ytti / oxidized

Oxidized is a network device configuration backup tool. It's a RANCID replacement!
Apache License 2.0
2.81k stars 928 forks source link

Unsupported HMAC algorithms - could not settle on hmac_client algorithm #3067

Closed pacionet closed 3 months ago

pacionet commented 9 months ago

I recently installed a Cisco Switch with latest firmware It has the following SSH configuration

#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256
Hostkey Algorithms:rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
**MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com**
KEX Algorithms:curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-787425290

Oxidized (0.28.1) failed with the following error

Feb 15 10:15:58 oxidized[3837221]: D, [2024-02-15T10:15:58.768660 #3837221] DEBUG -- : AUTH METHODS::["none", "publickey", "password"]
Feb 15 10:15:58  oxidized[3837221]: W, [2024-02-15T10:15:58.779837 #3837221]  WARN -- : X.X.X.X raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on hmac_client algorithm"
Feb 15 10:15:58 oxidized[3837221]: D, [2024-02-15T10:15:58.779904 #3837221] DEBUG -- : lib/oxidized/node.rb: Oxidized::SSH failed for 

I think that such HMAC algorithms are not supported. Any workaround?

Thanks

marmack95 commented 7 months ago

Did you try to do as explain in this article: https://github.com/ytti/oxidized/blob/master/docs/Configuration.md (SSH enabling legacy algorithms)