Ssh
Ubuntu 密鑰交換算法
我正在嘗試使用 ansible ad-hoc 測試與幾個網路設備的連接,Ansible 安裝在 Ubuntu 20.04.2 LTS 上。
問題:SSH 不工作,因為設備的密鑰交換方法只有 ssh-RSA,伺服器不支持。試圖強制執行 ssh-RSA 但我知道它不可用,因為它沒有作為密碼協商的密鑰交換方法之一發送。
Ansible_輸出:
(venv) omera@sandbox:~/code/ansible/play_06$ ansible all -m ping edge_02 | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.201 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1", "unreachable": true } edge_01 | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.200 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1", "unreachable": true } core_01 | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: Unable to negotiate with 192.168.1.202 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1", "unreachable": true
edge_02_debug_output:
Edge_02# *Jun 7 07:49:14.738: SSH0: starting SSH control process *Jun 7 07:49:14.738: SSH0: sent protocol version id SSH-1.99-Cisco-1.25 *Jun 7 07:49:14.741: SSH0: protocol version id is - SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 *Jun 7 07:49:14.741: SSH2 0: Server certificate trustpoint not found. Skipping hostkey algo = x509v3-ssh-rsa *Jun 7 07:49:14.741: SSH2 0: kexinit sent: hostkey algo = ssh-rsa *Jun 7 07:49:14.741: SSH2 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc *Jun 7 07:49:14.741: SSH2 0: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96 *Jun 7 07:49:14.741: SSH2 0: SSH2_MSG_KEXINIT sent *Jun 7 07:49:14.741: SSH2 0: SSH2_MSG_KEXINIT received *Jun 7 07:49:14.741: SSH2 0: kex: client->server enc:aes128-ctr mac:hmac-sha1 *Jun 7 07:49:14.741: SSH2 0: kex: server->client enc:aes128-ctr mac:hmac-sha1 *Jun 7 07:49:14.741: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
我擔心的是是否可以將 RSA 設置為 ubuntu 上的密鑰交換方法(ansible 正在使用 sshpass)?
ii sshpass 1.06-1 amd64 Non-interactive ssh password authentication
預設情況下,ansible 使用 OpenSSH,這對舊 IOS 版本有點挑剔。您必須在 ~/.ssh/config 中啟用 Diffie–Hellman 密鑰交換和一些較舊的密碼。
KexAlgorithms +diffie-hellman-group1-sha1 Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
或者,您可以嘗試使用 paramiko 進行運輸。
[defaults] inventory = /root/hosts host_key_checking=False timeout = 30 transport = paramiko
雖然這些說明通常適用於 IOS,但我相當肯定您在 IOU 設備上也面臨類似問題。