Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSH2 login failed #160

Open
memogharib opened this issue Apr 1, 2018 · 6 comments
Open

SSH2 login failed #160

memogharib opened this issue Apr 1, 2018 · 6 comments

Comments

@memogharib
Copy link

memogharib commented Apr 1, 2018
edited
Loading

import Exscript
from Exscript.protocols import SSH2,Account
device = SSH2(debug=9)
acc = Account("xxxx","xxxxx")
device.connect("HOST1",port=9090)
print device.response
print device.get_remote_version()
print device.get_banner()
print device.is_dummy()
device.login(acc)
print device.response

'''''''''''''''''''' output 👍

generic: Rejecting ssh-rsa host key for HOST1: 5cf53be5446cb97a4941aad09e3b29a8
None
SSH-2.0-OpenSSH_4.3
None
False
generic: Attempting to authenticate xxxx
generic: auth_none failed, supported: [u'publickey', u'password']
generic: Rejecting ssh-rsa host key for HOST1: 5cf53be5446cb97a4941aad09e3b29a8
generic: Authenticating with _paramiko_auth_agent
generic: Authentication with _paramiko_auth_agent failed: auth agent found no keys
generic: Rejecting ssh-rsa host key for HOST1: 5cf53be5446cb97a4941aad09e3b29a8
generic: Authenticating with _paramiko_auth_autokey
generic: Authentication with _paramiko_auth_autokey failed: Failed to authenticate with given username and password/key
generic: Rejecting ssh-rsa host key for HOST1: 5cf53be5446cb97a4941aad09e3b29a8
generic: Authenticating with _paramiko_auth_password
generic: Attempting to app-authenticate tarek.anis.
generic: waiting for: ['[\r\n][^\\r\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)', '(user ?name|user|login): $', u'(?:s\/Key|otp-md5) (\d+) (\S+)(?=\s|[\r\n])', 'password:? $', '[\r\n](?:[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\!\\"\\#\\$\\%\\&\\\'\\(\\)\\*\\+\\,\\-\\.\\/\\:\\;\\<\\=\\>\\?\\@\\[\\\\\\]\\^\\_\\`\\{\\|\\}\\~\\ \\\t\\\n\\\r\\\x0b\\\x0c]*|[\\x1b\\x07\\x00]*)[\\[\\<]?\\w+(?:(?:(?:[\\w+\\-]+)\\@)?(?:[\\w+\\-\\.]+))?:?(?:(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)|~(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)?)?[: ]?(?:(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)|~(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)?)?(?:\\((?:[\\w\\+\\-\\._]+)\\))?[\\]\\-]?[#>%\\$\\]] ?[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\!\\"\\#\\$\\%\\&\\\'\\(\\)\\*\\+\\,\\-\\.\\/\\:\\;\\<\\=\\>\\?\\@\\[\\\\\\]\\^\\_\\`\\{\\|\\}\\~\\ \\\t\\\n\\\r\\\x0b\\\x0c]\Z']
generic: Expecting a prompt
generic: Expected pattern: ["'[\\r\\n][^\\\\r\\\\n](?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)'", "'(user ?name|user|login): *$'", "u'(?:s\\/Key|otp-md5) (\\d+) (\\S+)(?=\\s|[\\r\\n])'", "'password:? $'", ''[\\r\\n](?:[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\\\!\\\\"\\\\#\\\\$\\\\%\\\\&\\\\\\\'\\\\(\\\\)\\\\*\\\\+\\\\,\\\\-\\\\.\\\\/\\\\:\\\\;\\\\<\\\\=\\\\>\\\\?\\\\@\\\\[\\\\\\\\\\\\]\\\\^\\\\_\\\\`\\\\{\\\\|\\\\}\\\\~\\\\ \\\\\\t\\\\\\n\\\\\\r\\\\\\x0b\\\\\\x0c]*|[\\\\x1b\\\\x07\\\\x00]*)[\\\\[\\\\<]?\\\\w+(?:(?:(?:[\\\\w+\\\\-]+)\\\\@)?(?:[\\\\w+\\\\-\\\\.]+))?:?(?:(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)|~(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)?)?[: ]?(?:(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)|~(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)?)?(?:\\\\((?:[\\\\w\\\\+\\\\-\\\\._]+)\\\\))?[\\\\]\\\\-]?[#>%\\\\$\\\\]] ?[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\\\!\\\\"\\\\#\\\\$\\\\%\\\\&\\\\\\\'\\\\(\\\\)\\\\*\\\\+\\\\,\\\\-\\\\.\\\\/\\\\:\\\\;\\\\<\\\\=\\\\>\\\\?\\\\@\\\\[\\\\\\\\\\\\]\\\\^\\\\_\\\\`\\\\{\\\\|\\\\}\\\\~\\\\ \\\\\\t\\\\\\n\\\\\\r\\\\\\x0b\\\\\\x0c]\\Z'']
ericsson_ban: Protocol: driver replaced: generic -> ericsson_ban
ericsson_ban: Protocol.app_authenticate(): driver replaced
ericsson_ban: waiting for: ['Login failed', 'user:', u'(?:s\/Key|otp-md5) (\d+) (\S+)(?=\s|[\r\n])', 'pass:', '[\r\n][\-\w+\.]+(?:\([^\\)]+\))?[%#] ?$|(?:\(y/n\)\[n\])']
ericsson_ban: Expecting a prompt
ericsson_ban: Expected pattern: ["'Login failed'", "'user:'", "u'(?:s\\/Key|otp-md5) (\\d+) (\\S+)(?=\\s|[\\r\\n])'", "'pass:'", "'[\\r\\n][\\-\\w+\\.]+(?:\\([^\\\\)]+\\))?[%#] ?$|(?:\\(y/n\\)\\[n\\])'"]

