How to set SSH KexAlgorithm for Ansible 2.3.0.0

Hi,
I’m using Ansible version 2.3.0.0 and I’m trying to connect to an old Cisco IOS router. The issue is that the Cisco IOS still uses diffie-hellman-group1-sha1.
So in order for this to work I naturally made a local config for that particular host in the .ssh/config file to add this key exchange algorithm to the offer, and ssh works without any issues.
Now when I use Ansible, it looks like it does not even read that file and I get an error.

boyan@m-server:/etc/ansible$ sudo ansible ka-ce001 -m raw -a 'show users' -c ssh
ka-ce001 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Unable to negotiate with 10.1.3.6 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1\r\n",
    "unreachable": true
}

I used the explicit option -c ssh hoping that it would use the specific ssh configurations, but it didn’t.

The question is, how can I make Ansible also use diffie-hellman-group1-sha1? I know it’s considered not secure, it’s an old box, which does not have the option to upgrade.

Regards,
Boyan

It sounds like 'sudo ansible' picks up different env vars than just
ssh-ing to the Cisco?
Out of interest, what is the reason you're doing 'sudo ansible'?

Dick

Hi Dick,
It was out of inexperience with the tool. This one is solved now, but I have other issues, for which I’ll open another thread.

Regards,
Boyan

On Tuesday, 30 May 2017, 20:02:26 UTC+3, Dick Visser wrote:

Hey Boyan, how did you solve this issue with Ansible?

thanks

Add the following to your ansible.cfg file:

# ./ansible.cfg
[defaults]
transport = ssh
[ssh_connection]
ssh_args = -F ./ssh_config

then add an ssh_config file with whatever you need in the same directory,
and ansible will pick it up.

IIRC you need transport to ensure that it uses "real" openssh to
connect.

A+
Dave
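
An ssh_config for the router from the first post, as an added example that is not part of the thread. The host alias and address are taken from the error output above, and it assumes an OpenSSH client that accepts the "+" prefix for KexAlgorithms.

```sshconfig
# ./ssh_config  (added example; read by ssh through "-F ./ssh_config" in ansible.cfg)
#
# Scope the legacy key exchange to the one router instead of "Host *",
# so every other host keeps the OpenSSH default algorithm set.
# Both names are listed so the block matches whether ssh is handed
# the inventory alias or the address.
Host ka-ce001 10.1.3.6
    # The leading "+" appends to the default list rather than replacing it.
    KexAlgorithms +diffie-hellman-group1-sha1

# Check what ssh will actually offer for this host:
#   ssh -F ./ssh_config -G ka-ce001 | grep -i kexalgorithms
```

The -F path is relative, so run ansible from the directory that holds both ansible.cfg and ssh_config.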