SSH issue to a Cisco 2960X on RHEL9 and Python 3.9

Hi all!

I just upgraded Python on a test agent server (RHEL9) to 3.9.18 and suddenly I’m getting the below error about encryption key mismatches between the agent and the switch (Cisco 2960X). The same exact playbook runs perfectly fine on RHEL7 using Python 3.9.10. I’m even using the same version of ansible-pylibssh on both boxes. HOWEVER, if I don’t install ansible-pylibssh in my venv at runtime, it falls back to paramiko and works just fine. While this could potentially be fine (aside from the numerous squawks it does about falling back), I’m concerned about what effect not having ansible-pylibssh might have on other playbooks and modules. It seems like it would just be a matter of changing which algos ansible-pylibssh will negotiate, but given the above it seems more like something that either RHEL9 or Python 3.9.18 (or 3.11.7) is doing.

REASON: ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]

Thoughts?

Thanks in advance!
JD

I ended up figuring this out. On our RHEL 9 deployment (and this could be standard, I have no idea), there’s a file at /etc/crypto-policies/back-ends/openssh.config. Had to add ,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 at the end of the KexAlgorithms line to accept the encryption settings the 2960Xs support. Working great now!
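The mismatch in the quoted error can be checked mechanically. The following is an added example, not part of the original posts: it parses the libssh "no match for method" message and compares the three algorithms appended to `KexAlgorithms` with what the switch in that error actually offered. The function names and the `ADDED` list are assumptions made for illustration.

```python
import re

# Error text quoted in the first post (libssh "REASON" line).
SAMPLE_ERROR = (
    "ssh connection failed: ssh connect failed: kex error : no match for "
    "method kex algos: server [diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1], client [curve25519-sha256,"
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group18-sha512]"
)
# The three algorithms the second post appended to KexAlgorithms.
ADDED = ["diffie-hellman-group-exchange-sha1",
         "diffie-hellman-group14-sha1",
         "diffie-hellman-group1-sha1"]

_MISMATCH = re.compile(
    r"no match for method (?P<method>[^:]+): "
    r"server \[(?P<server>[^\]]*)\], client \[(?P<client>[^\]]*)\]"
)

def _split(csv):
    return [a.strip() for a in csv.split(",") if a.strip()]

def parse_mismatch(message):
    """Return (method, server_algos, client_algos), or None if no match."""
    m = _MISMATCH.search(message)
    if m is None:
        return None
    return m["method"].strip(), _split(m["server"]), _split(m["client"])

def review_additions(message, added):
    """Compare algorithms enabled on the client with the server's offer."""
    parsed = parse_mismatch(message)
    if parsed is None:
        raise ValueError("not a libssh 'no match for method' error")
    method, server, client = parsed
    return {
        "method": method,
        "common_before": [a for a in client if a in server],
        "needed": [a for a in added if a in server],
        "not_offered": [a for a in added if a not in server],
        "sha1_only_server": bool(server) and all(a.endswith("-sha1") for a in server),
    }

if __name__ == "__main__":
    for key, value in review_additions(SAMPLE_ERROR, ADDED).items():
        print(f"{key}: {value}")
```

For the error quoted above, `not_offered` contains `diffie-hellman-group1-sha1`, which the switch did not list, so the two remaining SHA-1 methods are enough to get a match. Files under /etc/crypto-policies/back-ends/ are generated by `update-crypto-policies`, so a hand edit there can be overwritten when the policy is re-applied.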