Traceback (most recent call last):
File "C:/Python27/ssh test.py", line 11, in
device.authenticate(acc)
File "C:\Python27\lib\site-packages\Exscript\protocols\protocol.py", line 699, in authenticate
self.app_authenticate(app_account, flush=flush)
File "C:\Python27\lib\site-packages\Exscript\protocols\protocol.py", line 868, in app_authenticate
self._app_authenticate(account, password, flush, bailout)
File "C:\Python27\lib\site-packages\Exscript\protocols\protocol.py", line 772, in _app_authenticate
raise TimeoutException(msg)
TimeoutException: Buffer: u''

'''''''''''''''' please is there are any solution for it
@derek-shnosh
Copy link

derek-shnosh commented Jul 28, 2018
edited
Loading

EDIT

I'm getting better results when I bypass the multi-auth loop by changing line 283 of ssh2.py to call on auth_password intead of auth_none. This seems like it'll be a sufficient workaround for my current use-case, cisco ZTP.

self.client.auth_none(username)
self.client.auth_password(username, password)

I'm wondering if IOS-XE 16.3.x doesn't like the rapid subsequent connections spawned by the _authentication_reconnect_hack call.

I am having the same issue with IOS-XE version 16.3.6.

SCRIPT

#!/usr/bin/env python

from Exscript.util.start import start
from Exscript import Account, Host
from Exscript.util.file import get_accounts_from_file
from Exscript.util.file import get_hosts_from_file

cred = get_accounts_from_file('/etc/ztp/ref/cred')
switch = get_hosts_from_file('/etc/ztp/ref/host', default_protocol='ssh2')

def post_cfg(job, host, conn):
        conn.execute('conf t')
        conn.execute('no vstack')
        conn.execute('no ip http ser')
        conn.execute('no ip http secure-s')
        conn.execute('no ip http authen')
        conn.execute('end')
        conn.execute('write mem')
        conn.send('exit\r')

with open('/etc/ztp/ref/post_cfg.log', "w+") as fp:
        start(cred, switch, post_cfg, stdout=fp)

I can execute the script fine once, but if I do it again shortly after, I get the following;

10.18.64.5 error: Buffer: u''
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Exscript/workqueue/job.py", line 78, in run
    self.function(self)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/queue.py", line 102, in _wrapped
    result = func(job, host, conn, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/util/decorator.py", line 117, in decorated
    conn.login(flush=flush)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 674, in login
    self.authenticate(account, flush=False)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 699, in authenticate
    self.app_authenticate(app_account, flush=flush)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 868, in app_authenticate
    self._app_authenticate(account, password, flush, bailout)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 772, in _app_authenticate
    raise TimeoutException(msg)
TimeoutException: Buffer: u''

