These days I was fighting with the configuration of multiple AOS6 and AOS8 switches using Ansible, and I discovered that for old versions of AOS6 this doesn’t work because of an encryption limitation in Python.
The error that I had:
ansible_facts:
  discovered_interpreter_python: /usr/bin/python3
module_stderr: |-
  Unknown exception: p must be exactly 1024, 2048, or 3072 bits long
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2075, in run
      self.kex_engine.parse_next(ptype, m)
    File "/usr/lib/python3/dist-packages/paramiko/kex_gex.py", line 101, in parse_next
      return self._parse_kexdh_gex_reply(m)
    File "/usr/lib/python3/dist-packages/paramiko/kex_gex.py", line 281, in _parse_kexdh_gex_reply
      self.transport._verify_key(host_key, sig)
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 1886, in _verify_key
      if not key.verify_ssh_sig(self.H, Message(sig)):
    File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 148, in verify_ssh_sig
      key = dsa.DSAPublicNumbers(
    File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 206, in public_key
      return backend.load_dsa_public_numbers(self)
    File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 676, in load_dsa_public_numbers
      dsa._check_dsa_parameters(numbers.parameter_numbers)
    File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 132, in _check_dsa_parameters
      raise ValueError("p must be exactly 1024, 2048, or 3072 bits long")
  ValueError: p must be exactly 1024, 2048, or 3072 bits long
  Traceback (most recent call last):
    File "/tmp/ansible_gmoisio.ale.ale_aos_config_payload_u_oz8dhc/ansible_gmoisio.ale.ale_aos_config_payload.zip/ansible_collections/gmoisio/ale/plugins/modules/ale_aos_config.py", line 184, in main
    File "/usr/lib/python3/dist-packages/netmiko/ssh_dispatcher.py", line 246, in ConnectHandler
      return ConnectionClass(*args, **kwargs)
    File "/usr/lib/python3/dist-packages/netmiko/base_connection.py", line 317, in __init__
      self._open()
    File "/usr/lib/python3/dist-packages/netmiko/base_connection.py", line 322, in _open
      self.establish_connection()
    File "/usr/lib/python3/dist-packages/netmiko/base_connection.py", line 884, in establish_connection
      self.remote_conn_pre.connect(**ssh_connect_params)
    File "/usr/lib/python3/dist-packages/paramiko/client.py", line 406, in connect
      t.start_client(timeout=timeout)
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 660, in start_client
      raise e
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2075, in run
      self.kex_engine.parse_next(ptype, m)
    File "/usr/lib/python3/dist-packages/paramiko/kex_gex.py", line 101, in parse_next
      return self._parse_kexdh_gex_reply(m)
    File "/usr/lib/python3/dist-packages/paramiko/kex_gex.py", line 281, in _parse_kexdh_gex_reply
      self.transport._verify_key(host_key, sig)
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 1886, in _verify_key
      if not key.verify_ssh_sig(self.H, Message(sig)):
    File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 148, in verify_ssh_sig
      key = dsa.DSAPublicNumbers(
    File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 206, in public_key
      return backend.load_dsa_public_numbers(self)
    File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 676, in load_dsa_public_numbers
      dsa._check_dsa_parameters(numbers.parameter_numbers)
    File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 132, in _check_dsa_parameters
      raise ValueError("p must be exactly 1024, 2048, or 3072 bits long")
  ValueError: p must be exactly 1024, 2048, or 3072 bits long
  During handling of the above exception, another exception occurred:
  Traceback (most recent call last):
    File "/home/ansible/.ansible/tmp/ansible-tmp-1635603168.8900003-75473794216213/AnsiballZ_ale_aos_config.py", line 102, in <module>
      _ansiballz_main()
    File "/home/ansible/.ansible/tmp/ansible-tmp-1635603168.8900003-75473794216213/AnsiballZ_ale_aos_config.py", line 94, in _ansiballz_main
      invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
    File "/home/ansible/.ansible/tmp/ansible-tmp-1635603168.8900003-75473794216213/AnsiballZ_ale_aos_config.py", line 40, in invoke_module
      runpy.run_module(mod_name='ansible_collections.gmoisio.ale.plugins.modules.ale_aos_config', init_globals=None, run_name='__main__', alter_sys=True)
    File "/usr/lib/python3.8/runpy.py", line 207, in run_module
      return _run_module_code(code, init_globals, run_name, mod_spec)
    File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
      _run_code(code, mod_globals, init_globals,
    File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
      exec(code, run_globals)
    File "/tmp/ansible_gmoisio.ale.ale_aos_config_payload_u_oz8dhc/ansible_gmoisio.ale.ale_aos_config_payload.zip/ansible_collections/gmoisio/ale/plugins/modules/ale_aos_config.py", line 223, in <module>
    File "/tmp/ansible_gmoisio.ale.ale_aos_config_payload_u_oz8dhc/ansible_gmoisio.ale.ale_aos_config_payload.zip/ansible_collections/gmoisio/ale/plugins/modules/ale_aos_config.py", line 217, in main
  NameError: name 'ConfigInvalidException' is not defined
module_stdout: ''
msg: |-
  MODULE FAILURE
  See stdout/stderr for the exact error
rc: 1
As a workaround I had to edit:
/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py
And find those two lines:
    if parameters.p.bit_length() not in [1024, 2048, 3072]:
        raise ValueError("p must be exactly 1024, 2048, or 3072 bits long")
And replace them with:
    if parameters.p.bit_length() not in [512, 1024, 2048, 3072]:
        raise ValueError("p must be exactly 512, 1024, 2048, or 3072 bits long")
There is no need to reload any services; it just works afterwards. Source.
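To see which devices actually present a DSA host key whose p the stock check rejects, the following added example (not code from this post, from paramiko or from cryptography) parses known_hosts-format `ssh-dss` lines and reports the bit length of p. The host names and the sample keys are constructed for illustration and are not usable keys.

```python
import base64
import struct

# Sizes accepted by the unmodified check shown in the traceback on this page.
ACCEPTED_P_BITS = (1024, 2048, 3072)


def _read_string(blob, offset):
    """Read one RFC 4251 length-prefixed field; return (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field body")
    return blob[offset + 4:end], end


def dsa_p_bits(known_hosts_line):
    """Return the bit length of p for a 'host ssh-dss BASE64' line."""
    fields = known_hosts_line.split()
    if len(fields) < 3 or fields[1] != "ssh-dss":
        raise ValueError("not an ssh-dss host key line")
    blob = base64.b64decode(fields[2], validate=True)
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-dss":
        raise ValueError("key blob is not ssh-dss")
    p_bytes, _ = _read_string(blob, offset)  # first mpint after the type is p
    return int.from_bytes(p_bytes, "big").bit_length()


def audit(lines):
    """Map host -> (p_bits, accepted_by_unmodified_check)."""
    sizes = {line.split()[0]: dsa_p_bits(line) for line in lines}
    return {host: (bits, bits in ACCEPTED_P_BITS) for host, bits in sizes.items()}


def constructed_line(host, p_bits):
    """Constructed sample: valid wire layout, not a real or usable key."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # room for a clear sign bit
        return struct.pack(">I", len(raw)) + raw
    p = (1 << (p_bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-dss" + b"".join(mpint(v) for v in (p, 3, 2, 5))
    return f"{host} ssh-dss {base64.b64encode(blob).decode()}"


SAMPLE = [constructed_line("switch-a.example", 512), constructed_line("switch-b.example", 1024)]

if __name__ == "__main__":
    for host, (bits, ok) in audit(SAMPLE).items():
        print(host, bits, "accepted" if ok else "rejected by the stock check")
```

The edit to dsa.py applies to every Python program on the host that uses that package, so it is worth knowing exactly which devices depend on it.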
1 comments On Ansible ssh-dss workaround for AOS6
Thanks for this tip, it solves my connection issues with some oneaccess devices using 512 size DSA keys.
Note that you made a typo at the end of your page here, the original lines to replace in the DSA file don’t have the 512 size support.