Struggling with Ansible and Cisco

I am having issues getting Ansible to connect with my Cisco switches. I can SSH to the routers from my control node and it works fine. I can use the RAW module to send commands to the switches and it works fine. When I try to use the ios_command module, however, I get authentication errors. I have tried using paramiko and pylibssh. With paramiko I get general authentication errors. With pylibssh, I get key exchange errors or errors about the public key depending on the device. I have looked up several different options to allow the older key exchange algorithms and it works for SSH but not for Ansible connections. Any help would be greatly appreciated!

To add more information, I am running Ansible 2.20.0.

My ansible.cfg file contains the following information:
[defaults]
gathering=explicit
inventory = hosts
retry_files_enabled = False
host_key_checking = False
interpreter_python = /usr/bin/python3.12

[paramiko_connection]
look_for_keys = False

Okay, this is officially driving me nuts. It is working now. I am not sure what I changed between last night and today, but today it is working.

So with a little bit of testing, I think the issue was

[paramiko_connection]
look_for_keys = False

I think I must have had something wrong with it when I was working with it yesterday. I put it back in this morning and it works. I comment it out and it doesn’t. I’m guessing there was a typo in it yesterday.

3 Likes
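An added example, not part of the original posts and not Ansible project code: a small check for the failure mode suspected above, a mistyped key under [paramiko_connection], which also flags the global host_key_checking = False from the posted ansible.cfg. The known-key list is an assumed partial list, and the misspelling in the sample is constructed.

```python
import configparser
import difflib

# Assumed, partial list of [paramiko_connection] keys; extend it from the
# documentation of the Ansible version you run.
KNOWN_PARAMIKO_KEYS = ["host_key_auto_add", "look_for_keys", "proxy_command",
                       "pty", "record_host_keys"]

# Constructed sample: the thread's ansible.cfg with a hypothetical misspelling.
SAMPLE_CFG = """\
[defaults]
gathering=explicit
inventory = hosts
retry_files_enabled = False
host_key_checking = False

[paramiko_connection]
look_for_key = False
"""


def audit_ansible_cfg(text):
    """Return (severity, message) findings for the body of an ansible.cfg."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []

    # A key this list does not know is reported, with a suggestion when it
    # is a near miss of a known key.
    if parser.has_section("paramiko_connection"):
        for key in parser.options("paramiko_connection"):
            if key in KNOWN_PARAMIKO_KEYS:
                continue
            guess = difflib.get_close_matches(key, KNOWN_PARAMIKO_KEYS, n=1, cutoff=0.8)
            hint = f"; did you mean '{guess[0]}'?" if guess else ""
            findings.append(("error", f"unrecognised key '{key}' in [paramiko_connection]{hint}"))

    # Disabling host key checking in [defaults] applies to every host, so
    # no device's SSH host key is verified.
    if not parser.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append(("warn", "host_key_checking is disabled for all hosts in [defaults]"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_ansible_cfg(SAMPLE_CFG):
        print(f"{severity}: {message}")
```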

Thanks for replying with the fix for the issue and not leaving us all hanging 🙂 Hope your journey is smoother from this point. The other thing you could look at is this: ios_command uses the network_cli connection, which requires SSH key‑exchange algorithms supported by the device.

Your switches likely only support legacy KEX/hostkey algorithms that Python 3.12 + modern Paramiko no longer allows. Since raw works, but ios_command fails, try forcing ansible_connection=network_cli, setting ansible_ssh_common_args='-oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa', or using ansible_legacy_ssh=true.

You may also need to downgrade Paramiko or use the ansible.netcommon.network_cli connection plugin.

@David_Dalton Welcome to the Ansible Forum. I’m glad you got it sorted and took the time to reply to your own post, which can help others.

If you have issues, we have a dedicated page on Network Debug and Troubleshooting Guide, though please do start another Forum Thread.

I marked your look_for_keys = False as the solution for this question; this makes it easier for others to see what the fix is.

1 Like

Thanks for your feedback. Everything you suggested was what I needed to do to get it working. The missing piece was the ‘look_for_keys’ setting that apparently I typed incorrectly the first day. The ‘ansible_legacy_ssh=true’ statement was one I had not come across before so I will have to file that away for future reference.

I have worked in the IT field for almost 30 years, but this is my first time working with Ansible. So far I am absolutely loving it!

1 Like