But from the switch I can see the SSH session establish, here is a log from a successful pass, and then a fail;

Switch log from first run, SUCCESS

*Jul 27 2018 17:22:59.879 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:23:00.428 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:23:00.765 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:23:01.117 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 4) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:23:01.329 PDT: %SSH-5-SSH2_USERAUTH: User 'provision' authentication for SSH2 Session from 10.19.128.202 (tty = 4) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:23:01.375 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:provision  logged command:!exec: enable
*Jul 27 2018 17:23:01.428 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:provision  logged command:no vstack 
*Jul 27 2018 17:23:01.497 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:provision  logged command:no ip http server 
*Jul 27 2018 17:23:01.554 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:provision  logged command:no ip http secure-server 
*Jul 27 2018 17:23:01.613 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:provision  logged command:no ip http authentication 
*Jul 27 2018 17:23:01.727 PDT: %SYS-5-CONFIG_I: Configured from console by provision on vty4 (10.19.128.202)
*Jul 27 2018 17:23:03.593 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 4) for user 'provision' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
*Jul 27 2018 17:23:03.679 PDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.19.128.202 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Jul 27 2018 17:23:03.680 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
*Jul 27 2018 17:23:03.779 PDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.19.128.202 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Jul 27 2018 17:23:03.780 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 3) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
*Jul 27 2018 17:23:03.833 PDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.19.128.202 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Jul 27 2018 17:23:03.833 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 2) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed

Switch log from subsequent run, FAIL
Note: I ran a who command while waiting for the script to fail and close the connection to show that the user was authenticated.

*Jul 27 2018 17:24:07.343 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:24:07.914 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:24:08.263 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:24:08.809 PDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.19.128.202 (tty = 4) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
*Jul 27 2018 17:24:09.020 PDT: %SSH-5-SSH2_USERAUTH: User 'provision' authentication for SSH2 Session from 10.19.128.202 (tty = 4) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
switch#who
    Line       User       Host(s)              Idle       Location
*  2 vty 0     admin      idle                 00:00:00 10.19.1.109
   3 vty 1     provision    idle                 00:00:22 10.19.128.202
   4 vty 2                idle                 00:00:21 10.19.128.202
   5 vty 3                idle                 00:00:20 10.19.128.202
   6 vty 4     provision    idle                 00:00:20 10.19.128.202

  Interface    User               Mode         Idle     Peer Address
*Jul 27 2018 17:24:39.156 PDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.19.128.202 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Jul 27 2018 17:24:39.156 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
*Jul 27 2018 17:24:39.256 PDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.19.128.202 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Jul 27 2018 17:24:39.256 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 3) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
*Jul 27 2018 17:24:39.292 PDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.19.128.202 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Jul 27 2018 17:24:39.292 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 2) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
*Jul 27 2018 17:24:39.292 PDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.19.128.202 (tty = 4) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed

I created a new script to get debug output, logs from switch are identical as they were from the original script;

Debug Script

#!/usr/bin/env python

from Exscript import Account
from Exscript.protocols import SSH2

cred = Account("provision","******")
conn = SSH2(debug=9)
conn.connect('10.18.64.5')
print conn.response
print conn.get_remote_version()
print conn.get_banner()
print conn.is_dummy()
conn.login(cred)
print conn.response  

conn.execute('conf t')
conn.execute('no vstack')
conn.execute('no ip http ser')
conn.execute('no ip http secure-s')
conn.execute('no ip http authen')
conn.execute('end')
conn.execute('wr mem')
conn.send('exit\r')
conn.close()

