Hi Team
I am receiving below error while connecting to a server via an isolated node
<172.20.1.111> (255, b’', b’OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug2: checking match for 'final all' host 172.20.1.111 originally 172.20.1.111\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'\r\ndebug2: match not found\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-gr…
fatal: [cyclonetest]: UNREACHABLE! => {
“changed”: false,
“msg”: "Failed to connect to the host via ssh: OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug2: checking match for ‘final all’ host 172.20.1.111 originally 172.20.1.111\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched ‘final’\r\ndebug2: match not found\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [curve25519-sha25…
My initial question would be what crypto algorithm is the key you’re attempting to connect with? As you show that FIPS is enabled and I’m assuming this is on a RHEL server the crypto policy is restrictive and some keys simply won’t be able to connect. I know this was the case with my key that is ssh-ed25519 and I had to use an ssh-rsa key instead in the past.
Oh okay… So your AWX task needs to go through a jump box using the ProxyCommand to reach the host then? In that case it does make sense that adding the additional '-o StrictHostKeyChecking=nobefore the ProxyCommand option would work. The-o StrictHostKeyChecking=noincluded in the ProxyCommand is specific to the ProxyCommand call the is being executed. The-o StrictHostKeyChecking=no` outside the ProxyCommand is going to be when checking the final host key when jumping through the jump box. I can’t recall if the option would be passed to the ProxyCommand as well and only need to be added the initial time or not and still work.
Unless you’re explicitly setting the host keys or using Vault host key signing the SSH host key checking is more of just an alert when the host key seen has changed. When connecting to machines that are ephemeral in nature like the cloud there is a good chance that host keys will change especially if a new instance is brought up to replace and older instance. The risk involved would be one that would need to be assessed for your particular environment