Manual SSH connection works, via Ansible fails (used to work)

I’ve been using ansible to configure a catalyst 1000 switch for the last few months. Today I’ve attempted to --check --diff the switch config, only for ansible to return an error about the kex algorithms. This was an issue to begin with and I added the required config to my .ssh/config. I can still manually connect to the switch using ssh <switch IP>: it uses the config and connects fine… so I’m confused why this is no longer working via Ansible. Can anyone give me any pointers?

Output error section:

The full traceback is:
  File "/home/username/repos/ansible/venv/lib/python3.13/site-packages/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/network.py", line 218, in get_capabilities
    capabilities = Connection(module._socket_path).get_capabilities()
  File "/home/username/repos/ansible/venv/lib/python3.13/site-packages/ansible/module_utils/connection.py", line 183, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [catalyst1000]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "available_network_resources": false,
            "gather_network_resources": null,
            "gather_subset": [
                "min"
            ]
        }
    },
    "msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]"
}

PLAY RECAP ***********************************************************************************************************************************************************************************
catalyst1000               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

If you read the error, this is about the ssh configuration

 kex error : no match for method kex algos: 

it cannot match the configured key algorithms on the server (target machine)

server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], 

and the client (ansible machine), which is using a much stronger list

client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]

To see exactly how ansible executes ssh and sets the config, use -vvv, but just adding the configuration for those targets to include the weaker keys should be enough (assuming you cannot change the configuration on the ssh server). ansible.builtin.ssh connection – connect via SSH client binary — Ansible Community Documentation


Yes, I’ve read the error about algorithm mismatch. I have the config in my .ssh/config file that specifies the (poor) algorithms that the switch will accept. I’ve been using this config to connect directly/manually and via Ansible for months. However, it isn’t working any longer.

I can’t see anything in the verbose output that states that the .ssh/config file is being sourced, though I’m not sure if I should.

I’m not sure how to debug this, so any pointers would be appreciated.

You seem to be connecting to some network device, so you should first find out which connection plugin you are using to do that. ansible.netcommon is mentioned in the stacktrace, so it’s likely not ansible-core’s builtin SSH connection plugin.

Also you likely updated something between the last day that connecting worked, and when it no longer worked. My guess is that you updated ansible-core and/or some of the involved collections, like ansible.netcommon and probably a network device specific collection. Looking at the changelogs / porting guides could help as well.

Great, thanks. I’ll go educate myself, and come back if I’m scratching my head :wink:

Note that ansible itself will not source .ssh/config; the ssh plugin uses the ssh command line, and that tool does its own sourcing of configuration. The same happens with the paramiko (deprecated) and libssh based netcommon plugins: they rely on their dependencies to handle the ssh configuration sourcing.
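As an added illustration (not code from the thread or from Ansible): because the SSH library, not Ansible, reads ~/.ssh/config and matches its Host patterns against whatever name it is handed, a Host stanza written for one name silently does not apply when the inventory uses a different one. The small Python re-implementation of ssh_config host matching below reproduces that. The sample config, the names cat1000/catalyst1000 and the address 192.0.2.10 are constructed for the example; it implements Host globbing with ! negation and first-value-wins, skips Match blocks (a simplification), and reports whether the KexAlgorithms value a given inventory name actually lands on names any of the two algorithms the switch offered in the error above.

```python
import re

# Constructed sample ~/.ssh/config for this example (not the poster's file).
SAMPLE_SSH_CONFIG = """
# Legacy Catalyst switch: only offers SHA-1 DH groups
Host cat1000
    HostName 192.0.2.10
    KexAlgorithms +diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa

Host *
    KexAlgorithms curve25519-sha256
"""

# The KEX list the switch offered in the error message quoted in the thread.
SERVER_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"]


def _glob_to_regex(pattern):
    """ssh_config Host patterns support only '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + regex + "$")


def host_matches(patterns, host):
    """Host-block semantics: a matching negated ('!') pattern excludes the
    block; otherwise any matching positive pattern selects it.
    OpenSSH lowercases the host before matching, so do the same."""
    host = host.lower()
    positive = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if _glob_to_regex(pat.lower()).match(host):
            if negate:
                return False
            positive = True
    return positive


def resolve(config_text, host):
    """Effective options for `host` as {keyword_lower: value}.
    Like ssh, the first obtained value for a keyword wins.
    Match blocks are skipped entirely (simplification for this example)."""
    options = {}
    active = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(args.split(), host)
            continue
        if keyword == "match":
            active = False
            continue
        if active and keyword not in options:
            options[keyword] = args
    return options


def client_offers_server_kex(kex_value, server_kex):
    """True if the client's KexAlgorithms value explicitly names an algorithm
    the server offers. '+' / '^' append/prepend to the client default list,
    which (as the client list in the error shows) contains none of the SHA-1
    groups, so the name must appear literally; a '-' prefix only removes."""
    if kex_value is None or kex_value.startswith("-"):
        return False
    names = kex_value.lstrip("+^").split(",")
    return any(name in server_kex for name in names)


def audit(config_text, inventory_hosts, server_kex):
    """For each inventory name, report whether the stanza it really matches
    would let the client negotiate a KEX with this server."""
    result = {}
    for host in inventory_hosts:
        kex = resolve(config_text, host).get("kexalgorithms")
        result[host] = client_offers_server_kex(kex, server_kex)
    return result


if __name__ == "__main__":
    # 'catalyst1000' is the inventory name; the stanza was written for 'cat1000'.
    for host, ok in audit(SAMPLE_SSH_CONFIG, ["catalyst1000", "cat1000"], SERVER_KEX).items():
        print(f"{host}: {'ok' if ok else 'KEX MISMATCH (falls through to Host *)'}")
```

On a real system the equivalent check is `ssh -G catalyst1000 | grep -i kexalgorithms`, which prints the options OpenSSH would actually use for that exact name; compare the name you test with the one in inventory.yaml (or its ansible_host), since that is what the connection plugin hands to its SSH library.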

This was a total error on my part. The hostname in my inventory.yaml and my .ssh/config no longer matched. I’ve aligned them, and now it works as expected.

Thanks for the help all.