First pass, Success

generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
None
SSH-2.0-Cisco-1.25
None
False
generic: Attempting to authenticate provision.
generic: auth_none failed, supported: [u'publickey', u'keyboard-interactive', u'password']
generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
generic: Authenticating with _paramiko_auth_agent
generic: Authentication with _paramiko_auth_agent failed: auth agent found no keys
generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
generic: Authenticating with _paramiko_auth_autokey
generic: Authentication with _paramiko_auth_autokey failed: Failed to authenticate with given username and password/key
generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
generic: Authenticating with _paramiko_auth_interactive
generic: Attempting to app-authenticate provision.
generic: waiting for: ['[\\r\\n][^\\r\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)', '(user ?name|user|login): *$', u'(?:s\\/key|otp-md4) (\\d+) (\\S+)(?=\\s|[\\r\\n])', 'password:? *$', '[\\r\\n](?:[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\!\\"\\#\\$\\%\\&\\\'\\(\\)\\*\\+\\,\\-\\.\\/\\:\\;\\<\\=\\>\\?\\@\\[\\\\\\]\\^\\_\\`\\{\\|\\}\\~\\ \\\t\\\n\\\r\\\x0b\\\x0c]*|[\\x1b\\x07\\x00]*)[\\[\\<]?\\w+(?:(?:(?:[\\w+\\-]+)\\@)?(?:[\\w+\\-\\.]+))?:?(?:(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)|~(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)?)?[: ]?(?:(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)|~(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)?)?(?:\\((?:[\\w\\+\\-\\._]+)\\))?[\\]\\-]?[#>%\\$\\]] ?[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\!\\"\\#\\$\\%\\&\\\'\\(\\)\\*\\+\\,\\-\\.\\/\\:\\;\\<\\=\\>\\?\\@\\[\\\\\\]\\^\\_\\`\\{\\|\\}\\~\\ \\\t\\\n\\\r\\\x0b\\\x0c]*\\Z']
generic: Expecting a prompt
generic: Expected pattern: ["'[\\\\r\\\\n][^\\\\r\\\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)'", "'(user ?name|user|login): *$'", "u'(?:s\\\\/key|otp-md4) (\\\\d+) (\\\\S+)(?=\\\\s|[\\\\r\\\\n])'", "'password:? *$'", '\'[\\\\r\\\\n](?:[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\\\!\\\\"\\\\#\\\\$\\\\%\\\\&\\\\\\\'\\\\(\\\\)\\\\*\\\\+\\\\,\\\\-\\\\.\\\\/\\\\:\\\\;\\\\<\\\\=\\\\>\\\\?\\\\@\\\\[\\\\\\\\\\\\]\\\\^\\\\_\\\\`\\\\{\\\\|\\\\}\\\\~\\\\ \\\\\\t\\\\\\n\\\\\\r\\\\\\x0b\\\\\\x0c]*|[\\\\x1b\\\\x07\\\\x00]*)[\\\\[\\\\<]?\\\\w+(?:(?:(?:[\\\\w+\\\\-]+)\\\\@)?(?:[\\\\w+\\\\-\\\\.]+))?:?(?:(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)|~(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)?)?[: ]?(?:(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)|~(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)?)?(?:\\\\((?:[\\\\w\\\\+\\\\-\\\\._]+)\\\\))?[\\\\]\\\\-]?[#>%\\\\$\\\\]] ?[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\\\!\\\\"\\\\#\\\\$\\\\%\\\\&\\\\\\\'\\\\(\\\\)\\\\*\\\\+\\\\,\\\\-\\\\.\\\\/\\\\:\\\\;\\\\<\\\\=\\\\>\\\\?\\\\@\\\\[\\\\\\\\\\\\]\\\\^\\\\_\\\\`\\\\{\\\\|\\\\}\\\\~\\\\ \\\\\\t\\\\\\n\\\\\\r\\\\\\x0b\\\\\\x0c]*\\\\Z\'']
