ytti / oxidized

Oxidized is a network device configuration backup tool. It's a RANCID replacement!
Apache License 2.0

ssh custom parameters #3265

Open Rico29 opened 2 months ago

Rico29 commented 2 months ago

Hello, I need to pass a custom parameter to ssh for connecting to old equipment, like

-o 'PubkeyAcceptedKeyTypes +ssh-rsa'

I'm quite new to Oxidized and could not find a way to do that. In RANCID I used to do this in .cloginrc:

add sshcmd * {ssh\ -oPubkeyAcceptedKeyTypes=+ssh-rsa}

Is there a way to do something equivalent with Oxidized? Regards

BenOoi commented 2 months ago

I have the exact same question. I am trying to connect to a Cisco C1000 running legacy IOS and this is needed. When I connect from inside the docker container I can connect with:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=ssh-rsa -o PubkeyAcceptedKeyTypes=ssh-rsa -i /home/oxidized/.ssh/id_rsa user@switch

I cannot find a way to add this to the config file.

skiera6 commented 2 months ago

I'm not directly associated with Oxidized, but based on my understanding:

From what I see in the Oxidized code, Oxidized does not support custom ssh_options directly.

However, you can configure your "~/.ssh/config" to include settings like these:

Host switch
    HostName switch
    User user
    IdentityFile /home/oxidized/.ssh/id_rsa
    KexAlgorithms diffie-hellman-group14-sha1
    HostKeyAlgorithms ssh-rsa
    PubkeyAcceptedKeyTypes ssh-rsa

If you are running Oxidized inside a container, make sure the container has access to the SSH configuration and key files. This involves mounting the relevant SSH files into the container and ensuring proper permissions are set. After setting this up, it should work.

Edit: Those options seem to be supported, but I'm not sure about 'PubkeyAcceptedKeyTypes +ssh-rsa'. Use ssh_kex; you can find some info here

ssh_keys: 
ssh_kex: 
ssh_encryption:
ssh_host_key: 
ssh_hmac:

Feel free to correct me

systeembeheerder commented 2 months ago

snippet from my config file:

models:
  vrp:
    vars:
      ssh_kex: "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"
      ssh_keys: "~/.ssh/id_ecdsa"
#  procurve:
#    vars:
#      ssh_kex: "diffie-hellman-group14-sha1"
  fortios:
    vars:
      remove_secret: true
  aosw:
    vars:
      remove_secret: true
  ciscosmb:
    vars:
      ssh_kex: "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"
input:
  default: ssh
  debug: false
  ssh:
    secure: false

Rico29 commented 2 months ago

Nice! Thanks! Is there any doc about that?

systeembeheerder commented 2 months ago

@skiera6 already pointed to the documentation for the ssh options. I just use groups to apply them to all devices of the same model. The exact key names can be found in the ssh_config man pages.
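
An added example, not part of the thread or of Oxidized itself: a small Ruby audit that reads an Oxidized config and reports which scopes enable SHA-1 based key exchange or host key algorithms, and whether `input.ssh.secure` is `false`. It assumes the `models: <name>: vars:` layout from the snippet posted above (plus top-level `vars` and `groups`), and that `secure: false` means host keys are not verified; `audit_oxidized_ssh`, `WEAK` and the sample config are names and data constructed for illustration.

```ruby
require 'yaml'

# SHA-1 based algorithms that legacy devices often require (deprecated elsewhere).
WEAK = {
  'ssh_kex'      => %w[diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
                       diffie-hellman-group-exchange-sha1],
  'ssh_host_key' => %w[ssh-rsa ssh-dss]
}.freeze

# Returns an array of finding strings for an Oxidized config given as YAML text.
def audit_oxidized_ssh(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  findings = []
  # Collect every place vars can be set: globally, per model, per group (assumed layout).
  scopes = { 'global' => cfg['vars'] }
  %w[models groups].each do |section|
    (cfg[section] || {}).each { |name, body| scopes["#{section}.#{name}"] = (body || {})['vars'] }
  end
  scopes.each do |scope, vars|
    next unless vars.is_a?(Hash)
    WEAK.each do |key, weak|
      # Values are comma-separated strings in the thread's snippet; accept lists too.
      offered = Array(vars[key]).flat_map { |v| v.to_s.split(',') }.map(&:strip)
      hits = offered & weak
      findings << "#{scope}: #{key} enables #{hits.join(', ')}" unless hits.empty?
    end
  end
  if cfg.dig('input', 'ssh', 'secure') == false
    findings << 'input.ssh.secure is false: host keys are not verified'
  end
  findings
end

# Constructed sample, modelled on the config snippet posted in the thread.
SAMPLE = <<~CONFIG
  vars:
    ssh_kex: "curve25519-sha256"
  models:
    vrp:
      vars:
        ssh_kex: "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"
    fortios:
      vars:
        remove_secret: true
  input:
    ssh:
      secure: false
CONFIG

puts audit_oxidized_ssh(SAMPLE) if $PROGRAM_NAME == __FILE__
```

A finding on `global` means the legacy algorithms apply to every device; findings scoped to one model or group show the exception is limited to the equipment that needs it.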