBXtBiTzMYpnp9Y/CZLtnNOWEB5sgEMH2ri
PfyBr5Pksfc4KC0NcUZZnieC5hBRZRZtuLqPDUjjeWDGj8kt6Q==
R7200#
R7200#sh run | i ssh
ip ssh version 2
transport input telnet ssh

"Minimum expected Diffie Hellman key size : 1024 bits"

Try the guide below:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

 

BB