[rancid] RHEL7 RANCID 3.1 SSH KeyExchange
heasley
heas at shrubbery.net
Tue Oct 7 18:11:16 UTC 2014
Tue, Oct 07, 2014 at 06:27:48PM +1100, Gavin Jones:
> Hi All,
>
> I have an issue on RHEL7 with SSH logins to older Cisco IOS versions.
>
> What happens is the KeyExchange stops the SSH Connection from retrieving
> the config from the switch.
>
> [rancid@ranc01 ~]# ssh -v user@switch1
>
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> Connection closed by switch1
>
>
> - The fix is to change the keyexchange algorithm for the host. (but this
> does not fix rancid)
it should not be any different via rancid; it does not ignore the .ssh/config.
the host matching in your ssh config may not be correct; eg: IP vs hostname.
> vim /etc/ssh/ssh_config ~/.ssh/config
> chmod -v 600 ~/.ssh/config
>
> [root@ranc01 ~]#
>
> Host 192.168.1.1
> KexAlgorithms diffie-hellman-group14-sha1
> Host 192.168.1.1
> KexAlgorithms diffie-hellman-group14-sha1
you can use Host * and include multiple algorithms.
>
> Now I can ssh fine from the terminal, however in RANCID it still fails.
>
> I see you have cyphertype as a parameter for the .cloginrc but NO
> KexAlgorithms option, you can have a read in the man ssh_config for more
> info.
>
>
> Had issues on both these IOS's:
>
> sh ver
> Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9_NPE-M), Version
> 15.0(1)M3, RELEASE SOFTWARE (fc2)
>
>
> sh ver
> Cisco IOS Software, 2800 Software (C2800NM-IPBASEK9-M), Version 12.4(20)T6,
> RELEASE SOFTWARE (fc2)
>
> Here is the version of SSH:
>
> [root@ranc01 ~]# rpm -qa | grep -i openssh-clients
> openssh-clients-6.4p1-8.el7.x86_64
>
> These are the errors I get in the RANCID log:
>
> switch01: missed cmd(s): all commands
> switch01 clogin error: Error: Connection closed (ssh): switch01
> switch01: End of run not found
>
> Anyone else had similar experiences?
>
> Thanks
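
The reply above points at Host matching (IP vs hostname) as the likely cause. As an added example, not part of the original thread or of RANCID, this Python check resolves which KexAlgorithms value an ssh_config yields for a given name, so the name seen in the RANCID log (switch01) can be tested against the Host patterns. Both sample configs are constructed, and diffie-hellman-group1-sha1 in the wildcard variant is an assumed second algorithm, not one named in the thread.

```python
import fnmatch
import re

# Constructed sample mirroring the Host block quoted in the thread.
SAMPLE_CONFIG = """\
Host 192.168.1.1
    KexAlgorithms diffie-hellman-group14-sha1
"""

# Constructed variant of the reply's suggestion: Host * with several algorithms.
WILDCARD_CONFIG = """\
Host *
    KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""

def host_matches(patterns, target):
    """ssh_config Host semantics: a positive pattern matches, no negated one does."""
    # fnmatch also accepts [..] classes, which ssh_config patterns do not have.
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(target, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(target, pat):
            matched = True
    return matched

def effective_option(config_text, target, option):
    """Return the first value of `option` that applies to `target`, else None."""
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), target)
        elif key == "match":
            active = False  # Match blocks are outside the scope of this check
        elif active and key == option.lower():
            return value  # ssh keeps the first value it obtains
    return None

if __name__ == "__main__":
    for name in ("192.168.1.1", "switch01"):
        print(name, "->", effective_option(SAMPLE_CONFIG, name, "KexAlgorithms"))
    print("switch01 ->", effective_option(WILDCARD_CONFIG, "switch01", "KexAlgorithms"))
```

A result of None for the name RANCID uses means the Host block never applied to that connection.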