Inspec SSH fails to connect to server with KEX error #6660

Open
reallyseaneverson opened this issue Sep 19, 2023 · 1 comment · Fixed by #6989

Comments

@reallyseaneverson

When using inspec to ssh to an AKS node on Azure I am seeing an error:

Transport error, can't connect to 'ssh' backend: SSH command failed (could not settle on kex algorithm

Server kex preferences: curve25519-sha256@libssh.org
Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1)

The target server is hardened to only support the curve25519 for key exchange. I am able to ssh to the box with both the ssh client binary and also with a Net::SSH test script:

require 'net/ssh'

ssh = Net::SSH.start(
	"10.10.10.10",
	"admin",
	:password => "123",
	:port => "22"
	)
output = ssh.exec!("pwd")
puts output
ssh.close

Outputs: /home/admin

Debug:
I, [2023-09-19T22:17:48.950397 #478643]  INFO -- net.ssh.transport.algorithms[258]: got KEXINIT from server
I, [2023-09-19T22:17:48.950451 #478643]  INFO -- net.ssh.transport.algorithms[258]: negotiating algorithms
D, [2023-09-19T22:17:48.950512 #478643] DEBUG -- net.ssh.transport.algorithms[258]: negotiated:
* kex: curve25519-sha256@libssh.org
* host_key: ssh-ed25519
* encryption_server: chacha20-poly1305@openssh.com
* encryption_client: chacha20-poly1305@openssh.com
* hmac_client: hmac-sha2-512-etm@openssh.com
* hmac_server: hmac-sha2-512-etm@openssh.com

Net::SSH is working properly and will negotiate the proper KEX, but I cannot connect to this system with inspec; it appears to be using a different set of algos.

I tried to set the ssh config file for my host to use the right KEX algo, but the settings there appear to be ignored.

Any suggestions for how to configure inspec to use the proper kex or to debug this further?

Inspec version: 5.22.3
Net-ssh 7.2.0

Thanks!

@ahasunos
Contributor

@reallyseaneverson How are you using InSpec here? Is it installed as standalone omnibus installer or via gem or other?
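
Added example (not part of the issue thread and not InSpec or Net::SSH code): a small Ruby diagnostic that parses the "could not settle on kex algorithm" text from the report and applies the SSH selection rule from RFC 4253 section 7.1 to show which server algorithm the failing client never offered. The helper names `kex_preferences`, `negotiate_kex` and `diagnose` are hypothetical.

```ruby
# Error text copied from the report above, wrapped across lines for readability.
KEX_ERROR = <<~MSG
  SSH command failed (could not settle on kex algorithm
  Server kex preferences: curve25519-sha256@libssh.org
  Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1)
MSG

# Extract one side's comma-separated preference list from the error text.
def kex_preferences(message, side)
  line = message[/^\s*#{side} kex preferences:\s*(.+)$/i, 1]
  raise ArgumentError, "no #{side} kex preferences in message" unless line

  # The client line ends with the closing parenthesis of the error message.
  line.delete(")").split(",").map(&:strip).reject(&:empty?)
end

# RFC 4253 section 7.1: the chosen kex algorithm is the first one on the
# client's list that the server also lists. nil means negotiation fails.
def negotiate_kex(client, server)
  client.find { |alg| server.include?(alg) }
end

# Report the negotiation outcome and what the server requires that the
# client did not offer. extra_client_kex models a client that additionally
# offers the given algorithms, placed first in its preference order.
def diagnose(message, extra_client_kex: [])
  server = kex_preferences(message, "Server")
  client = extra_client_kex + kex_preferences(message, "Client")
  {
    negotiated: negotiate_kex(client, server),
    missing_from_client: server - client
  }
end

if __FILE__ == $PROGRAM_NAME
  before = diagnose(KEX_ERROR)
  puts "negotiated: #{before[:negotiated].inspect}"
  puts "server requires, client lacks: #{before[:missing_from_client].join(', ')}"

  after = diagnose(KEX_ERROR, extra_client_kex: before[:missing_from_client])
  puts "with those offered by the client: #{after[:negotiated]}"
end
```

The output points at the client side: the hardened server's single algorithm is absent from the list the InSpec process offered, so the place to look is the SSH library and optional gems loaded in that process rather than the server's KEX policy.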