ios: Protocol: driver replaced: generic -> ios
ios: Protocol.app_authenticate(): driver replaced
ios: waiting for: ['[\\r\\n][^\\r\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)', 'user ?name: ?$', u'(?:s\\/key|otp-md4) (\\d+) (\\S+)(?=\\s|[\\r\\n])', '(?:[\\r\\n][Pp]assword: ?|last resort password:)$', '[\\r\\n][\\-\\w+\\.:/]+(?:\\([^\\)]+\\))?[>#] ?$']
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][^\\\\r\\\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)'", "'user ?name: ?$'", "u'(?:s\\\\/key|otp-md4) (\\\\d+) (\\\\S+)(?=\\\\s|[\\\\r\\\\n])'", "'(?:[\\\\r\\\\n][Pp]assword: ?|last resort password:)$'", "'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Shell prompt received.
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'\r' for errors
ios: Calling driver.auto_authorize().
ios: Sending 'enable\r'
ios: Attempting to app-authorize provision.
ios: waiting for: ['[\\r\\n][^\\r\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)', 'user ?name: ?$', u'(?:s\\/key|otp-md4) (\\d+) (\\S+)(?=\\s|[\\r\\n])', '(?:[\\r\\n][Pp]assword: ?|last resort password:)$', '[\\r\\n][\\-\\w+\\.:/]+(?:\\([^\\)]+\\))?[>#] ?$']
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][^\\\\r\\\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)'", "'user ?name: ?$'", "u'(?:s\\\\/key|otp-md4) (\\\\d+) (\\\\S+)(?=\\\\s|[\\\\r\\\\n])'", "'(?:[\\\\r\\\\n][Pp]assword: ?|last resort password:)$'", "'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Shell prompt received.
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'enable\r' for errors
enable
ios: Sending u'conf t\r'
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'conf t\r\nEnter configuration commands, one per line.  End with CNTL/Z.\r' for errors
ios: Sending u'no vstack\r'
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'no vstack\r' for errors
ios: Sending u'no ip http ser\r'
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'no ip http ser\r' for errors
ios: Sending u'no ip http secure-s\r'
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'no ip http secure-s\r' for errors
ios: Sending u'no ip http authen\r'
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'no ip http authen\r' for errors
ios: Sending u'end\r'
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'end\r' for errors
ios: Sending u'wr mem\r'
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
ios: Checking u'wr mem\r\nBuilding configuration...\r\n[OK]\r' for errors
ios: Sending 'exit\r'

