ansible / ansible-builder

An Ansible execution environment builder

Modifying ssh config of EE #648

Closed xibriz closed 6 months ago

xibriz commented 6 months ago

I'm having problems connecting to an old switch when running a playbook in my EE.

Traceback (most recent call last):
  File "/runner/.ansible/tmp/ansible-local-16jecfx_xr/ansible-tmp-1707141236.0562057-118-267293888937116/AnsiballZ_pyats_parse_command.py", line 107, in <module>
    _ansiballz_main()
  File "/runner/.ansible/tmp/ansible-local-16jecfx_xr/ansible-tmp-1707141236.0562057-118-267293888937116/AnsiballZ_pyats_parse_command.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/runner/.ansible/tmp/ansible-local-16jecfx_xr/ansible-tmp-1707141236.0562057-118-267293888937116/AnsiballZ_pyats_parse_command.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible.modules.pyats_parse_command', init_globals=dict(_module_fqn='ansible.modules.pyats_parse_command', _modlib_path=modlib_path),
  File "/usr/lib64/python3.9/runpy.py", line 225, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_pyats_parse_command_payload_8_ynl9za/ansible_pyats_parse_command_payload.zip/ansible/modules/pyats_parse_command.py", line 126, in <module>
  File "/tmp/ansible_pyats_parse_command_payload_8_ynl9za/ansible_pyats_parse_command_payload.zip/ansible/modules/pyats_parse_command.py", line 66, in main
  File "/tmp/ansible_pyats_parse_command_payload_8_ynl9za/ansible_pyats_parse_command_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
ansible.module_utils.connection.ConnectionError: ssh connection failed: ssh connect failed: kex error : no match for method kex algos:
server [
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1
  diffie-hellman-group1-sha1
], 
client [
  curve25519-sha256
  curve25519-sha256@libssh.org
  ecdh-sha2-nistp256
  ecdh-sha2-nistp384
  ecdh-sha2-nistp521
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group14-sha256
  diffie-hellman-group16-sha512
  diffie-hellman-group18-sha512
  ]

So the problem is quite clear: I need to add one of the KexAlgorithms to my EE. But how do I do that?

I have tried the following with no success:

---
version: 3
images:
  base_image:
    name: quay.io/centos/centos:stream9
dependencies:
  ansible_core:
    # Require minimum of 2.15 to get ansible-inventory --limit option
    package_pip: ansible-core>=2.15.0rc2,<2.16
  ansible_runner:
    package_pip: ansible-runner
  galaxy: |
    ---
    collections:
      ...
  system: |
    ...
  python: |
    ...
additional_build_steps:
  append_base:
    - RUN $PYCMD -m pip install -U pip
  append_final:
    - COPY --from=quay.io/ansible/receptor:devel /usr/bin/receptor /usr/bin/receptor
    - RUN mkdir -p /var/run/receptor
    - RUN git lfs install --system
    - RUN echo "    KexAlgorithms +diffie-hellman-group1-sha1" >> /etc/ssh/ssh_config
    - RUN echo "    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc" >> /etc/ssh/ssh_config
    - RUN echo "    StrictHostKeyChecking no" >> /etc/ssh/ssh_config
xibriz commented 6 months ago

After some more digging I found that the best solution was to add a new file in the ssh_config.d folder:

    - RUN echo "Host *" >> /etc/ssh/ssh_config.d/custom.conf
    - RUN echo "    KexAlgorithms +diffie-hellman-group1-sha1" >> /etc/ssh/ssh_config.d/custom.conf
    - RUN echo "    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc" >> /etc/ssh/ssh_config.d/custom.conf
    - RUN echo "    StrictHostKeyChecking no" >> /etc/ssh/ssh_config.d/custom.conf

This works, but for my specific needs it was better to just add the following step - RUN update-crypto-policies --set LEGACY based on this information: https://serverfault.com/a/1125849
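The KEX mismatch quoted in the first comment and the ssh_config.d drop-in from the second, worked through as an added Python example (not code from ansible-builder or from the issue author). It parses the "no match for method kex algos" message, picks the strongest key exchange the switch still offers rather than the weakest, renders a fragment that enables it for that one host instead of "Host *", and audits a fragment for settings that weaken every connection from the EE. The host name, the strength ranking and the sample text are assumptions constructed for illustration.

```python
"""Diagnose an SSH KEX mismatch and build a host-scoped ssh_config.d drop-in.

Added example, not code from ansible-builder or from the issue author.
The host name and the KEX strength ranking are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the error text as it appears in the issue, with each
# algorithm on its own line (the client library prints them comma separated).
SAMPLE_ERROR = """kex error : no match for method kex algos:
server [
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1
  diffie-hellman-group1-sha1
],
client [
  curve25519-sha256
  curve25519-sha256@libssh.org
  ecdh-sha2-nistp256
  ecdh-sha2-nistp384
  ecdh-sha2-nistp521
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group14-sha256
  diffie-hellman-group16-sha512
  diffie-hellman-group18-sha512
]"""

# Assumed ranking of the SHA-1 KEX methods an old device may still offer,
# strongest first: group exchange negotiates the group size, group14 is a
# fixed 2048-bit group, group1 is a fixed 1024-bit group.
LEGACY_KEX_RANKING = [
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]


def parse_kex_error(text: str) -> Dict[str, List[str]]:
    """Return {'server': [...], 'client': [...]} from the mismatch message."""
    lists: Dict[str, List[str]] = {}
    for side in ("server", "client"):
        m = re.search(side + r"\s*\[(.*?)\]", text, re.DOTALL)
        if not m:
            raise ValueError(f"no {side} algorithm list in error text")
        # Accept both the one-line comma form and the multi-line form.
        lists[side] = [a for a in re.split(r"[,\s]+", m.group(1)) if a]
    return lists


def choose_kex(server: List[str], client: List[str]) -> Optional[str]:
    """Pick the KEX to opt into; None means the two sides already overlap."""
    if set(server) & set(client):
        return None
    for kex in LEGACY_KEX_RANKING:
        if kex in server:
            return kex
    raise ValueError("server offers no KEX this client can be told to accept")


def render_fragment(host: str, kex: str, ciphers: Optional[List[str]] = None) -> str:
    """Render an ssh_config.d drop-in that opts in only for `host`."""
    lines = [
        f"# Legacy key exchange for {host} only; do not widen this to 'Host *'.",
        f"Host {host}",
        f"    KexAlgorithms +{kex}",
    ]
    if ciphers:  # add ciphers only if a later error names them as the mismatch
        lines.append("    Ciphers +" + ",".join(ciphers))
    # Keep host key verification on: a downgraded KEX is exactly where an
    # attacker in the path would want StrictHostKeyChecking disabled.
    lines.append("    StrictHostKeyChecking yes")
    return "\n".join(lines) + "\n"


def audit_fragment(text: str) -> List[str]:
    """Flag settings in a fragment that weaken every connection from the EE."""
    findings = []
    if re.search(r"^\s*Host\s+\*\s*$", text, re.MULTILINE):
        findings.append("Host * applies the legacy settings to every host")
    if re.search(r"StrictHostKeyChecking\s+no", text):
        findings.append("StrictHostKeyChecking no disables host key verification")
    if "diffie-hellman-group1-sha1" in text:
        findings.append("diffie-hellman-group1-sha1 uses a 1024-bit group")
    if re.search(r"-cbc\b", text):
        findings.append("CBC-mode ciphers enabled")
    return findings


if __name__ == "__main__":
    offers = parse_kex_error(SAMPLE_ERROR)
    chosen = choose_kex(offers["server"], offers["client"])
    print(render_fragment("old-switch.example.net", chosen))  # assumed host name
```

Run as a script it prints the drop-in to place under /etc/ssh/ssh_config.d/ in the EE build step; `ssh -G old-switch.example.net` on the built image shows the effective KexAlgorithms for that host. Note that `update-crypto-policies --set LEGACY` changes the back-end policy for every crypto consumer in the image, not just the connection to this switch, so a host-scoped fragment keeps the downgrade confined to the device that needs it.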