Python eaps_checker script: problems connecting via Paramiko SSH

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)
Hi @all, my first post here!


I'm trying to use python to gather different information from different switches, which is why I started with the eaps_checker script posted on github, to connect to switches and execute commands there. I also did tests, using exactly this script. It allows to connect either via telnet or via SSH using paramiko library.

While connecting with telnet worked for both, the original eaps_checker and my own script, as long as we had telnet enabled, I now need to use SSH for connecting, as telnet was disabled for security reasons.

Unfortunately connecting via SSH does neither work with the original eaps_checker nor with my own script (which does basically exactly the same). Trying to use OpenSSH manually I get errors like


no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

which is not nice, but as I think now, not really the root cause.

The error for eaps_checker.py and my script looks like this:

python2 ~/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py -f Alle_IPs.txt -u admin -p XXXXX --ssh 

[Eaps checker version 1.01]


[+] Checking switch: 10.4.0.10
Traceback (most recent call last):
  File "/home/patrick/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py", line 365, in 
    main()
  File "/home/patrick/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py", line 331, in main
    MySess = SSH2EXOS(switch,args.user,args.password)
  File "/home/patrick/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py", line 80, in __init__
    self.client.connect(switch,username=user,password=password)
  File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 380, in connect
    look_for_keys, gss_auth, gss_kex, gss_deleg_creds, gss_host)
  File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 597, in _auth
    raise saved_exception
paramiko.ssh_exception.AuthenticationException: Authentication failed.

Unfortunately I'm not really a huge python expert, so my skills in debugging the problem myself might not be the best. So my hope is, somebody here also ran into this or a similar problem, while trying to use paramiko library for connecting with SSH to an XOS switch.

Used ExtremeXOS version is 15.6.4.2 v1564b2-patch1-3
Photo of Patrick Hanft

Patrick Hanft

  • 162 Points 100 badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,532 Points 10k badge 2x thumb
Hi,

I believe you already found the issue. The ssh library is certainly using a recent version of openssh and on that EXOS release the ssh server uses a legacy method which is not used by default anymore: http://www.openssh.com/legacy.html

Running 21.1+ you should not have an issue as the ssh server has been upgraded.

So you might need something like that to ssh:

ssh admin@X -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss

Photo of Patrick Hanft

Patrick Hanft

  • 162 Points 100 badge 2x thumb
Hi Stephane,

thank you for your reply!

Actually I did not have the impression, that the paramiko library uses openssh for connecting, but I can not judge that.

What I did not mention but already tried, was adding this to my .ssh/config:

Host 10.*
    KexAlgorithms=+diffie-hellman-group1-sha1
    HostkeyAlgorithms ssh-dss

which I assume should handle this issue – if it was the root cause and paramiko uses openssh which should be aware of this setting. Unfortunately this did not help.

On the other hand: unfortunately most switches concerned are not of a -G2 series (and we are right in the middle of a critical project phase where changing the major EXOS release would not be the best idea, we think ;-) ), which means I can not test against EXOS 21.1+ (well, I might try on a VM setup next week).

So, I am wondering: anyone here who can reproduce issues with eaps_checker and ssh? Or even could confirm that these issues are fixed with EXOS 21.1+ – or, of course, that there are no such issues with an older version of openssh or paramiko respectively?

Thanks again and best regards!
(Edited)
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,532 Points 10k badge 2x thumb
Looking at Paramiko web page, you're certainly right this is not using openssh.
You have an authentication failure in your error message:

File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 597, in _auth
    raise saved_exception
paramiko.ssh_exception.AuthenticationException: Authentication failed.

So, this must be related to a bad algorithm (that's my guess). Paramiko library must have some options to use a given algorithm.

googled it a bit:
https://github.com/paramiko/paramiko/issues/391
Photo of Patrick Hanft

Patrick Hanft

  • 162 Points 100 badge 2x thumb
Thanks for googleing, somehow I missed that, although I had been on this page.

Using
look_for_keys=False

really got me further! But still I had issues with authentication, which seems to be related to keyboard-interactive mode but I did not figure out, what might be the exact issue here.

What did solve the problem for me for now, was to downgrade from paramiko version 2.0 to 1.16, which now works fine! I will have a closer look and try to file a paramiko bug. So maybe this is of some use for someone else.

Thanks again!
Patrick
(Edited)
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,532 Points 10k badge 2x thumb
If you can verify that it works with 21.1 (with look_for_key=False), 16.2 should also have the ssh server upgrade.
Photo of Patrick Hanft

Patrick Hanft

  • 162 Points 100 badge 2x thumb
Oh, I did test against 15.6.4.2 and got it working, using look_for_key=False and paramiko 1.16. Maybe paramiko 2.0 will not have issues with the new ssh server, but I will test that eventually later. But thanks for mentioning, that also 16.2 will also get the ssh server upgrade!

BTW, there's no way for me to add a "solved" or "answered" to this thread, is there? ;-)
Patrick
Photo of Ryan Mathews

Ryan Mathews, Alum

  • 8,988 Points 5k badge 2x thumb
Great to see you get a resolution Patrick and thanks for joining the Hub Community.

Our Community Manager, Drew Claybrook, does a great job marking the various threads solved or answered.

By simply coming back to the thread to confirm you're good to go helps Drew a great deal.

We very much appreciate your trust in Extreme Networks.  Thanks again!
(Edited)
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,502 Points 10k badge 2x thumb
hey! this one, I did it. Took me a while to figure it out :)
Photo of Ryan Mathews

Ryan Mathews, Alum

  • 8,988 Points 5k badge 2x thumb
Even better!  Thanks Stephane.
Photo of Patrick Hanft

Patrick Hanft

  • 162 Points 100 badge 2x thumb
So, I just did a test with EXOS 21.1.1.4 and paramiko 2.0 and this also worked without problems. As paramiko says to not being able to support and test against other SSH implementations than OpenSSH and as you said 21+ and 16.2+ switch to OpenSSH, I will spare the effort to file a bug.

To everyone who stumbles across this: just keep in mind, if you want to use paramiko against EXOS 16.1 or below, to use paramiko < 2.0.
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,502 Points 10k badge 2x thumb
Thanks for testing. did you set "look_for_keys=False"?
Photo of Patrick Hanft

Patrick Hanft

  • 162 Points 100 badge 2x thumb
Works with and without. Maybe paramiko 2.0 is more intelligent about if a key is applicable or not.
(Edited)