Second pass, FAIL

generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
None
SSH-2.0-Cisco-1.25
None
False
generic: Attempting to authenticate provision.
generic: auth_none failed, supported: [u'publickey', u'keyboard-interactive', u'password']
generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
generic: Authenticating with _paramiko_auth_agent
generic: Authentication with _paramiko_auth_agent failed: auth agent found no keys
generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
generic: Authenticating with _paramiko_auth_autokey
generic: Authentication with _paramiko_auth_autokey failed: Failed to authenticate with given username and password/key
generic: Rejecting ssh-rsa host key for 10.18.64.5: 022f60cc74452ea5d2163e1465bd0c2f
generic: Authenticating with _paramiko_auth_interactive
generic: Attempting to app-authenticate provision.
generic: waiting for: ['[\\r\\n][^\\r\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)', '(user ?name|user|login): *$', u'(?:s\\/key|otp-md4) (\\d+) (\\S+)(?=\\s|[\\r\\n])', 'password:? *$', '[\\r\\n](?:[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\!\\"\\#\\$\\%\\&\\\'\\(\\)\\*\\+\\,\\-\\.\\/\\:\\;\\<\\=\\>\\?\\@\\[\\\\\\]\\^\\_\\`\\{\\|\\}\\~\\ \\\t\\\n\\\r\\\x0b\\\x0c]*|[\\x1b\\x07\\x00]*)[\\[\\<]?\\w+(?:(?:(?:[\\w+\\-]+)\\@)?(?:[\\w+\\-\\.]+))?:?(?:(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)|~(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)?)?[: ]?(?:(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)|~(?:(?:(?:[\\w\\+\\-\\._]+))?(?:/(?:[\\w\\+\\-\\._]+))*/?)?)?(?:\\((?:[\\w\\+\\-\\._]+)\\))?[\\]\\-]?[#>%\\$\\]] ?[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\!\\"\\#\\$\\%\\&\\\'\\(\\)\\*\\+\\,\\-\\.\\/\\:\\;\\<\\=\\>\\?\\@\\[\\\\\\]\\^\\_\\`\\{\\|\\}\\~\\ \\\t\\\n\\\r\\\x0b\\\x0c]*\\Z']
generic: Expecting a prompt
generic: Expected pattern: ["'[\\\\r\\\\n][^\\\\r\\\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)'", "'(user ?name|user|login): *$'", "u'(?:s\\\\/key|otp-md4) (\\\\d+) (\\\\S+)(?=\\\\s|[\\\\r\\\\n])'", "'password:? *$'", '\'[\\\\r\\\\n](?:[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\\\!\\\\"\\\\#\\\\$\\\\%\\\\&\\\\\\\'\\\\(\\\\)\\\\*\\\\+\\\\,\\\\-\\\\.\\\\/\\\\:\\\\;\\\\<\\\\=\\\\>\\\\?\\\\@\\\\[\\\\\\\\\\\\]\\\\^\\\\_\\\\`\\\\{\\\\|\\\\}\\\\~\\\\ \\\\\\t\\\\\\n\\\\\\r\\\\\\x0b\\\\\\x0c]*|[\\\\x1b\\\\x07\\\\x00]*)[\\\\[\\\\<]?\\\\w+(?:(?:(?:[\\\\w+\\\\-]+)\\\\@)?(?:[\\\\w+\\\\-\\\\.]+))?:?(?:(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)|~(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)?)?[: ]?(?:(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)|~(?:(?:(?:[\\\\w\\\\+\\\\-\\\\._]+))?(?:/(?:[\\\\w\\\\+\\\\-\\\\._]+))*/?)?)?(?:\\\\((?:[\\\\w\\\\+\\\\-\\\\._]+)\\\\))?[\\\\]\\\\-]?[#>%\\\\$\\\\]] ?[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\\\\!\\\\"\\\\#\\\\$\\\\%\\\\&\\\\\\\'\\\\(\\\\)\\\\*\\\\+\\\\,\\\\-\\\\.\\\\/\\\\:\\\\;\\\\<\\\\=\\\\>\\\\?\\\\@\\\\[\\\\\\\\\\\\]\\\\^\\\\_\\\\`\\\\{\\\\|\\\\}\\\\~\\\\ \\\\\\t\\\\\\n\\\\\\r\\\\\\x0b\\\\\\x0c]*\\\\Z\'']
ios: Protocol: driver replaced: generic -> ios
ios: Protocol.app_authenticate(): driver replaced
ios: waiting for: ['[\\r\\n][^\\r\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)', 'user ?name: ?$', u'(?:s\\/key|otp-md4) (\\d+) (\\S+)(?=\\s|[\\r\\n])', '(?:[\\r\\n][Pp]assword: ?|last resort password:)$', '[\\r\\n][\\-\\w+\\.:/]+(?:\\([^\\)]+\\))?[>#] ?$']
ios: Expecting a prompt
ios: Expected pattern: ["'[\\\\r\\\\n][^\\\\r\\\\n]*(?:bad secrets|denied|invalid|too short|incorrect|connection timed out|failed|failure)'", "'user ?name: ?$'", "u'(?:s\\\\/key|otp-md4) (\\\\d+) (\\\\S+)(?=\\\\s|[\\\\r\\\\n])'", "'(?:[\\\\r\\\\n][Pp]assword: ?|last resort password:)$'", "'[\\\\r\\\\n][\\\\-\\\\w+\\\\.:/]+(?:\\\\([^\\\\)]+\\\\))?[>#] ?$'"]
Traceback (most recent call last):
  File "/root/1test-ssh.sh", line 13, in <module>
    conn.login(cred)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 674, in login
    self.authenticate(account, flush=False)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 699, in authenticate
    self.app_authenticate(app_account, flush=flush)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 868, in app_authenticate
    self._app_authenticate(account, password, flush, bailout)
  File "/usr/local/lib/python2.7/dist-packages/Exscript/protocols/protocol.py", line 772, in _app_authenticate
    raise TimeoutException(msg)
Exscript.protocols.exception.TimeoutException: Buffer: **u''**

@knipknap
Copy link
Owner

This is may no longer apply with the latest version in master, since we essentially disabled the authentication hack. Could you please test again?

Another potential fix is being discussed in pull request #173.

