Ssh-rsa preconfiguration for host

Hello!
I'm new to AWX.
For testing, I have everything in a GitHub repo.
I have a pretty old SUSE server which I can only SSH into if I use -oHostKeyAlgorithms=+ssh-rsa.
I want to import this host with these settings preconfigured, because it's the only one.
The yml ChatGPT tried to sell me doesn't get accepted by AWX:

---
ansible_host: 192.168.150.20
ansible_ssh_common_args: '-oHostKeyAlgorithms=+ssh-rsa'

host_list declined parsing /runner/project/nagios.yml as it did not pass its verify_file() method
script declined parsing /runner/project/nagios.yml as it did not pass its verify_file() method

Thank you in advance for your help!

My current yaml after some testing, but still wrong:

- hosts: localhost
  tasks:
    - name: Nagios_3
      add_host:
        name: "192.168.150.20"
        groups: main
        ansible_ssh_common_args: "-o HostKeyAlgorithms=ssh-rsa"

ChatGPT just regurgitates common patterns, so anything it says has to be fact-checked, making it less efficient than just reading the documentation.

The inventory format is determined by the inventory plugin you want to use.

The intro to inventory contains some examples of YAML inventory files as does the yaml inventory plugin.

For example:

group0:
  hosts:
    host0:
      ansible_host: 192.168.150.20
      ansible_ssh_common_args: '-oHostKeyAlgorithms=+ssh-rsa'

$ ansible-inventory -i inv.yml --list
{
    "_meta": {
        "hostvars": {
            "host0": {
                "ansible_host": "192.168.150.20",
                "ansible_ssh_common_args": "-oHostKeyAlgorithms=+ssh-rsa"
            }
        }
    },
    "all": {
        "children": [
            "ungrouped",
            "group0"
        ]
    },
    "group0": {
        "hosts": [
            "host0"
        ]
    }
}
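Added example, not written by anyone in this thread: an audit over `ansible-inventory --list` output (the JSON shape shown above) that reports which hosts carry legacy SSH algorithm overrides in `ansible_ssh_common_args`, and whether each override appends to the client defaults (`+` prefix) or replaces the whole list (no prefix). The hosts host1 and host2 and the sample inventory are constructed for illustration.

```python
import json
import shlex

# Algorithm names copied from the ssh options quoted in this thread.
LEGACY = {
    "hostkeyalgorithms": {"ssh-rsa"},
    "pubkeyacceptedalgorithms": {"ssh-rsa"},
    "pubkeyacceptedkeytypes": {"ssh-rsa"},
    "kexalgorithms": {"diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"},
    "ciphers": {"aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"},
}
MODES = {"+": "append", "-": "remove", "^": "prepend"}  # ssh_config list prefixes

def ssh_options(arg_string):
    """Yield (key, value) for every -o option, in '-oK=V' or '-o K=V' form."""
    tokens = shlex.split(arg_string)
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            opt = tokens[i + 1]
        elif tok.startswith("-o") and len(tok) > 2:
            opt = tok[2:]
        else:
            continue
        parts = opt.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()

def audit(inventory):
    """Return (host, option, mode, legacy_names) for each weakened option."""
    findings = []
    hostvars = inventory.get("_meta", {}).get("hostvars", {})
    for host, hv in sorted(hostvars.items()):
        for key, value in ssh_options(hv.get("ansible_ssh_common_args", "")):
            mode = MODES.get(value[:1], "replace")
            names = value[1:] if value[:1] in MODES else value
            weak = sorted(set(names.split(",")) & LEGACY.get(key, set()))
            if weak and mode != "remove":
                findings.append((host, key, mode, weak))
    return findings

# Constructed sample in the shape of `ansible-inventory --list` output.
SAMPLE = json.loads("""{"_meta": {"hostvars": {
  "host0": {"ansible_ssh_common_args": "-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa"},
  "host1": {"ansible_ssh_common_args": "-o HostKeyAlgorithms=ssh-rsa"},
  "host2": {"ansible_host": "192.0.2.10"}}}}""")
if __name__ == "__main__":
    for host, key, mode, weak in audit(SAMPLE):
        print(f"{host}: {key} ({mode}) enables {', '.join(weak)}")
```

To run it against a real inventory, feed it `json.load()` of the saved `ansible-inventory -i inv.yml --list` output instead of `SAMPLE`.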

Thank you!
I could just for adding inventory find examples for the ssh-rsa in yml in the guide.

I can't test today - I left my other tickets unattended too long for a while :laughing:

No worries. I have a hard time navigating the docs too, but if you google a query like inventory site:docs.ansible.com the intro to inventory will be one of the top results (the first for me).

There are other options to tackle your issue… depending on your needs / use case

Add custom SSH client config allowing the deprecated algo,

either in ~/.ssh/config (per host / match)

Host 192.168.150.20
   KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
   Ciphers +aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
   HostKeyAlgorithms +ssh-rsa
   PubkeyAcceptedAlgorithms +ssh-rsa

For instance, in our environment, it’s likely there are many machines with old ssh server, so rather than specify per host

set globally in /etc/ssh/ssh_config.d/deprecated.conf:

KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers +aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

The way you’ve chosen to do it is probably best… just sharing other available options…

Also if you are new to AWX, there will be a time (probably soon) where you’ll have to build your own execution environment to handle more specific cases / tasks

for this, you should look at ansible-builder to build a customized container (runner)
There are a million and one ways to configure it, it can be difficult to get started,
I’ve put together a template that can help get you started

https://github.com/j-oss2023/ansible-builder-template

Good luck !

Hello - I added the host with the ssh-rsa options set, but it seems it's not used:

How can I edit the ssh config for AWX - I don't think it's using the settings at the local server, but in the Kubernetes container - I don't know how to get there.

Should it be something like ansible_ssh_common_args: '-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa'? If you run a ping test on the CLI with extra verbosity, you can see the ssh command being used to connect ansible -i inv -m ping all -vvv.

At least it got imported with the additional "" - I can try to remove it and test again.
I used ansible_ssh_common_args: '-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa' in the yaml and it got changed like this during the import.

The info was weird, because it was shown in the JSON view - when I change to YAML everything looks okay.

@gothsome

If you can’t get that var working, build your own custom execution environment,

you are right, it doesn't run SSH from the host, but from a specialized “execution environment” container … by default it uses quay.io/ansible/awx-ee:latest

But you can build your own custom environment, check out my repo I posted earlier …

Also read:

https://docs.ansible.com/automation-controller/latest/html/userguide/execution_environments.html

After you’ve built your ee with ansible-builder, you can push it to docker hub:

then in AWX, go to execution environments on the left menu

Then point it to your image that you hosted on docker hub ie.

Make sure the image is public so you don’t have to set up credentials for the registry …

If you make it private you’ll have to set up a Registry credential …


Thank you,
but I slowly think now all this work just for one single host is not worth the time for me to invest.
I thought this would be easy with just the right added code in the details of the host.
I won't open an issue either, because it's a really old host OS from around 2007 and it has to be expected that there would be some incompatibilities.

Thank you for your infos and the ones you will give me in the future!
