Ssh

Ubuntu 密鑰交換算法

  • June 7, 2021

我正在嘗試使用 ansible ad-hoc 測試與幾個網路設備的連接,Ansible 安裝在 Ubuntu 20.04.2 LTS 上。

問題:SSH 不工作,因為設備的密鑰交換方法只有 ssh-RSA,伺服器不支持。試圖強制執行 ssh-RSA 但我知道它不可用,因為它沒有作為密碼協商的密鑰交換方法之一發送。

Ansible_輸出:

   (venv) omera@sandbox:~/code/ansible/play_06$ ansible all -m ping
edge_02 | UNREACHABLE! => {
   "changed": false,
   "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.201 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
   "unreachable": true
}
edge_01 | UNREACHABLE! => {
   "changed": false,
   "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.200 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
   "unreachable": true
}
core_01 | UNREACHABLE! => {
   "changed": false,
   "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.202 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
   "unreachable": true

edge_02_debug_output:

Edge_02#

   *Jun  7 07:49:14.738: SSH0: starting SSH control process
   *Jun  7 07:49:14.738: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
   *Jun  7 07:49:14.741: SSH0: protocol version id is - SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
   *Jun  7 07:49:14.741: SSH2 0: Server certificate trustpoint not found. Skipping hostkey algo = x509v3-ssh-rsa
   *Jun  7 07:49:14.741: SSH2 0: kexinit sent: hostkey algo = ssh-rsa
   *Jun  7 07:49:14.741: SSH2 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
   *Jun  7 07:49:14.741: SSH2 0: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96
   *Jun  7 07:49:14.741: SSH2 0: SSH2_MSG_KEXINIT sent
   *Jun  7 07:49:14.741: SSH2 0: SSH2_MSG_KEXINIT received
   *Jun  7 07:49:14.741: SSH2 0: kex: client->server enc:aes128-ctr mac:hmac-sha1 
   *Jun  7 07:49:14.741: SSH2 0: kex: server->client enc:aes128-ctr mac:hmac-sha1 
   *Jun  7 07:49:14.741: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

我擔心的是是否可以將 RSA 設置為 ubuntu 上的密鑰交換方法(ansible 正在使用 sshpass)?

ii  sshpass  1.06-1   amd64  Non-interactive ssh password authentication

預設情況下,ansible 使用 OpenSSH,這對舊 IOS 版本有點挑剔。您必須在 ~/.ssh/config 中啟用 Diffie–Hellman 密鑰交換和一些較舊的密碼。

KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

或者,您可以嘗試使用 paramiko 進行運輸。

[defaults]
inventory = /root/hosts
host_key_checking=False
timeout = 30
transport = paramiko

雖然這些說明通常適用於 IOS,但我相當肯定您在 IOU 設備上也面臨類似問題。

來源

引用自:https://serverfault.com/questions/1065936