Frequently Asked Question

Cisco NSO

How to access NSO CLI

To access NSO CLI, connect to the Prelude Foundation host, got to the /opt/prelude folder (or your installation folder).

Run:

docker compose exec -it nso ncs_cli -u admin

NSO is complaining about "no matching host key found"

With some legacy routers NSO might end up with the following failure:

Oct 30 10:14:48.406 UTC: SSHD_[65944]: %SECURITY-SSHD-6-INFO_GENERAL : 
no matching hostkey found: 
client ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256 
server ssh-dss

The server (ie the legacy router) proposal is ssh-dss only.

However the client (NSO) does not support ssh-dss since it is deprecated.

Simple fix: allow NSO to negotiate ssh-dss with that specific device.

You can do so with that simple CLI:

set devices device <device-id> ssh-algorithms public-key [ ssh-dss ]

NSO is complaining about "Could not verify host key with fingerprint"

This message means that the device’s SSH host key has changed. This can happen during upgrades, or due to a manual SSH key regeneration on the device. But it can also be that you are trying to connect on the wrong device.

To get the new key in NSO, the command is

request devices device <device-id> ssh fetch-host-keys

To get the NSO device-id, check the device settings page in Prelude OneBoard.