I was setting up LibreNMS (version 22.2.1 at time of writing) and found out that it also has a plugin called oxidized (version 0.28.0 at time of writing) that allows you to back up configuration files. So I figured why not, let’s replace my dated rconfig setup. In my opinion oxidized is a bit archaic, but it seems to be based on an old tool called RANCID. Long story short, it is a bit on the YAML-heavy side and takes some manual configuration in the shell. My oxidized config looks like this, for example:
# - keyboard-interactive
groups: {}
models: {}
pid: /home/oxidized/.config/oxidized/pid
input:
  default: ssh
  debug: false
  ssh:
    secure: false
output:
  default: file
  file:
    directory: /home/oxidized/.config/oxidized/configs
source:
  default: csv
  csv:
    file: /home/oxidized/.config/oxidized/router.db
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      ip: 1
      model: 2
      username: 3
      password: 4
    vars_map:
      ssh_kex: 5
      ssh_host_key: 6
      ssh_hmac: 7
      ssh_encryption: 8
      enable: 9
    gpg: false
model_map:
  cisco: ios
  juniper: junos
  asa: asa
I kept getting KEX errors for my ASA when it was trying to log in:
raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on kex algorithm"
My ASA router.db line looked like this (replacing xxxxx with actual passwords):
madfw5:192.168.150.1:asa:admin:xxxxxxx:+diffie-hellman-group1-sha1:ssh-rsa:hmac-sha2-256:aes256-cbc:xxxxxxxx
I knew this was a good KEX (diffie-hellman-group1-sha1), as I forced it via the ASA, and SSH worked via PuTTY and from other switches on the network. It also worked for my Cisco switches via oxidized. For reference, my ASA is running ASA 9.16(2)14 and ASDM 7.17(1)152. I wanted to see what other options exist, so I ran show ssh:
madfw5# show ssh
Idle Timeout: 60 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes128-gcm@openssh.com aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc chacha20-poly1305@openssh.com
Cipher integrity algorithms enabled: hmac-sha2-256
and checked my KEX:
madfw5# sh run ssh
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha256
But I kept getting the error. Doing some digging, I saw that oxidized uses the Net::SSH perl module, and its GitHub repository is kept fairly up to date and lists which algorithms are currently supported: https://github.com/net-ssh/net-ssh
I saw that ecdh-sha2-nistp256 was allowed and supported, and the ASA offers it too, as tab-completing the option shows:
madfw5(config)# ssh key-exchange group ?
configure mode commands/options:
curve25519-sha256 Diffie-Hellman group-31-sha256
dh-group1-sha1 Diffie-Hellman group 2 (DEPRECATED)
dh-group14-sha1 Diffie-Hellman group-14-sha1
dh-group14-sha256 Diffie-Hellman group-14-sha256
ecdh-sha2-nistp256 Diffie-Hellman group-19-sha256
Then forced it by finishing out the command in configure terminal mode:
madfw5# conf t
madfw5(config)#
madfw5(config)# ssh key-exchange group ecdh-sha2-nistp256
So now it shows:
madfw5(config)# sh run ssh
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group ecdh-sha2-nistp256
madfw5(config)#
Good to go: now the ASA is backing up and running in oxidized, huzzah! I am still learning what else oxidized can do. My next step is to enable git, so it will automatically upload new versions of the configuration files it backs up.
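As an added example (not Oxidized's or net-ssh's own code; Ruby is used because that is the language both are written in), the script below parses the ASA router.db line with the map/vars_map columns from the config above, expands the "+alg" prefix the way net-ssh does, and applies the SSH rule for picking a KEX (RFC 4253 section 7.1) against the single group the ASA is set to, so you can dry-run the "could not settle on kex algorithm" failure with dh-group14-sha256 and the success with ecdh-sha2-nistp256 before touching the firewall. The client's default KEX list and the mapping from ASA group names to wire algorithm names are assumptions, marked as such in the code.

```ruby
# Added example, not Oxidized's or net-ssh's own code. Column indexes come from
# the config's map: and vars_map: sections above.
MAP      = { name: 0, ip: 1, model: 2, username: 3, password: 4 }
VARS_MAP = { ssh_kex: 5, ssh_host_key: 6, ssh_hmac: 7, ssh_encryption: 8, enable: 9 }
# ASSUMED stand-in for the client's built-in KEX preference list; the real list
# depends on the installed net-ssh version, so check its README for your install.
DEFAULT_KEX = %w[ecdh-sha2-nistp256 diffie-hellman-group14-sha1]
# ASSUMED mapping from ASA "ssh key-exchange group" names (the CLI help above)
# to the algorithm names used on the wire.
ASA_KEX = {
  "curve25519-sha256"  => "curve25519-sha256",
  "dh-group1-sha1"     => "diffie-hellman-group1-sha1",
  "dh-group14-sha1"    => "diffie-hellman-group14-sha1",
  "dh-group14-sha256"  => "diffie-hellman-group14-sha256",
  "ecdh-sha2-nistp256" => "ecdh-sha2-nistp256",
}
# The ASA line from router.db above (xxxxxxx stands in for the real passwords).
SAMPLE_LINE = "madfw5:192.168.150.1:asa:admin:xxxxxxx:+diffie-hellman-group1-sha1:ssh-rsa:hmac-sha2-256:aes256-cbc:xxxxxxxx"

# Split one router.db line on ":" (the config's delimiter) into node fields and vars.
def parse_router_line(line)
  fields = line.split(":")
  node = MAP.transform_values { |i| fields[i] }
  node[:vars] = VARS_MAP.transform_values { |i| fields[i] }
  node
end

# net-ssh treats an algorithm list as edits to its default when every entry is
# prefixed: "+alg" appends, "-alg" removes. Unprefixed names replace the default.
def client_kex_list(spec, defaults = DEFAULT_KEX)
  return defaults if spec.nil? || spec.empty?
  items = spec.split(",")
  return items unless items.all? { |a| a.start_with?("+", "-") }
  items.reduce(defaults) { |list, a| a.start_with?("+") ? list + [a[1..-1]] : list - [a[1..-1]] }
end

# RFC 4253 section 7.1: the first client algorithm the server also offers wins;
# nil means the two sides cannot settle on a KEX.
def negotiate_kex(client, server)
  client.find { |alg| server.include?(alg) }
end

# Dry-run the negotiation for a router.db line against the single group the ASA is set to.
def check_node(line, asa_group)
  client = client_kex_list(parse_router_line(line)[:vars][:ssh_kex])
  server = [ASA_KEX.fetch(asa_group)]
  negotiate_kex(client, server) || "could not settle on kex algorithm (client offered #{client.join(',')})"
end

puts check_node(SAMPLE_LINE, "dh-group14-sha256")   # the failing setup
puts check_node(SAMPLE_LINE, "ecdh-sha2-nistp256")  # the fix
```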