I just encountered the same issue as described in this thread while trying to connect to an older Cisco network switch (via community.ciscosmb + ansible_connection: network_cli + ansible_network_cli_ssh_type: libssh). The old switch does not support key exchange algorithms other than the legacy options: ssh-rsa, ssh-dss.
Trying to pass the ssh options to enable the old Kex & PubKey algorithms (-o PubkeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa) via --ssh-extra-args, ansible_ssh_extra_args in host_vars, -e ansible_ssh_extra_args=, and the ANSIBLE_SSH_EXTRA_ARGS environment variable all failed.
I switched the connection plugin back to paramiko, and it works again!
It turns out that the docs for ansible.netcommon state that it’s to be deprecated in the future:
Parameter: ssh_extra_args (string, added in ansible.netcommon 3.2.0)
Comments:
Extra arguments exclusive to the ‘ssh’ CLI tool.
ProxyCommand is the only supported argument.
This option is deprecated in favor of proxy_command and will be removed in a release after 2026-01-01.
Configuration:
• INI entry: [ssh_connection] ssh_extra_args = VALUE
• Environment variable: ANSIBLE_SSH_EXTRA_ARGS
• CLI argument: --ssh-extra-args
• Variable: ansible_ssh_extra_args
So, it seems that this option for the ansible.netcommon.libssh connection type plugin is to be deprecated. Meanwhile, it’s often necessary to pass these args in order to connect over SSH to older network devices that do not support the latest SSH Kex/PubKey/HostKey/MACs algorithm name strings.
I hope, for the sake of being able to use Ansible to manage older network switches & devices, that some replacement is kept in mind for the future of the libssh plugin (if paramiko goes away).
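To find out which devices in an inventory are in the situation described in the post above, the following added example (not part of the original post, and not code from Ansible or ansible.netcommon) parses the server's algorithm proposal from saved OpenSSH client `ssh -vv` debug output and reports whether the device offers only the legacy host key algorithms the post names. The sample debug text is constructed, and the function names are hypothetical.

```python
import re

# Host key algorithms the post names as the only ones its old switch offers.
LEGACY_HOSTKEY = {"ssh-rsa", "ssh-dss"}

# Negotiation fields printed by the OpenSSH client at -vv verbosity.
FIELDS = ("KEX algorithms", "host key algorithms", "ciphers ctos",
          "ciphers stoc", "MACs ctos", "MACs stoc")

# Constructed sample of `ssh -vv` output (not captured from a real device).
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc
debug2: first_kex_follows 0
"""


def peer_proposal(debug_text):
    """Return {field: [algorithms]} taken from the server's KEXINIT section only."""
    proposal, in_peer = {}, False
    for line in debug_text.splitlines():
        m = re.match(r"debug2: (.+)$", line.strip())
        if not m:
            continue
        body = m.group(1)
        if body.endswith("KEXINIT proposal"):
            # The client prints its own proposal first; skip that section.
            in_peer = body.startswith("peer server")
            continue
        field, sep, value = body.partition(": ")
        if in_peer and sep and field in FIELDS:
            proposal[field] = [a for a in value.split(",") if a]
    return proposal


def needs_legacy_hostkey(debug_text):
    """True if every offered host key algorithm is legacy; None if no proposal seen."""
    offered = peer_proposal(debug_text).get("host key algorithms")
    if not offered:
        return None
    return set(offered) <= LEGACY_HOSTKEY


if __name__ == "__main__":
    print(peer_proposal(SAMPLE_DEBUG))
    print("legacy-only host keys:", needs_legacy_hostkey(SAMPLE_DEBUG))
```

Devices flagged this way are the ones that depend on a per-host legacy-algorithm exception, which makes them candidates for firmware upgrades or isolation on a management network.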