ssh - Ansible SSH connection error

Tags: ssh ansible

Unable to connect to a device with Ansible:

Using this command:

ansible -m shell -a 'show version' servers

On the device I am trying to connect to, I get this error in the log buffer:

SSH server login is insecure. (ServiceType=stelnet, UserName=edvkrs, IPAddress=10.30.253.254, VPNInstanceName=public, Reason=Negotiated key exchange algorithm is not safe.)

Can you recommend any options or modifications in Ansible's SSH configuration?

Thanks

Thanks, after ssh -vv I got this output:

osboxes@osboxes:~$ ssh -vv edvkrs@10.46.1.1
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "10.46.1.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.46.1.1 [10.46.1.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/osboxes/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version -
debug1: no match: -
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.46.1.1:22 as 'edvkrs'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,sm2kep-sha2-nistp256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-dss,ssh-rsa,ecdsa-sha2-nistp521
debug2: ciphers ctos: AEAD_AES_256_GCM,aes256-gcm@openssh.com,AEAD_AES_128_GCM,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
debug2: ciphers stoc: AEAD_AES_256_GCM,aes256-gcm@openssh.com,AEAD_AES_128_GCM,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-256-96,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-256-96,hmac-sha1-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:aAiYHe0TRpg6AMTDwUYNAw4ZzgCvuOlPy8JGa8chqH0
debug1: Host '10.46.1.1' is known and matches the ECDSA host key.
debug1: Found key in /home/osboxes/.ssh/known_hosts:4
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /home/osboxes/.ssh/id_rsa ((nil))
debug2: key: /home/osboxes/.ssh/id_dsa ((nil))
debug2: key: /home/osboxes/.ssh/id_ecdsa ((nil))
debug2: key: /home/osboxes/.ssh/id_ed25519 ((nil))
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received

**********************************************************************
* Jus esate prisijunge prie privacios irangos. Visi veiksmai,vykdomi *
**********************************************************************
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/osboxes/.ssh/id_rsa
debug1: Trying private key: /home/osboxes/.ssh/id_dsa
debug1: Trying private key: /home/osboxes/.ssh/id_ecdsa
debug1: Trying private key: /home/osboxes/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
User Authentication
debug2: input_userauth_info_req: num_prompts 1
Enter password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.46.1.1 ([10.46.1.1]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: pledge: network
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 131072 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0

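Maybe from this you can tell me how to edit ansible.cfg?

Best answer

Set ansible_ssh_common_args and specify valid key algorithms and ciphers for your SSH server.

For example, in the inventory file: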

[servers]
10.0.0.1 ansible_ssh_common_args="-o HostKeyAlgorithms=ssh-rsa -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha2-512"

You can first check the output of ssh -vv to your device to get the supported algorithms.

You can also check whether there is a module for the device you are trying to connect to ( https://docs.ansible.com/ansible/list_of_network_modules.html ).
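An added example, not part of the original answer: a Python helper that reads `ssh -vv` output like the one in the question, intersects the client and server KEXINIT proposals, and builds `-o` options for `ansible_ssh_common_args` from what both sides offer. The sample log is constructed and abridged, and the weak-algorithm filter is an assumed local policy, not something the device documents.

```python
import re

# Constructed sample: abridged KEXINIT lines modeled on the `ssh -vv` output in the question.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: ciphers ctos: AEAD_AES_256_GCM,aes256-ctr,aes128-ctr,aes256-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-256-96,hmac-sha1-96
"""

# ssh -vv field name -> ssh_config option it controls
FIELDS = {"KEX algorithms": "KexAlgorithms", "ciphers ctos": "Ciphers", "MACs ctos": "MACs"}
# Assumed local policy: drop SHA-1/MD5-based, CBC-mode, 3DES and truncated-MAC algorithms.
WEAK = re.compile(r"sha1|md5|-cbc|3des|-96")

def parse_proposals(log):
    """Return {'client': {...}, 'server': {...}} mapping field name -> algorithm list."""
    side, out = None, {"client": {}, "server": {}}
    for line in log.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        else:
            m = re.match(r"debug2: ([\w ]+): (\S+)$", line.strip())
            if side and m and m.group(1) in FIELDS:
                out[side][m.group(1)] = m.group(2).split(",")
    return out

def common_args(log):
    """Build ssh -o options from algorithms both sides offer, minus weak ones."""
    p = parse_proposals(log)
    opts = []
    for field, option in FIELDS.items():
        server = set(p["server"].get(field, []))
        # Keep the client's preference order; ssh only accepts names the client knows.
        keep = [a for a in p["client"].get(field, []) if a in server and not WEAK.search(a)]
        if not keep:
            raise ValueError(f"no acceptable {field} shared with the server")
        opts.append(f"-o {option}={','.join(keep)}")
    return " ".join(opts)

if __name__ == "__main__":
    print(f'ansible_ssh_common_args="{common_args(SAMPLE)}"')
```

If a category has no acceptable shared algorithm the helper raises instead of silently falling back to a weak one, which is the point at which the device's own SSH configuration needs attention.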

Regarding ssh - Ansible SSH connection error, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/43871266/
