
SSH key exchange error when using netconf-console2 (py tool) login #1701

Open
guangjung opened this issue Feb 16, 2025 · 3 comments
Labels
is:question Issue is actually a question.

Comments

@guangjung

guangjung commented Feb 16, 2025

Server Env: netopeer2 (v2.2.8) + libyang (v3.1.0) + libnetconf2 (v3.3.3) + sysrepo (v2.10.1) + libssh (0.10.6)

Client Env: netconf-console2 (v3.0.0) + ncclient (v0.6.7) + paramiko (v2.6.0)

With /usr/local/bin/netopeer2-cli, login with the account (admin/welcome) is OK. But login with netconf-console2 fails, the netopeer2-server log has the following error info, and the same netconf-console2 works on the old netopeer2 (v2.1.36) + libnetconf2 (v2.1.18).
Why, and how should the code be modified to make netconf-console2 work? Looking forward to your reply, thanks.

Error log of netconf-console2:
$ netconf-console2 --host=172.16.166.228 --user=admin --password=welcome --port=830 get-oc-platform-all.xml
Exception: Incompatible ssh peer (no acceptable host key)
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2127, in run
self._handler_table[ptype](self, m)
File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2242, in _negotiate_keys
self._parse_kex_init(m)
File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2482, in _parse_kex_init
raise SSHException(
paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable host key)

Error log of netopeer2-server (using -d -v 2):
[INF]: LN: Accepted a connection on 0.0.0.0:830 from 172.16.161.114:36360.
[2021/01/06 02:19:09.253695, 1] ssh_kex_select_methods: kex error : no match for method server host key algo: server [rsa-sha2-512,rsa-sha2-256], client [ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss]
[ERR]: LN: SSH key exchange error (kex error : no match for method server host key algo: server [rsa-sha2-512,rsa-sha2-256], client [ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss]).

Some other info:
// login ok
sh-5.2# /usr/local/bin/netopeer2-cli
load_config: No saved configuration.

connect --ssh --host localhost --port 830 --login admin
admin@localhost password:

// Netconf key configuration:
ietf-keystore-startup.xml is generated from merge_hostkey.sh script
ietf-netconf-server-startup.xml refers to ietf-netconf-server-startup.xml.txt

@michalvasko
Member

By default, the server uses an RSA host key, which the client does not support (only the most basic non-secure RSA version). Either change netopeer2 configuration to use an ECDSA host key or change your client configuration to accept the server host key algorithm, there is no other solution.

@michalvasko michalvasko added the is:question Issue is actually a question. label Feb 17, 2025
@guangjung
Author

guangjung commented Feb 19, 2025

By default, the server uses an RSA host key, which the client does not support (only the most basic non-secure RSA version). Either change netopeer2 configuration to use an ECDSA host key or change your client configuration to accept the server host key algorithm, there is no other solution.

Thank you for your reply.

  1. I upgraded client (netconf-console2(v3.0.1) + paramiko(v3.5.1)), netconf-console2 may work.

  2. If I use an RSA host key, how do I modify the netopeer2 code or configuration (e.g. libssh or /etc/ssh/libssh_server_config) to make the old netconf-console2 work?

@michalvasko
Member

michalvasko commented Feb 19, 2025

You can explicitly set supported host key algorithms in the YANG configuration, the nodes (printed by yanglint tree printer):

module: ietf-netconf-server
  +--rw netconf-server {central-netconf-server-supported}?
     +--rw listen! {ssh-listen or tls-listen}?
        +--rw endpoints
           +--rw endpoint* [name]
              +--rw (transport)
                 +--:(ssh) {ssh-listen}?
                    +--rw ssh
                       +--rw ssh-server-parameters
                          +--rw transport-params {sshcmn:transport-params}?
                             +--rw host-key
                                +--rw host-key-alg*   identityref

The algorithms are defined in iana-ssh-public-key-algs.

But it is strange that you have only 2 algorithms enabled, which is definitely not the default configuration, so probably the sshd config file is used (by libssh), which you can also modify. It should be /etc/ssh/sshd_config.
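An added example, not code from this issue or from the netopeer2 project, covering both replies above: it parses the libssh mismatch line from the server log, shows that client and server share no host key signature algorithm even though both offer RSA (the client only advertises the SHA-1 ssh-rsa form, the server only rsa-sha2-*), flags the SHA-1 variants, and builds the ietf-netconf-server XML along the yanglint tree path to pin host-key-alg explicitly. The YANG namespaces, the sshpka prefix, the identity names and the endpoint name are assumptions, not taken from the issue.

```python
import re
import xml.etree.ElementTree as ET

# YANG namespaces, assumed from the IETF modules (the issue does not quote them).
NS_NCS = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"
NS_PKA = "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs"
# Constructed sample input: the libssh kex error line from the netopeer2-server log above.
KEX_ERROR_LINE = (
    "ssh_kex_select_methods: kex error : no match for method server host key algo: "
    "server [rsa-sha2-512,rsa-sha2-256], client [ssh-ed25519,ecdsa-sha2-nistp256,"
    "ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss]"
)
# SHA-1 based host key signature algorithms: a match on these connects, but is weak.
LEGACY_ALGS = {"ssh-rsa", "ssh-dss"}

def parse_kex_error(line):
    """Split a libssh 'no match for method' line into (server_algs, client_algs)."""
    m = re.search(r"server \[([^\]]*)\], client \[([^\]]*)\]", line)
    if m is None:
        raise ValueError("not a libssh kex mismatch line")
    return m.group(1).split(","), m.group(2).split(",")

def common_host_key_algs(server_algs, client_algs):
    """Algorithms both sides offer, in client preference order; [] is the failure above."""
    return [a for a in client_algs if a in server_algs]

def weak_algs(algs):
    """Subset of algs giving only SHA-1 signatures (the 'non-secure' RSA variant)."""
    return sorted(set(algs) & LEGACY_ALGS)

def host_key_alg_config(endpoint_name, algs):
    """Build ietf-netconf-server XML pinning host-key-alg on one SSH endpoint."""
    # Path follows the yanglint tree in the comment; identity names are assumed to
    # equal the IANA algorithm names in iana-ssh-public-key-algs (prefix sshpka).
    ET.register_namespace("", NS_NCS)
    root = ET.Element(f"{{{NS_NCS}}}netconf-server", {"xmlns:sshpka": NS_PKA})
    node = root
    for tag in ("listen", "endpoints", "endpoint"):
        node = ET.SubElement(node, f"{{{NS_NCS}}}{tag}")
    ET.SubElement(node, f"{{{NS_NCS}}}name").text = endpoint_name
    for tag in ("ssh", "ssh-server-parameters", "transport-params", "host-key"):
        node = ET.SubElement(node, f"{{{NS_NCS}}}{tag}")
    for alg in algs:
        ET.SubElement(node, f"{{{NS_NCS}}}host-key-alg").text = f"sshpka:{alg}"
    return ET.tostring(root, encoding="unicode")

def configured_algs(xml_text):
    """Read the host-key-alg values (prefix stripped) back out of generated/saved XML."""
    root = ET.fromstring(xml_text)
    return [e.text.split(":")[-1] for e in root.iter(f"{{{NS_NCS}}}host-key-alg")]
```

Running `weak_algs` over the list you intend to pin tells you whether the fix for an old client is the ECDSA/ED25519 route the maintainer suggests or a SHA-1 fallback.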
