Header Only - DO NOT REMOVE - Extreme Networks

Python eaps_checker script: problems connecting via Paramiko SSH


Hi@all, my first post here!

I'm trying to use python to gather different information from different switches, which is why I started with the eaps_checker script posted on github, to connect to switches and execute commands there. I also did tests, using exactly this script. It allows to connect either via telnet or via SSH using paramiko library.

While connecting with telnet worked for both, the original eaps_checker and my own script, as long as we had telnet enabled, I now need to use SSH for connecting, as telnet was disabled for security reasons.

Unfortunately connecting via SSH does neither work with the original eaps_checker nor with my own script (which does basically exactly the same). Trying to use OpenSSH manually I get errors like

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1[/code]
which is not nice, but as I think now, not really the root cause.

The error for eaps_checker.py and my script looks like this:

python2 ~/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py -f Alle_IPs.txt -u admin -p XXXXX --ssh [Eaps checker version 1.01] [+] Checking switch: 10.4.0.10 Traceback (most recent call last): File "/home/patrick/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py", line 365, in main() File "/home/patrick/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py", line 331, in main MySess = SSH2EXOS(switch,args.user,args.password) File "/home/patrick/workspace/github/ExtremeScripting/EXOS/Python/eaps_checker/check_eaps.py", line 80, in __init__ self.client.connect(switch,username=user,password=password) File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 380, in connect look_for_keys, gss_auth, gss_kex, gss_deleg_creds, gss_host) File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 597, in _auth raise saved_exception paramiko.ssh_exception.AuthenticationException: Authentication failed. [/code]
Unfortunately I'm not really a huge python expert, so my skills in debugging the problem myself might not be the best. So my hope is, somebody here also ran into this or a similar problem, while trying to use paramiko library for connecting with SSH to an XOS switch.

Used ExtremeXOS version is 15.6.4.2 v1564b2-patch1-3

12 replies

Userlevel 7
Hi,

I believe you already found the issue. The ssh library is certainly using a recent version of openssh and on that EXOS release the ssh server uses a legacy method which is not used by default anymore: http://www.openssh.com/legacy.html

Running 21.1+ you should not have an issue as the ssh server has been upgraded.

So you might need something like that to ssh:

ssh admin@X -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss

[/code]
Hi Stephane,

thank you for your reply!

Actually I did not have the impression, that the paramiko library uses openssh for connecting, but I can not judge that.

What I did not mention but already tried, was adding this to my .ssh/config:

Host 10.*
KexAlgorithms=+diffie-hellman-group1-sha1
HostkeyAlgorithms ssh-dss[/code]
which I assume should handle this issue – if it was the root cause and paramiko uses openssh which should be aware of this setting. Unfortunately this did not help.

On the other hand: unfortunately most switches concerned are not of a -G2 series (and we are right in the middle of a critical project phase where changing the major EXOS release would not be the best idea, we think 😉 ), which means I can not test against EXOS 21.1+ (well, I might try on a VM setup next week).

So, I am wondering: anyone here who can reproduce issues with eaps_checker and ssh? Or even could confirm that these issues are fixed with EXOS 21.1+ – or, of course, that there are no such issues with an older version of openssh or paramiko respectively?

Thanks again and best regards!
Userlevel 7
Looking at Paramiko web page, you're certainly right this is not using openssh.
You have an authentication failure in your error message:

File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 597, in _auth raise saved_exception paramiko.ssh_exception.AuthenticationException: Authentication failed.[/code]
So, this must be related to a bad algorithm (that's my guess). Paramiko library must have some options to use a given algorithm.

googled it a bit:
https://github.com/paramiko/paramiko/issues/391
Thanks for googleing, somehow I missed that, although I had been on this page.

Using
look_for_keys=False[/code]
really got me further! But still I had issues with authentication, which seems to be related to keyboard-interactive mode but I did not figure out, what might be the exact issue here.

What did solve the problem for me for now, was to downgrade from paramiko version 2.0 to 1.16, which now works fine! I will have a closer look and try to file a paramiko bug. So maybe this is of some use for someone else.

Thanks again!
Patrick
Userlevel 7
If you can verify that it works with 21.1 (with look_for_key=False), 16.2 should also have the ssh server upgrade.
Oh, I did test against 15.6.4.2 and got it working, using look_for_key=False and paramiko 1.16. Maybe paramiko 2.0 will not have issues with the new ssh server, but I will test that eventually later. But thanks for mentioning, that also 16.2 will also get the ssh server upgrade!

BTW, there's no way for me to add a "solved" or "answered" to this thread, is there? 😉
Patrick
Userlevel 6
Patrick Hanft wrote:

Oh, I did test against 15.6.4.2 and got it working, using look_for_key=False and paramiko 1.16. Maybe paramiko 2.0 will not have issues with the new ssh server, but I will test that eventually later. But thanks for mentioning, that also 16.2 will also get the ssh server upgrade!

BTW, there's no way for me to add a "solved" or "answered" to this thread, is there? 😉
Patrick

Great to see you get a resolution Patrick and thanks for joining the Hub Community.

Our Community Manager, Drew Claybrook, does a great job marking the various threads solved or answered.

By simply coming back to the thread to confirm you're good to go helps Drew a great deal.

We very much appreciate your trust in Extreme Networks. Thanks again!
Userlevel 7
Patrick Hanft wrote:

Oh, I did test against 15.6.4.2 and got it working, using look_for_key=False and paramiko 1.16. Maybe paramiko 2.0 will not have issues with the new ssh server, but I will test that eventually later. But thanks for mentioning, that also 16.2 will also get the ssh server upgrade!

BTW, there's no way for me to add a "solved" or "answered" to this thread, is there? 😉
Patrick

hey! this one, I did it. Took me a while to figure it out 🙂
Userlevel 6
Patrick Hanft wrote:

Oh, I did test against 15.6.4.2 and got it working, using look_for_key=False and paramiko 1.16. Maybe paramiko 2.0 will not have issues with the new ssh server, but I will test that eventually later. But thanks for mentioning, that also 16.2 will also get the ssh server upgrade!

BTW, there's no way for me to add a "solved" or "answered" to this thread, is there? 😉
Patrick

Even better! Thanks Stephane.
So, I just did a test with EXOS 21.1.1.4 and paramiko 2.0 and this also worked without problems. As paramiko says to not being able to support and test against other SSH implementations than OpenSSH and as you said 21+ and 16.2+ switch to OpenSSH, I will spare the effort to file a bug.

To everyone who stumbles across this: just keep in mind, if you want to use paramiko against EXOS 16.1 or below, to use paramiko < 2.0.
Userlevel 7
Patrick Hanft wrote:

So, I just did a test with EXOS 21.1.1.4 and paramiko 2.0 and this also worked without problems. As paramiko says to not being able to support and test against other SSH implementations than OpenSSH and as you said 21+ and 16.2+ switch to OpenSSH, I will spare the effort to file a bug.

To everyone who stumbles across this: just keep in mind, if you want to use paramiko against EXOS 16.1 or below, to use paramiko < 2.0.

Thanks for testing. did you set "look_for_keys=False"?
Patrick Hanft wrote:

So, I just did a test with EXOS 21.1.1.4 and paramiko 2.0 and this also worked without problems. As paramiko says to not being able to support and test against other SSH implementations than OpenSSH and as you said 21+ and 16.2+ switch to OpenSSH, I will spare the effort to file a bug.

To everyone who stumbles across this: just keep in mind, if you want to use paramiko against EXOS 16.1 or below, to use paramiko < 2.0.

Works with and without. Maybe paramiko 2.0 is more intelligent about if a key is applicable or not.

Reply