Openssh Issues in Ansible

Can you please confirm what we should use for HP Comware blade switches?

I used the Comware module, but it still gives me an OpenSSH error:

fatal: [BC1-ESM-A]: UNREACHABLE! => {
“changed”: false,
“msg”: “Failed to connect to the host via ssh: OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/home/devops/.ansible/cp/b9a07bf5d6" does not exist\r\ndebug2: resolving "172.16.200.28" port 22\r\ndebug2: ssh_connect_direct: needpriv 0\r\ndebug1: Connecting to 172.16.200.28 [172.16.200.28] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: identity file /home/devops/.ssh/id_rsa type 1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/devops/.ssh/id_rsa-cert type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/devops/.ssh/id_dsa type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/devops/.ssh/id_dsa-cert type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/devops/.ssh/id_ecdsa type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/devops/.ssh/id_ecdsa-cert type -1\r\ndebug1: identity file /home/devops/.ssh/id_ed25519 type 4\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/devops/.ssh/id_ed25519-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.4\r\ndebug1: Remote protocol version 1.99, remote software version Comware-5.20.99\r\ndebug1: no match: Comware-5.20.99\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: Authenticating to 172.16.200.28:22 as ‘Netadmn9’\r\ndebug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"\r\ndebug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:22\r\ndebug3: load_hostkeys: loaded 1 keys from 172.16.200.28\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: 
ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\r\ndebug3: send packet: type 20\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug3: receive packet: type 20\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: local client KEXINIT proposal\r\ndebug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c\r\ndebug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss\r\ndebug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc\r\ndebug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc\r\ndebug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: compression ctos: none,zlib@openssh.com,zlib\r\ndebug2: compression stoc: 
none,zlib@openssh.com,zlib\r\ndebug2: languages ctos: \r\ndebug2: languages stoc: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0 \r\ndebug2: peer server KEXINIT proposal\r\ndebug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: host key algorithms: ssh-dss,ssh-rsa,ecdsa-sha2-nistp256\r\ndebug2: ciphers ctos: aes128-cbc,3des-cbc,des-cbc\r\ndebug2: ciphers stoc: aes128-cbc,3des-cbc,des-cbc\r\ndebug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96\r\ndebug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96\r\ndebug2: compression ctos: none\r\ndebug2: compression stoc: none\r\ndebug2: languages ctos: \r\ndebug2: languages stoc: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0 \r\ndebug1: kex: algorithm: diffie-hellman-group-exchange-sha1\r\ndebug1: kex: host key algorithm: ecdsa-sha2-nistp256\r\ndebug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none\r\ndebug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none\r\ndebug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20\r\ndebug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20\r\ndebug3: send packet: type 34\r\ndebug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent\r\ndebug3: receive packet: type 31\r\ndebug1: got SSH2_MSG_KEX_DH_GEX_GROUP\r\ndebug2: bits set: 2081/4096\r\ndebug3: send packet: type 32\r\ndebug1: SSH2_MSG_KEX_DH_GEX_INIT sent\r\ndebug3: receive packet: type 33\r\ndebug1: got SSH2_MSG_KEX_DH_GEX_REPLY\r\ndebug1: Server host key: ecdsa-sha2-nistp256 SHA256:bgTGv+AXEyg+DG2e5o34PsVm46PYC3wO8uKaq+8sZ8c\r\ndebug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"\r\ndebug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:22\r\ndebug3: load_hostkeys: loaded 1 keys from 172.16.200.28\r\ndebug1: Host ‘172.16.200.28’ is known and matches the ECDSA host key.\r\ndebug1: Found key in 
/home/devops/.ssh/known_hosts:22\r\ndebug2: bits set: 2094/4096\r\ndebug3: send packet: type 21\r\ndebug2: set_newkeys: mode 1\r\ndebug1: rekey after 4294967296 blocks\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug3: receive packet: type 21\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug2: set_newkeys: mode 0\r\ndebug1: rekey after 4294967296 blocks\r\ndebug2: key: /home/devops/.ssh/id_rsa (0x55565ef8f8c0)\r\ndebug2: key: /home/devops/.ssh/id_dsa ((nil))\r\ndebug2: key: /home/devops/.ssh/id_ecdsa ((nil))\r\ndebug2: key: /home/devops/.ssh/id_ed25519 (0x55565ef912b0)\r\ndebug3: send packet: type 5\r\ndebug3: receive packet: type 6\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug3: send packet: type 50\r\ndebug3: receive packet: type 51\r\ndebug1: Authentications that can continue: password\r\ndebug3: start over, passed a different list password\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug1: No more authentication methods to try.\r\nPermission denied (password).”,

The inventory file looks like this:

[eci:vars]
switch_host=**************
switch_user=********
switch_password=*************
switch_key_file=/home/devops/.ssh/id_ed25519

Can you confirm how to fix the OpenSSH issues in Ansible?

I’m not familiar with the Ansible Comware module. Yet, from your output:

debug2: key: /home/devops/.ssh/id_ed25519 (0x55565ef912b0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth

…it looks like it might be an SSH issue, not an issue with the module. SSH sees the key file you want to use, but there are no “Will attempt key” or “Offering public key” debug messages to go with it. So it defaults to wanting a password, which the Comware unit will not accept. (It only allows authentication via “gssapi-with-mic,gssapi-keyex,hostbased,publickey”.) I believe this means the key contained in that file was never tried.

Is your /home/devops/.ssh/id_ed25519 file protected by a passphrase? If so, you likely need to start an SSH agent and add that key to it, so the Ansible-executed SSH command has access to the key. (Either that, or remove the passphrase from the key file.)

Assuming you are using an OpenSSH client on a Unix or GNU/Linux system, you can see if an agent is running by executing “ssh-agent” on the command line. (Executing that on my Fedora Linux machine outputs some shell variables and the ssh-agent PID.) If you don’t have an agent running, you can start one in the shell by executing “ssh-agent $(which bash)”.

Then add a key to it via “ssh-add /home/devops/.ssh/id_ed25519” (and enter the passphrase when prompted). You can see which keys are in your agent by executing “ssh-add -l”.
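As an added example (not part of the thread), here is how I would read the debug transcript quoted in the question: after the client's first authentication request, OpenSSH only attempts the methods the server names in “Authentications that can continue”, so a key that was loaded but never “Offering”/“Will attempt”-ed is expected when the switch lists only password. The same pass also flags the legacy algorithms the switch advertises. The sample transcript is constructed from the question's output; `diagnose` and `LEGACY` are my own names.

```python
import re

# Constructed excerpt modelled on the "UNREACHABLE" message in the question: two
# identity files load, the switch offers only SHA-1 KEX / CBC ciphers, and after
# the first auth request it allows only "password".
SAMPLE_MSG = (
    "debug1: identity file /home/devops/.ssh/id_rsa type 1\\r\\n"
    "debug1: identity file /home/devops/.ssh/id_dsa type -1\\r\\n"
    "debug1: identity file /home/devops/.ssh/id_ed25519 type 4\\r\\n"
    "debug2: peer server KEXINIT proposal\\r\\n"
    "debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\\r\\n"
    "debug2: ciphers ctos: aes128-cbc,3des-cbc,des-cbc\\r\\n"
    "debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96\\r\\n"
    "debug2: first_kex_follows 0 \\r\\n"
    "debug1: Authentications that can continue: password\\r\\n"
    "debug1: No more authentication methods to try.\\r\\n"
    "Permission denied (password)."
)
# Algorithms current OpenSSH clients no longer offer by default; a switch that
# offers nothing else will stop negotiating after the next client upgrade.
LEGACY = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
          "diffie-hellman-group14-sha1", "aes128-cbc", "3des-cbc", "des-cbc",
          "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

def diagnose(msg):
    """Read an 'ssh -vvv' transcript as Ansible embeds it (literal \\r\\n)."""
    loaded, offered, methods, server_algs, in_server = [], False, [], set(), False
    for line in msg.replace("\\r\\n", "\n").splitlines():
        m = re.match(r"debug1: identity file (\S+) type (-?\d+)", line)
        if m and m.group(2) != "-1":                 # type -1 = file not present
            loaded.append(m.group(1))
        elif re.search(r"Offering .*public key|Will attempt key", line):
            offered = True                           # the client really tried a key
        elif "Authentications that can continue:" in line:
            methods = [x.strip() for x in line.rpartition(":")[2].split(",")]
        elif "peer server KEXINIT proposal" in line:
            in_server = True                         # next lines are the switch's offer
        elif in_server and "first_kex_follows" in line:
            in_server = False
        elif in_server and re.match(r"debug2: (KEX algorithms|ciphers ctos|MACs ctos): ", line):
            server_algs.update(line.split(": ", 2)[2].split(","))
    if not offered and methods and "publickey" not in methods:
        verdict = ("switch allows only [%s]; OpenSSH tries only methods the server lists, "
                   "so the key was never attempted: enable public-key auth on the switch" % ",".join(methods))
    elif loaded and not offered:
        verdict = "key loaded but never offered: check passphrase/agent and IdentityFile"
    else:
        verdict = "key offered (or none found): check the client files and the switch side"
    return {"keys_loaded": loaded, "key_offered": offered, "server_auth_methods": methods,
            "legacy_algorithms": sorted(server_algs & LEGACY), "verdict": verdict}
```

Feed it the `msg` string from the Ansible output to get the same verdict for your own run; `keys_loaded` tells you which files the client found and `legacy_algorithms` what the switch will need a KexAlgorithms/Ciphers override for once the client is upgraded.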

Sounds like either your OpenSSH config file is not correct (by default it has a static location), or the permissions on the .ssh folder/file are not set correctly. I would suggest validating the installation, or generally just validating the keys and config file for the correct path/location. These are the common things I have dealt with when using OpenSSH and getting permission issues.

Hello,

Thanks for looking into this issue.

Basically I am doing SSH to a network switch, and my SSH key does not have a passphrase.

Will ssh-add /home/devops/.ssh/id_ed25519 add the key on the switch? It fails when I try to add the key on the switch.

I am sure it's an issue with SSH, but I am unable to figure out why it's giving me this error, as I checked the SSH key permissions and did everything.

Can you suggest if you have any idea of network blade switch modules for HP and IBM BNT switches?

Thanks for looking into this issue.

You are welcome, but I am sorry it has taken me so long to reply.

Basically I am doing SSH to a network switch, and my SSH key does not have a passphrase.

Will ssh-add /home/devops/.ssh/id_ed25519 add the key on the switch? It fails when I try to add the key on the switch.

Are you able to use that key to SSH into the switch outside of Ansible? (If you wrote that, previously, I apologize. I must have missed it.)

If you cannot even get that SSH key to work outside of Ansible, then perhaps the HPE blade’s Comware Operating System cannot handle an ED25519 SSH key. I’ve actually seen that before. (Though not specifically with Comware. I’ve never dealt with an HPE Comware switch.)

If your ED25519 SSH key won’t work, create and try an RSA SSH key.

Can you suggest if you have any idea of network blade switch modules for HP and IBM BNT switches?

I am sorry, I cannot. I am new to Ansible and have never dealt with either of those switches. I wish you luck, though.