Running the O-Node against physical Cisco gear, devices on older IOS are unreachable at key exchange:
[Cisco] SSH handshake failed: Unable to exchange encryption keys (192.168.2.23:22)
IOS 12.2(55)SE (Catalyst 2960/3560) and 12.4(15)T9 (1841) offer only diffie-hellman-group1-sha1 and have no ip ssh dh min size command to raise the group. libssh2 1.11.1's default KEX set excludes group1-sha1, so there's no overlap. Newer IOS (12.4(24)T6, 15.1) offer group14-sha1 and connect + collect fine.
In a 9-device lab, 6/9 were unreachable purely at KEX, independent of auth/driver.
Ask: could the SSH algorithm preference (KEX / host-key / cipher / MAC) be made configurable per-device or globally — e.g. via libssh2_session_method_pref() (LIBSSH2_METHOD_KEX / HOSTKEY / CRYPT_CS …) exposed through a devices.json field or a flag? OpenSSH lets operators opt back into legacy algorithms (KexAlgorithms +diffie-hellman-group1-sha1, HostKeyAlgorithms +ssh-rsa) for brownfield gear they can't reconfigure. group1-sha1 is weak, but for a lot of still-deployed Cisco equipment it's the only option, and right now those devices can't be observed at all. Happy to test a patch against real hardware.
Environment: O-Node @ 604edca, make CISCO=1 FORTIGATE=1 PANOS=1 ASA=1 LINUX=1 (+prod); Ubuntu Server 26.04, gcc 15.2, Go 1.26, libssh2 1.11.1 (libssh2-1t64 1.11.1-1ubuntu0.26.04.1); targets = physical Cisco IOS 12.2(55)SE / 12.4(15)T9 / 12.4(24)T6 / 15.1(2)T1.
Running the O-Node against physical Cisco gear, devices on older IOS are unreachable at key exchange:
IOS 12.2(55)SE (Catalyst 2960/3560) and 12.4(15)T9 (1841) offer only
diffie-hellman-group1-sha1and have noip ssh dh min sizecommand to raise the group. libssh2 1.11.1's default KEX set excludes group1-sha1, so there's no overlap. Newer IOS (12.4(24)T6, 15.1) offergroup14-sha1and connect + collect fine.In a 9-device lab, 6/9 were unreachable purely at KEX, independent of auth/driver.
Ask: could the SSH algorithm preference (KEX / host-key / cipher / MAC) be made configurable per-device or globally — e.g. via
libssh2_session_method_pref()(LIBSSH2_METHOD_KEX/HOSTKEY/CRYPT_CS…) exposed through adevices.jsonfield or a flag? OpenSSH lets operators opt back into legacy algorithms (KexAlgorithms +diffie-hellman-group1-sha1,HostKeyAlgorithms +ssh-rsa) for brownfield gear they can't reconfigure. group1-sha1 is weak, but for a lot of still-deployed Cisco equipment it's the only option, and right now those devices can't be observed at all. Happy to test a patch against real hardware.Environment: O-Node @
604edca,make CISCO=1 FORTIGATE=1 PANOS=1 ASA=1 LINUX=1(+prod); Ubuntu Server 26.04, gcc 15.2, Go 1.26, libssh2 1.11.1 (libssh2-1t641.11.1-1ubuntu0.26.04.1); targets = physical Cisco IOS 12.2(55)SE / 12.4(15)T9 / 12.4(24)T6 / 15.1(2)T1.