AuthenticationError: Can't use key authentication to older Junos devices due to change in Paramiko #526
Comments
@daemonkeeper, just now ncclient only requires Paramiko >= 1.15.0. In the short term is it practical to select an older version of Paramiko for use with older JunOS devices? For a longer-term solution, maybe a solution around device handlers and the JunOS-specific device handler may be appropriate? For example, we could extend the default device handler callbacks to include one to retrieve parameters to pass to SSH transport creation?
For now I did opt to monkeypatch paramiko.Transport to fall back to the older behavior instead of downgrading paramiko, i.e. I did something like
before instantiating ncclient (I do actually use ncclient through a dependency of py-eznc; I need to file a bug report with them as soon as you have agreed on a proper fix they can adapt to). A callback with the ability to set custom Transport arguments, as you propose, would be fine with me, but making it an SSHSession.connect() argument, maybe by providing two or three meaningful presets, sounds the easiest and in line with existing session customization (e.g. user name, password or keys). Thinking of something like
where the constants would default to some meaningful presets in your session class to pass to paramiko. That also gives you the ability to change the presets as time goes by, as the actual candidate ciphers in those pools are likely to change over the years. My monkeypatched selection would then for example be the "LEGACY" variant, DEFAULT would leave "disabled_algorithms" blank and STRONG reverse it to only use the modern choices.
I have the same problem using ansible with Junos modules which rely on ncclient. It would be really appreciated to have a solution for this problem without monkeypatching ncclient. As I am just a user, I have no idea/suggestion of how best to implement it. Thanks a lot for your work!
Same here... I think @daemonkeeper's solution makes sense, as I don't think it's reasonable to have to pin to Paramiko 2.8.1 (or older), which is already 8 months old and many security fixes have been applied in the meantime. On some systems it's practically impossible to upgrade them in order to have modern SSH, or this fix is pretty straightforward. @daemonkeeper would you mind opening a PR? I can do it otherwise, no worries.
I'm also running into this; any updates on a possible PR with the proposed fix above? Thanks!
@mirceaulinic, @daemonkeeper -- have either of you been looking at a PR for this? I don't want to duplicate effort...
@einarnn I guess it's safe to assume that no effort is duplicated after waiting almost three months.
I got this issue too using the XR DevNet always On, running In my case downgraded Then I got issues with the authentication using the After this, I was able to connect to XR via Netconf
Hi,
ncclient can no longer authenticate using keys to older Junos devices as per paramiko 2.9. This issue might be the same as reported in #518 but that one lacks substantial information.
The issue is found in the changelog of paramiko:
This results in key-based authentication attempts failing:
On the router's end, the log prints
This appears to be the case with oldish/older Junos versions (e.g. here we use 14.1X53-D40.8) which have a quite old SSH daemon. The workaround is to disable "new" algorithms in Paramiko's Transport class. However, in your code you instantiate paramiko.Transport in the SSHSession class without the ability for the ncclient user to override the arguments.
line 299 of transport/ssh.py:
A workaround would be
Arguably you don't want to hardcode this as a crypto upgrade is probably wanted for newer systems, but you may wish to let the ncclient user override this.
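The preset idea from @daemonkeeper's comment (LEGACY / DEFAULT / STRONG) and the Transport monkeypatch workaround from the issue body, written out as one added Python example for this page; it is not ncclient's or paramiko's own code. The preset names, `disabled_algorithms_for` and `patch_transport` are hypothetical helpers. It assumes, as the issue text says, that ncclient constructs `paramiko.Transport(sock)` by looking the class up on the `paramiko` module at call time, so replacing that attribute before the session is created is enough. The algorithm identifiers are the standard SSH names (`rsa-sha2-512`, `rsa-sha2-256`, `ssh-rsa`); hiding the SHA-2 variants is what makes paramiko 2.9 fall back to the SHA-1 `ssh-rsa` signature that the old Junos daemon expects.

```python
"""Preset-driven disabled_algorithms for paramiko.Transport (added example)."""

# RSA signature algorithms that paramiko 2.9 started preferring over ssh-rsa.
RSA_SHA2 = ("rsa-sha2-512", "rsa-sha2-256")

# Hypothetical presets, keyed the way paramiko's disabled_algorithms expects
# (category -> list of algorithm names to leave out of negotiation).
PRESETS = {
    # Let paramiko negotiate everything it supports.
    "DEFAULT": {},
    # Old daemons (the issue's Junos 14.1X53 case) only handle ssh-rsa;
    # hiding the SHA-2 variants makes paramiko fall back to it. This is a
    # downgrade to SHA-1 signatures, so scope it to the hosts that need it.
    "LEGACY": {"pubkeys": list(RSA_SHA2)},
    # Mirror image: refuse the SHA-1 signature algorithm outright.
    "STRONG": {"pubkeys": ["ssh-rsa"]},
}


def disabled_algorithms_for(preset, extra=None):
    """Return a disabled_algorithms dict for `preset`, merged with `extra`.

    Caller-supplied categories are unioned with the preset: an explicit
    argument can disable more algorithms but never re-enables one the
    preset already disabled.
    """
    if preset not in PRESETS:
        raise ValueError(
            "unknown preset %r; choose from %s" % (preset, sorted(PRESETS)))
    merged = {k: list(v) for k, v in PRESETS[preset].items()}
    for category, names in (extra or {}).items():
        bucket = merged.setdefault(category, [])
        for name in names:
            if name not in bucket:
                bucket.append(name)
    return merged


def patch_transport(module, preset):
    """Replace module.Transport with a subclass that injects the preset.

    `module` is normally the imported `paramiko` module; taking it as a
    parameter keeps the function testable without paramiko installed.
    Returns the original class so the caller can undo the patch.
    """
    original = module.Transport

    class PresetTransport(original):
        def __init__(self, *args, **kwargs):
            kwargs["disabled_algorithms"] = disabled_algorithms_for(
                preset, kwargs.get("disabled_algorithms"))
            super().__init__(*args, **kwargs)

    # Keep the public name so tracebacks and repr() still read "Transport".
    PresetTransport.__name__ = original.__name__
    PresetTransport.__qualname__ = original.__qualname__
    module.Transport = PresetTransport
    return original


def unpatch_transport(module, original):
    """Restore the class saved by patch_transport()."""
    module.Transport = original


if __name__ == "__main__":
    # Usage against the real library (needs paramiko and a reachable device):
    #   import paramiko
    #   saved = patch_transport(paramiko, "LEGACY")
    #   try:
    #       ...create the ncclient manager / connect to the old Junos box...
    #   finally:
    #       unpatch_transport(paramiko, saved)
    for name in PRESETS:
        print(name, disabled_algorithms_for(name))
```

Because the patch is process-wide, wrap it in try/finally (as in the usage comment) and apply it only while talking to the legacy device; a newer router in the same playbook would otherwise also be negotiated down to SHA-1 signatures. The subclass approach, rather than a `functools.partial`, keeps `isinstance(t, paramiko.Transport)` checks elsewhere in ncclient working.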