UNCLASSIFIED - NO CUI

Bug: FIPS causes KexAlgorithms issues with Ansible SSH connection

Enabling FIPS in the ISO image causes Ansible to fail to connect to the babu host via SSH with the following error:

    debug3: will use strict KEX ordering
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: zlib@openssh.com
    debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: zlib@openssh.com
    debug1: kex: curve25519-sha256 need=32 dh_need=32
    debug1: kex: curve25519-sha256 need=32 dh_need=32
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    Connection closed by 10.0.2.15 port 2222

Ansible is attempting to use the KEX algorithm curve25519-sha256, which is not supported on a FIPS-enabled babu host. Force the Ansible SSH connection to the babu host to use ecdsa-sha2-nistp256.
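As an added example (not part of the bug report or the babu project), the following script checks an `ssh -vvv` transcript like the one above for algorithms a FIPS-mode host will reject and builds the `ansible_ssh_common_args` value that pins the handshake. The FIPS allowlists and the `ecdh-sha2-nistp256` KEX name are assumptions for this example; the `ecdsa-sha2-nistp256` host-key name comes from the log.

```python
import re

# Constructed allowlists for this example: algorithms an OpenSSH build in
# FIPS mode will still negotiate. curve25519-sha256 is deliberately absent.
# (Assumption, not taken from the bug report; check your platform's policy.)
FIPS_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"}
FIPS_HOSTKEY = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                "ecdsa-sha2-nistp521", "rsa-sha2-256", "rsa-sha2-512"}

KEX_RE = re.compile(r"^debug1: kex: algorithm: (\S+)$")
HOSTKEY_RE = re.compile(r"^debug1: kex: host key algorithm: (\S+)$")

def negotiated(log_text):
    """Pull the negotiated KEX and host-key algorithm out of `ssh -vvv` output."""
    kex = hostkey = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := KEX_RE.match(line):
            kex = m.group(1)
        elif m := HOSTKEY_RE.match(line):
            hostkey = m.group(1)
    return kex, hostkey

def fips_problems(log_text):
    """List which negotiated algorithms a FIPS-mode host would reject."""
    kex, hostkey = negotiated(log_text)
    problems = []
    if kex is not None and kex not in FIPS_KEX:
        problems.append(f"kex {kex} is not FIPS-approved")
    if hostkey is not None and hostkey not in FIPS_HOSTKEY:
        problems.append(f"host key {hostkey} is not FIPS-approved")
    return problems

def ansible_ssh_common_args(kex="ecdh-sha2-nistp256", hostkey="ecdsa-sha2-nistp256"):
    """Value for ansible_ssh_common_args that pins both sides of the KEX
    (the KEX default is an assumption; the host-key name is from the log)."""
    if kex not in FIPS_KEX or hostkey not in FIPS_HOSTKEY:
        raise ValueError("refusing to pin a non-FIPS algorithm")
    return f"-o KexAlgorithms={kex} -o HostKeyAlgorithms={hostkey}"

# Constructed sample: the relevant lines from the report's ssh debug output.
SAMPLE_LOG = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.0.2.15 port 2222
"""

if __name__ == "__main__":
    for p in fips_problems(SAMPLE_LOG):
        print(p)
    print(ansible_ssh_common_args())
```

Put the returned string in the inventory as `ansible_ssh_common_args=...` for the babu host (or under `[ssh_connection] ssh_args` in ansible.cfg) so every Ansible SSH session negotiates only the pinned algorithms.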