@bigmars86
Copy link
Collaborator

The problem now is, that the generic driver has not enabled the hack enymore. There are some IOS devices which need the hack, but they are recognized as IOS after successful authentication:

generic: Rejecting ssh-rsa host key for <xxxx>: <xxxxxxx>
generic: Attempting to authenticate <xxxxxxx>.
generic: auth_none failed, supported: [u'publickey', u'keyboard-interactive', u'password']
generic: Authenticating with _paramiko_auth_agent
generic: Authentication with _paramiko_auth_agent failed: auth agent found no keys
generic: Authenticating with _paramiko_auth_autokey
generic: Trying key <xxxxxxxxxxxxxxxxxx> in /home/<xxxxxxxx>/.ssh/id_rsa
generic: Authentication with _paramiko_auth_autokey failed: Authentication failed.
generic: Authenticating with _paramiko_auth_interactive
generic: _paramiko_auth_interactive: SSHException: No existing session
generic: Authenticating with _paramiko_auth_password
generic: _paramiko_auth_password: SSHException: No existing session
Traceback (most recent call last):
  File "/usr/local/lib/to/to", line 675, in <module>
    device.get_conn().interact(keymap)
  File "/usr/lib/python2.7/site-packages/Exscript/protocols/ssh2.py", line 449, in interact
    return self._open_shell(self.shell, key_handlers, handle_window_size)
  File "/usr/lib/python2.7/site-packages/Exscript/protocols/protocol.py", line 1230, in _open_shell
    return self._open_posix_shell(channel, key_handlers, handle_window_size)
  File "/usr/lib/python2.7/site-packages/Exscript/protocols/protocol.py", line 1153, in _open_posix_shell
    handle_sigwinch(None, None)
  File "/usr/lib/python2.7/site-packages/Exscript/protocols/protocol.py", line 1151, in handle_sigwinch
    self._set_terminal_size(rows, cols)
  File "/usr/lib/python2.7/site-packages/Exscript/protocols/ssh2.py", line 446, in _set_terminal_size
    self.shell.resize_pty(cols, rows)
AttributeError: 'NoneType' object has no attribute 'resize_pty'

After enabling the hack for the generic driver, everything works:

class GenericDriver(Driver):

    def __init__(self):
        Driver.__init__(self, 'generic')
        self.reconnect_between_auth_methods = True

Now I don't know what should be the default behaviour, but it still has to be worked out.

@knipknap
Copy link
Owner

knipknap commented Sep 11, 2018
edited
Loading

@bigmars86 the issue that you are describing is unrelated to this bug. It's tracked in issue #166. I'll follow up there.

@JohnHay
Copy link

JohnHay commented Sep 23, 2019

EDIT

I'm getting better results when I bypass the multi-auth loop by changing line 283 of ssh2.py to call on auth_password intead of auth_none. This seems like it'll be a sufficient workaround for my current use-case, cisco ZTP.

self.client.auth_none(username)
self.client.auth_password(username, password)

I resorted to the same change and now login to all our routers work again. Maybe a bit of a background, our current setup is using exscript 2.4.8 and python 2.7. We have a variety of network equipment, from Alcatel (now Nokia) SAS-M/T, Arista, Cisco IOS and XR, Juniper and the odd Ocnos an Cumulus devices. I'm currently looking at moving our scripts to python 3.6 and exscript 2.6 (using the new FreeBSD package for it). Our old setup basically just set

ssh_conn.set_driver("generic")
ssh_conn.set_prompt(re.compile(r'(?:\A|[\r\n])\S+[#>] ?\Z'))

and worked everywhere. I see there are talks about making the login method settable, that would be great, if it will be a way to fix this problem.

@mwallraf
Copy link
Contributor

mwallraf commented Sep 24, 2020
edited
Loading

EDIT
Actually it was @derek-shnosh who made the first suggestion, thanks :-)

@JohnHay , thanks for your suggestion, we are taking 6000 backups per day from different kind of equipment (Cisco, OneAccess, Ciena, ..) and this always worked but after moving to a new redhat server with exscript 2.6.3 python 3.8 we had a few hundred devices with the exact same issue (fail on the auth_none() procedure). Debugging SSH and trying different options did not help in finding a solution .. It's actually a very strange problem because we have for example 2 identical hardware devices with identical software and configuration and on 1 router the backup will always work and on the other one it will always fail.

After patching the exscript ssh2.py file like you suggested all backups are now working again !!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@knipknap @mwallraf @JohnHay @memogharib @derek-shnosh @bigmars86