home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Aruba platform integration doesn't work after upgrade ssh-rsa algorithm is deprecated #120492

Open quackelduck opened 3 months ago

quackelduck commented 3 months ago

The problem

I updated my Aruba 305 IAP to major version 8.12. They worked well before regarding the presence detection but I had some minor issues with some other wifi devices so decided to update.

As I found out after research, in Version 8.12 (or maybe even on earlier versions), Aruba has removed the ability to use ssh-rsa as HostKeyAlgorithms as this is deemed insecure and thus Aruba eliminated the ability to connect via ssh-rsa. This means that HA can't connect to Aruba Instant devices any more and returns an unexpected response.

When trying to connect via Terminal/SSH manually:

"ssh {user}@192.168.0.xxx -o HostKeyAlgorithms=ssh-rsa" the response is "Unable to negotiate with 192.168.0.xxx port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519"

-> When I simply change the HostKeyAlgorithm in the above query to rsa-sha2-512 it returns the fingerprint, asks for password and I can request the client list.

Firmware of Aruba IAPs is "8.12.0.1_89864 SSR (Digitally Signed - Production Build)"

What version of Home Assistant Core has the issue?

core-2024.6.4, also core-2024.7.0

What was the last working version of Home Assistant Core?

This is not a HA problem but rather HA is using an outdated encryption.

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Aruba

Link to integration documentation on our website

https://www.home-assistant.io/integrations/aruba/

Diagnostics information

Line 92 in the device_tracker.py is not working for me any more due to the update by Aruba. The HostKeyAlgorithms=ssh-rsa is not supported any more and this code should be changed to HostKeyAlgorithms=rsa-sha2-512 and then tested.

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

### Tasks
- [ ] change line 92 in the code to use a different encryption algorithm.
- [ ] Test for compatibility
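
Added example (not code from Home Assistant or from anyone in this thread): a small Python helper that parses the OpenSSH error quoted in the report and applies the client-first selection rule, showing why a client pinned to `ssh-rsa` finds no match while one that lists `rsa-sha2-512` does. The function names and the second preference list are assumptions for illustration; the parser goes slightly beyond the report by also handling the "key exchange method" form of the same message.

```python
import re

# OpenSSH prints this line when the two sides share no algorithm of one kind.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>.+?) found\. Their offer: (?P<offer>\S+)"
)

# ssh_config option that controls each kind named in the message.
OPTION_FOR_KIND = {
    "host key type": "HostKeyAlgorithms",
    "key exchange method": "KexAlgorithms",
}


def parse_negotiation_error(line):
    """Return (ssh_config option, server offer list), or None if no match."""
    m = NEGOTIATE_RE.search(line)
    if not m:
        return None
    option = OPTION_FOR_KIND.get(m["kind"], m["kind"])
    return option, m["offer"].split(",")


def negotiate(client_prefs, server_offer):
    """RFC 4253 section 7.1, simplified: first client entry the server lists."""
    return next((alg for alg in client_prefs if alg in server_offer), None)


def explain(line, client_prefs):
    """Describe what a client limited to client_prefs gets from this server."""
    parsed = parse_negotiation_error(line)
    if parsed is None:
        return "not a negotiation error"
    option, offer = parsed
    chosen = negotiate(client_prefs, offer)
    if chosen is None:
        return f"{option}: no overlap between {client_prefs} and server offer"
    return f"{option}: would negotiate {chosen}"


# Error line as quoted in the report above.
HOSTKEY_ERROR = (
    "Unable to negotiate with 192.168.0.xxx port 22: no matching host key type "
    "found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519"
)

if __name__ == "__main__":
    print(explain(HOSTKEY_ERROR, ["ssh-rsa"]))  # the pinned value
    print(explain(HOSTKEY_ERROR, ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]))
```

`rsa-sha2-512` and `rsa-sha2-256` sign with the same RSA host key as `ssh-rsa` but use SHA-2 instead of SHA-1, which is why only the algorithm name has to change.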

home-assistant[bot] commented 3 months ago

aruba documentation aruba source

quackelduck commented 3 months ago

Just contacted an Aruba expert and apparently ssh-rsa has been deprecated as it is deemed insecure (he couldn't tell me when exactly, though).

Therefore, the issue could only be fixed on the Aruba side by downgrading the Aruba IAPs which should not be a solution.

cpocarlos commented 2 months ago

Same error for me, using the same Aruba Instant version and running HA7.2

chriswalken commented 2 months ago

Just removing the -o option altogether also works. This is what I've been doing for months now but it's getting annoying since I have to do it every time Home Assistant updates.

I hit this after upgrading to AOS 8.12 so I expect that any version of HA will hit this when talking to APs on AOS 8.12 or later.

Thanks for raising this bug.

# diff device_tracker.py.BEFORE device_tracker.py.AFTER 
92c92
<         connect = f"ssh {self.username}@{self.host} -o HostKeyAlgorithms=ssh-rsa"
---
>         connect = f"ssh {self.username}@{self.host}"
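
Review bot: on line 92, removing `-o HostKeyAlgorithms=ssh-rsa` outright hands algorithm selection back to the ssh client's defaults, so whether an access point is reachable now depends on the client build rather than on this file; that deserves a comment next to `connect` and a line in the integration documentation. If firmware that only offers ssh-rsa still has to be supported, make that an explicit opt-in using the append form `HostKeyAlgorithms=+ssh-rsa`, which extends the default list instead of replacing it, rather than hard-coding another single algorithm such as rsa-sha2-512.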

cpocarlos commented 2 months ago

Just removing the -o option altogether also works. This is what I've been doing for months now but it's getting annoying since I have to do it every time Home Assistant updates.

I hit this after upgrading to AOS 8.12 so I expect that any version of HA will hit this when talking to APs on AOS 8.12 or later.

Thanks for raising this bug.

# diff device_tracker.py.BEFORE device_tracker.py.AFTER 
92c92
<         connect = f"ssh {self.username}@{self.host} -o HostKeyAlgorithms=ssh-rsa"
---
>         connect = f"ssh {self.username}@{self.host}"

I am trying to run "ssh admin@192.168.1.4" but Home Assistant replies with: Unable to negotiate with 192.168.1.4 port 22: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Can you help me find where the device_tracker.py file is located so I can update it?

Thanks

chriswalken commented 2 months ago

Just removing the -o option altogether also works. This is what I've been doing for months now but it's getting annoying since I have to do it every time Home Assistant updates. I hit this after upgrading to AOS 8.12 so I expect that any version of HA will hit this when talking to APs on AOS 8.12 or later. Thanks for raising this bug.

# diff device_tracker.py.BEFORE device_tracker.py.AFTER 
92c92
<         connect = f"ssh {self.username}@{self.host} -o HostKeyAlgorithms=ssh-rsa"
---
>         connect = f"ssh {self.username}@{self.host}"

I am trying to run "ssh admin@192.168.1.4" but Home Assistant replies with: Unable to negotiate with 192.168.1.4 port 22: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Can you help me find where the device_tracker.py file is located so I can update it?

Thanks

Just to confirm, is 192.168.1.4 the IP address of your Aruba AP or the device running Home Assistant?

With respect to the file location, I run Home Assistant in a docker and the file is located at:

/usr/src/homeassistant/homeassistant/components/aruba/device_tracker.py

cpocarlos commented 2 months ago

Just removing the -o option altogether also works. This is what I've been doing for months now but it's getting annoying since I have to do it every time Home Assistant updates. I hit this after upgrading to AOS 8.12 so I expect that any version of HA will hit this when talking to APs on AOS 8.12 or later. Thanks for raising this bug.

# diff device_tracker.py.BEFORE device_tracker.py.AFTER 
92c92
<         connect = f"ssh {self.username}@{self.host} -o HostKeyAlgorithms=ssh-rsa"
---
>         connect = f"ssh {self.username}@{self.host}"

I am trying to run "ssh admin@192.168.1.4" but Home Assistant replies with: Unable to negotiate with 192.168.1.4 port 22: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 Can you help me find where the device_tracker.py file is located so I can update it? Thanks

Just to confirm, is 192.168.1.4 the IP address of your Aruba AP or the device running Home Assistant?

With respect to the file location, I run Home Assistant in a docker and the file is located at:

/usr/src/homeassistant/homeassistant/components/aruba/device_tracker.py

The IP 192.168.1.4 is the IP of the Aruba Virtual-controller.

I am running HAOS and tried to find the device_tracker file but no luck...

Also I have downgraded my Aruba cluster to AOS8.10.0.10 again and I still continue with the problem.

chriswalken commented 2 months ago

Just removing the -o option altogether also works. This is what I've been doing for months now but it's getting annoying since I have to do it every time Home Assistant updates. I hit this after upgrading to AOS 8.12 so I expect that any version of HA will hit this when talking to APs on AOS 8.12 or later. Thanks for raising this bug.

# diff device_tracker.py.BEFORE device_tracker.py.AFTER 
92c92
<         connect = f"ssh {self.username}@{self.host} -o HostKeyAlgorithms=ssh-rsa"
---
>         connect = f"ssh {self.username}@{self.host}"

I am trying to run "ssh admin@192.168.1.4" but Home Assistant replies with: Unable to negotiate with 192.168.1.4 port 22: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 Can you help me find where the device_tracker.py file is located so I can update it? Thanks

Just to confirm, is 192.168.1.4 the IP address of your Aruba AP or the device running Home Assistant? With respect to the file location, I run Home Assistant in a docker and the file is located at: /usr/src/homeassistant/homeassistant/components/aruba/device_tracker.py

The IP 192.168.1.4 is the IP of the Aruba Virtual-controller.

I am running HAOS and tried to find the device_tracker file but no luck...

Also I have downgraded my Aruba cluster to AOS8.10.0.10 again and I still continue with the problem.

I'm not familiar with HAOS but it seems its default ssh config doesn't support any of the KexAlgorithms supported by the AP, at least on that version of AOS. You can try using the -o option or ssh config to tell ssh to use an additional KexAlgorithms, or adjust the ssh config, but I'm not sure if this will survive an HAOS upgrade.

Do you hit the exact same error on 8.11 or 8.12?

See: