I’ve been using ansible to configure a catalyst 1000 switch for the last few months. Tday I’ve attempted to --check --diff the switch config, only for ansible to return an error about the kex algorithms. This was an issue to begin with and I added the required config to my .ssh/config. I can still manually connect to the switch using ssh <switch IP>: it uses the config and connects fine… so I’m confused why this is no-longer working via Ansible. Can anyone give my any pointers?
Output error section:
The full traceback is:
File "/home/username/repos/ansible/venv/lib/python3.13/site-packages/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/network.py", line 218, in get_capabilities
capabilities = Connection(module._socket_path).get_capabilities()
File "/home/username/repos/ansible/venv/lib/python3.13/site-packages/ansible/module_utils/connection.py", line 183, in __rpc__
raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [catalyst1000]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"available_network_resources": false,
"gather_network_resources": null,
"gather_subset": [
"min"
]
}
},
"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]"
}
PLAY RECAP ***********************************************************************************************************************************************************************************
catalyst1000 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Yes, I’ve read the error about algorithm mismatch. I have the config in my .ssh/config file that specifies the (poor) algorithms that the switch will accept. I’ve been using this config to connect directly/manually and via Ansible for months. However, it isn’t working any longer.
I can’t see anything in the verbose output that states that the .ssh/config file is being sourced, though I’m not sure if I should.
I’m not sure how to debug this, so any pointers would be appreciated.
You seem to be connecting to some network device, so you should first find out which connection plugin you are using to do that. ansible.netcommon is mentioned in the stacktrace, so it’s likely not ansible-core’s builtin SSH connection plugin.
Also you likely updated something between the last day that connecting worked, and when it no longer worked. My guess is that you updated ansible-core and/or some of the involved collections, like ansible.netcommon and probably a network device specific collection. Looking at the changelogs / porting guides could help as well.
Note that ansible itself will not source .ssh/config, the ssh plugin uses the ssh command line and that tool does it’s own sourcing of configuration, the same happens with paramiko(deprecated) and libssh based netcommon plugins, they rely on their dependencies to handle the ssh configuration sourcing.
This was a total error on my part. The hostname in my inventory.yaml and my .ssh/config no longer matched. I’ve aligned them, and now it works as expected.
