Kex error connecting to device using ssh-dss on v1.3.0, worked on v1.2.2 #784

@OSIRIS-REx

SUMMARY

After upgrading ansible-pylibssh from v1.2.2 to v1.3.0, I am no longer able to connect to a legacy device running OpenSSH_5.0 that only supports host key algo ssh-dss. It worked fine on v1.2.2 and it also works with system SSH (OpenSSH_8.0p1).

Running ansible-playbook to connect to the device errors with the following message:
MSG: ['ssh connection failed: ssh connect failed: kex error : no match for method server host key algo: server [ssh-dss], client [ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521]']

ISSUE TYPE

  • Bug Report

PYLIBSSH and LIBSSH VERSION

libssh-devel 0.9.6-14.el8
ansible-pylibssh 1.3.0
ansible.netcommon 8.2.0

ansible [core 2.19.4]
  python version = 3.12.11 (main, Aug 15 2025, 13:38:57) [GCC 8.5.0 20210514 (Red Hat 8.5.0-28)] 
  jinja version = 3.1.6
  pyyaml version = 6.0.3 (with libyaml v0.2.5)

OS / ENVIRONMENT

RHEL 8 -> Alcatel-Lucent Enterprise OmniSwitch device (AOS6)

STEPS TO REPRODUCE

Using ansible-pylibssh v1.3.0, run a playbook which connects to the remote device using host key algo ssh-dss.

- name: Run commands on ALE OmniSwitch AOS6
  hosts: aos6
  connection: ansible.netcommon.network_cli
  gather_facts: false
  tasks:
    - name: "Run show system to gather info about the switch"
      ansible.netcommon.cli_command:
        command: show system

Vars in inventory file:

[aos6:vars]
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=jefvantongerloo.alcatel.aos
ansible_network_cli_ssh_type=libssh
ansible_libssh_hostkeys=ssh-dss

INI entries in ansible.cfg:

[libssh_connection]
hostkeys = ssh-dss

EXPECTED RESULTS

Ansible using pylibssh v1.3.0 should connect to the device without errors, just as when using v1.2.2 or using the native SSH client.
The best would be if pylibssh honored /etc/ssh/ssh_config which contains the following. This worked fine in v1.2.2:

Host *
  HostKeyAlgorithms +ssh-dss

Pylibssh should also honor the variable ansible_libssh_hostkeys=ssh-dss set in the inventory file, or the INI entry in ansible.cfg, but this doesn't seem to be the case.

[libssh_connection]
hostkeys = ssh-dss

ACTUAL RESULTS

After upgrading from pylibssh v1.2.2 to v1.3.0, it's no longer possible to connect to the device.

ansible-playbook [core 2.19.4]
  config file = /home/user/ansible_playbooks/aos6/ansible.cfg
  configured module search path = ['/export/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/share/pipx/venvs/ansible/lib64/python3.12/site-packages/ansible
  ansible collection location = /export/home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /export/home/user/.local/bin/ansible-playbook
  python version = 3.12.11 (main, Aug 15 2025, 13:38:57) [GCC 8.5.0 20210514 (Red Hat 8.5.0-28)] (/home/user/.local/share/pipx/venvs/ansible/bin/python)
  jinja version = 3.1.6
  pyyaml version = 6.0.3 (with libyaml v0.2.5)
Using /home/user/ansible_playbooks/aos6/ansible.cfg as config file
setting up inventory plugins
Loading collection ansible.builtin from 
host_list declined parsing /home/user/ansible_playbooks/aos6/hosts_aos6 as it did not pass its verify_file() method
script declined parsing /home/user/ansible_playbooks/aos6/hosts_aos6 as it did not pass its verify_file() method
auto declined parsing /home/user/ansible_playbooks/aos6/hosts_aos6 as it did not pass its verify_file() method
Parsed /home/user/ansible_playbooks/aos6/hosts_aos6 inventory source with ini plugin
redirecting (type: cache) ansible.builtin.yaml to community.general.yaml
Loading collection community.general from /home/user/.local/share/pipx/venvs/ansible/lib64/python3.12/site-packages/ansible_collections/community/general
Loading collection ansible.netcommon from /export/home/user/.ansible/collections/ansible_collections/ansible/netcommon
redirecting (type: callback) ansible.builtin.debug to ansible.posix.debug
Loading collection ansible.posix from /home/user/.local/share/pipx/venvs/ansible/lib64/python3.12/site-packages/ansible_collections/ansible/posix
Loading callback plugin ansible.posix.debug of type stdout, v2.0 from /home/user/.local/share/pipx/venvs/ansible/lib64/python3.12/site-packages/ansible_collections/ansible/posix/plugins/callback/debug.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: test.yml *********************************************************************************************************************
Positional arguments: test.yml
verbosity: 4
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/home/user/ansible_playbooks/aos6/hosts_aos6',)
forks: 5
1 plays in test.yml
Username: admin
Password: 

PLAY [Run commands on ALE OmniSwitch AOS6] *********************************************************************************************

TASK [Run show system to gather info about the switch] *********************************************************************************
task path: /home/user/ansible_playbooks/aos6/test.yml:15
Loading collection ansible.utils from /home/user/.local/share/pipx/venvs/ansible/lib64/python3.12/site-packages/ansible_collections/ansible/utils
Loading collection jefvantongerloo.alcatel from /usr/share/ansible/collections/ansible_collections/jefvantongerloo/alcatel
<10.13.4.140> attempting to start connection
<10.13.4.140> using connection plugin ansible.netcommon.network_cli
<10.13.4.140> local domain socket does not exist, starting it
<10.13.4.140> control socket path is /home/user/.ansible/pc/423ee443f4
<10.13.4.140> Loading collection ansible.builtin from 
<10.13.4.140> Loading collection ansible.netcommon from /export/home/user/.ansible/collections/ansible_collections/ansible/netcommon
<10.13.4.140> Loading collection ansible.utils from /home/user/.local/share/pipx/venvs/ansible/lib64/python3.12/site-packages/ansible_collections/ansible/utils
<10.13.4.140> Loading collection jefvantongerloo.alcatel from /usr/share/ansible/collections/ansible_collections/jefvantongerloo/alcatel
<10.13.4.140> local domain socket listeners started successfully
<10.13.4.140> loaded cliconf plugin ansible_collections.jefvantongerloo.alcatel.plugins.cliconf.aos from path /usr/share/ansible/collections/ansible_collections/jefvantongerloo/alcatel/plugins/cliconf/aos.py for network_os jefvantongerloo.alcatel.aos
<10.13.4.140> ssh type is set to libssh
<10.13.4.140> Loading collection ansible.builtin from 
<10.13.4.140> local domain socket path is /home/user/.ansible/pc/423ee443f4
<10.13.4.140> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<10.13.4.140> ANSIBLE_NETWORK_IMPORT_MODULES: found ansible.netcommon.cli_command at /export/home/user/.ansible/collections/ansible_collections/ansible/netcommon/plugins/modules/cli_command.py
<10.13.4.140> ANSIBLE_NETWORK_IMPORT_MODULES: running ansible.netcommon.cli_command
<10.13.4.140> ANSIBLE_NETWORK_IMPORT_MODULES: _load_params skipped for action plugin in direct execution
<10.13.4.140> ANSIBLE_NETWORK_IMPORT_MODULES: complete
[ERROR]: Task failed: Action failed: ssh connection failed: ssh connect failed: kex error : no match for method server host key algo: server [ssh-dss], client [ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521]
Origin: /home/user/ansible_playbooks/aos6/test.yml:15:7

13
14   tasks:
15     - name: "Run show system to gather info about the switch"
         ^ column 7

fatal: [10.13.4.140]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "answer": null,
            "check_all": false,
            "command": "show system",
            "newline": true,
            "prompt": null,
            "sendonly": false
        }
    }
}

MSG:

ssh connection failed: ssh connect failed: kex error : no match for method server host key algo: server [ssh-dss], client [ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521]
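
For triaging this failure across many devices, the sketch below (an added example, not part of the original report and not ansible-pylibssh code) parses the libssh negotiation error quoted above out of playbook output and reports which hosts offer only legacy host key algorithms. The function names, the `LEGACY_HOSTKEY_ALGOS` set and the sample lines with 192.0.2.x addresses are constructed for illustration.

```python
import re

# Assumption for this example: ssh-dss (the report's algorithm) counts as legacy.
LEGACY_HOSTKEY_ALGOS = {"ssh-dss"}
# The libssh negotiation failure, in the wording quoted in the report.
KEX_MISMATCH = re.compile(
    r"kex error\s*:\s*no match for method (?P<method>[^:]+):\s*"
    r"server \[(?P<server>[^\]]*)\],\s*client \[(?P<client>[^\]]*)\]")
# Ansible prefixes debug lines with <host> and failures with "fatal: [host]".
HOST_PREFIX = re.compile(r"^(?:fatal: \[|<)(?P<host>[^\]>]+)[\]>]")

def parse_kex_mismatch(line):
    """Return the algorithm lists from one error line, or None if it is not one."""
    m = KEX_MISMATCH.search(line)
    if m is None:
        return None
    server = [a.strip() for a in m.group("server").split(",") if a.strip()]
    client = [a.strip() for a in m.group("client").split(",") if a.strip()]
    return {"method": m.group("method").strip(), "server": server, "client": client,
            # True when every algorithm the device offers is on the legacy list.
            "legacy_only": bool(server) and set(server) <= LEGACY_HOSTKEY_ALGOS}

def audit(lines):
    """Attribute each mismatch to the most recently seen host, once per host."""
    findings, seen, host = [], set(), None
    for line in lines:
        prefix = HOST_PREFIX.match(line)
        if prefix:
            host = prefix.group("host")
        result = parse_kex_mismatch(line)
        if result is None:
            continue
        key = (host, result["method"], tuple(result["server"]))
        if key not in seen:  # verbose output repeats the same error several times
            seen.add(key)
            findings.append({"host": host, **result})
    return findings

# Constructed sample input (192.0.2.0/24 is a documentation range).
ERR = "ssh connect failed: kex error : no match for method server host key algo: server [{}], client [{}]"
CLIENT = "ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
SAMPLE_LOG = [
    "<192.0.2.10> ssh type is set to libssh",
    "[ERROR]: Task failed: Action failed: " + ERR.format("ssh-dss", CLIENT),
    "fatal: [192.0.2.10]: FAILED! => {",
    ERR.format("ssh-dss", CLIENT),
    "<192.0.2.20> ssh type is set to libssh",
    ERR.format("ssh-dss,ssh-rsa", "ssh-ed25519"),
]
```

Calling `audit(SAMPLE_LOG)` yields one finding per host; a host with `legacy_only` set has no host key algorithm other than those in `LEGACY_HOSTKEY_ALGOS`, so it is a candidate for firmware replacement or an isolated management path rather than a client-side algorithm change alone.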
