An example of an Ansible execution error

[root@centos65 ~]# ansible local -m ping
[WARNING]: The version of gmp you have installed has a known issue regarding
timing vulnerabilities when used with pycrypto. If possible, you should update
it (i.e. yum update gmp).

No handlers could be found for logger "paramiko.transport"
192.168.1.116 | FAILED => FAILED: Incompatible ssh peer (no acceptable kex algorithm)
192.168.1.120 | success >> {
    "changed": false,
    "ping": "pong"
}

192.168.1.117 | success >> {
    "changed": false,
    "ping": "pong"
}

 

Error:
192.168.1.116 | FAILED => FAILED: Incompatible ssh peer (no acceptable kex algorithm)

I then remembered that OpenSSH and OpenSSL had been upgraded on 192.168.1.116 earlier:
[root@monitor ~]# ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015

 

While ansible runs, the security log /var/log/secure on 192.168.1.116 shows the following error:
Jan 14 20:59:16 monitor sshd[5194]: fatal: Unable to negotiate with 192.168.1.117: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

 
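Cause: after the OpenSSH upgrade, the key exchange algorithms (kex algorithm ==> key exchange algorithm) changed, and the older diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 are no longer supported. Ansible uses the paramiko module for remote authentication, and the problem is that the installed paramiko is too old to support the newer key exchange algorithms.

Reference: https://github.com/paramiko/paramiko/issues/509

Solutions:

Method 1:
Add the following to /etc/ssh/sshd_config on 192.168.1.116 so that sshd supports the key exchange algorithms named in the error above: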
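KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
As written, this line replaces sshd's default list rather than adding to it, so the server will then accept only these two SHA-1 based algorithms; Method 2 leaves the server's defaults untouched.

Method 2:
Upgrade paramiko on the Ansible server:
pip install paramiko --upgrade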
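The negotiation failure described above can be reproduced offline. The following is an added example, not code from the original post: it parses the sshd line from /var/log/secure, then applies the SSH rule that the first algorithm in the client's offer that the server also supports is chosen. The server list in SERVER_KEX is an assumption for illustration, and the function names are hypothetical.

```python
import re

# Assumed server-side list for illustration (not taken from the page); on a
# real host read the effective list with `sshd -T | grep -i kexalgorithms`.
SERVER_KEX = [
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1",
]
# The two algorithms named in the page's error message.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

# Matches the sshd line from the page; some sshd versions also log "port N".
FAIL_RE = re.compile(
    r"sshd\[\d+\]: fatal: Unable to negotiate with (?P<peer>\S+?)(?: port \d+)?: "
    r"no matching key exchange method found\. Their offer: (?P<offer>\S+)")

def parse_failure(line):
    """Return (peer, offered kex list) for a kex negotiation failure, else None."""
    m = FAIL_RE.search(line)
    return (m.group("peer"), m.group("offer").split(",")) if m else None

def negotiate(client_offer, server_kex):
    """Simplified RFC 4253 7.1 rule: first client algorithm the server supports."""
    return next((alg for alg in client_offer if alg in server_kex), None)

def audit(lines, server_kex=SERVER_KEX):
    """Map each failing peer to its offer, a legacy-only flag, and the outcome."""
    report = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            peer, offer = parsed
            report[peer] = {"offer": offer,
                            "legacy_only": set(offer) <= LEGACY_KEX,
                            "chosen": negotiate(offer, server_kex)}
    return report

SAMPLE_LOG = [
    # Line quoted on the page.
    "Jan 14 20:59:16 monitor sshd[5194]: fatal: Unable to negotiate with "
    "192.168.1.117: no matching key exchange method found. Their offer: "
    "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1",
    # Constructed line that must be ignored.
    "Jan 14 21:03:02 monitor sshd[5301]: Accepted publickey for root from "
    "192.168.1.120 port 40112 ssh2",
]

if __name__ == "__main__":
    for peer, info in audit(SAMPLE_LOG).items():
        print(peer, info)
```

A peer reported with legacy_only set to True is a client whose SSH library needs upgrading (Method 2); passing the Method 1 list as server_kex shows the same offer negotiating diffie-hellman-group1-sha1.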

 

 
================================================================================
python/ansible/paramiko versions are as follows:
================================================================================

[root@centos65 ~]# python -V
Python 2.6.6
[root@centos65 ~]# ansible --version
[WARNING]: The version of gmp you have installed has a known issue regarding
timing vulnerabilities when used with pycrypto. If possible, you should update
it (i.e. yum update gmp).

ansible 1.8.2
configured module search path = None
[root@centos65 ~]# pip freeze
Babel==0.9.4
Beaker==1.3.1
Cheetah==2.4.1
Django==1.4.14
Jinja2==2.2.1
Mako==0.3.4
Markdown==2.0.1
MarkupSafe==0.9.2
MySQL-python==1.2.5
PIL==1.1.7
PyPAM==0.5.0
PyYAML==3.10
Pygments==1.1.1
SSSDConfig==1.9.2
ansible==1.8.2
cas==0.15
cobbler==2.6.3
cups==1.0
cupshelpers==1.0
decorator==3.0.1
distribute==0.6.10
django-admin-bootstrapped==1.6.2
dnspod-python==0.01
ethtool==0.6
firstboot==1.110
freeipa==2.0.0.alpha.0
gateone==1.1
httplib2==0.7.7
iniparse==0.3.1
ipapython==3.0.0
iwlib==1.0
kerberos==1.0
lxml==2.2.3
netaddr==0.7.5
ordereddict==1.1
paramiko==1.7.5
pexpect==2.3
pssh==2.3.1
pyOpenSSL==0.10
pyasn1==0.0.12a
pycrypto==2.0.1
pycurl==7.19.0
pygpgme==0.1
pykickstart==1.74.16
pymongo==2.8
python-default-encoding==0.1
python-keyczar==0.71c
python-ldap==2.3.10
python-meh==0.11
python-nss==0.13
pyxdg==0.18
redis==2.10.3
scdate==1.9.60
sckdump==2.0.5
scservices==0.99.45
scservices.dbus==0.99.45
simplejson==2.0.9
slip==0.2.20
slip.dbus==0.2.20
slip.gtk==0.2.20
smbc==1.0
suds==0.4.1
tornado==2.4
urlgrabber==3.9.1
web.py==0.37
yum-metadata-parser==1.1.2