Blog Python Scrapli

Scrapli and Legacy Devices - no matching key exchange method found

Rick Donato
Rick Donato
2 min read
Scrapli and Legacy Devices - no matching key exchange method found

A question that I find is asked a lot in the community is:

How do I use Scrapli with legacy devices?

For example, devices (such as IOS-XE) that use the older Ciphers by default. i.e. when connecting to the device, you receive an error such as:

read : b'Unable to negotiate with 172.29.151.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'

What is Scrapli?

For those of you who are new to Scrapli. Scrapli is a Python library that simplifies the process of connecting and sending commands to devices via SSH. In some ways, it is very similar to Netmiko; however, rather than being pinned to use Paramiko as the underlying transport library, Scrapli gives you the flexibility to change the underlying transport library, giving you benefits such as speed and greater SSH config support.

Solution

The solution to working with the older devices within Scrapli is to:

  1. Provide ssh_config_file: True to the Scrapli context manager so that Scrapli reads the SSH config file. Full example below:
from scrapli import Scrapli

device = {
    "host": "172.29.151.4",
    "auth_username": “user”,
    "auth_password": “password”,
    "auth_strict_key": False,
    "platform": "cisco_iosxe",
    "ssh_config_file": True <====== include
}

with Scrapli(**device) as conn:
    response = conn.send_command("show run")

print(response.result)
  1. Add the required KexAlgorithms config to your .ssh/config to tell the SSH library what Ciphers to use. Like so:
$ cat .ssh/config
...
Host leaf2
    Hostname 172.29.151.4
    User lab
    KexAlgorithms +diffie-hellman-group-exchange-sha1 <=== include
    ...

Note:

  • The cipher you add to KexAlgorithms will depend on your device. Feel free to adjust it according to the error message you receive from your device.
  • You may also need to adjust the HostKeyAlgorithms within your SSH configuration. The exact configuration necessary will again depend on both the device you are attempting to connect to and the specific error messages returned.

That's all from us. I hope this helps you should you face issues around Scrapli and legacy devices.

Happy automating!

You might also like

Subscribe to our newsletter and stay updated.

Don't miss anything. Get all the latest posts delivered straight to your inbox.
Great! Check your inbox and click the link to confirm your subscription.
Error! Please enter a valid email address!