Failed SSH Key Based Authentication for older Junos Versions
leonkramer opened this issue · 2 comments
Issue Type
- Bug Report
Module Name
- paramiko
% pip3 freeze
bcrypt==4.0.0
cffi==1.15.1
cryptography==38.0.1
Jinja2==3.1.2
junos-eznc==2.6.5
jxmlease==1.0.3
lxml==4.9.1
MarkupSafe==2.1.1
ncclient==0.6.13
netaddr==0.8.0
paramiko==2.11.0
pycparser==2.21
PyNaCl==1.5.0
pyparsing==3.0.9
pyserial==3.5
PyYAML==6.0
scp==0.14.4
six==1.16.0
transitions==0.9.0
xmltodict==0.13.0
yamlordereddictloader==0.4.0
ansible [core 2.13.4]
config file = None
configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
jinja version = 3.1.2
libyaml = True
OS / Environment
Juniper EX3300 @ 15.1R7-S7.1
Summary
Ansible SSH connection fails with an Authentication Error, even though a normal SSH connection from the terminal works flawlessly.
Steps to reproduce
Install paramiko version >= 2.9 and run an Ansible playbook against older Junos versions.
Expected results
The SSH connection should work.
Actual results
ansible-playbook [core 2.13.4]
config file = /Users/user/Ansible/network/ansible.cfg
configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible-playbook
python version = 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
jinja version = 3.1.2
libyaml = True
Using /Users/user/Ansible/network/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
script declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
auto declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
Set default localhost to localhost
Not replacing invalid character(s) "{'-'}" in group name (acc-fra3)
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
Not replacing invalid character(s) "{'-'}" in group name (acc-fra3)
Parsed /Users/user/Ansible/network/inventory/hosts inventory source with ini plugin
Loading collection juniper.device from /Users/user/.ansible/collections/ansible_collections/juniper/device
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading collection community.general from /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible_collections/community/general
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading callback plugin community.general.yaml of type stdout, v2.0 from /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible_collections/community/general/plugins/callback/yaml.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: junos-build-conf-system-login.yml **********************************************************************************************************************************************************************************************************************************
Positional arguments: playbooks/py3/junos-build-conf-system-login.yml
verbosity: 4
remote_user: user
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
check: True
diff: True
inventory: ('/Users/user/Ansible/network/inventory',)
subset: sw1*
forks: 5
1 plays in playbooks/py3/junos-build-conf-system-login.yml
PLAY [Build FC specific configuration for user accounts] *********************************************************************************************************************************************************************************************************************
META: ran handlers
TASK [Apply configuration] ***************************************************************************************************************************************************************************************************************************************************
task path: /Users/user/Ansible/network/playbooks/py3/junos-build-conf-system-login.yml:22
<sw1.fra1.de.xxx> ESTABLISH LOCAL CONNECTION FOR USER: user
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'echo ~user && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/user/.ansible/tmp `"&& mkdir "` echo /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414 `" && echo ansible-tmp-1664956830.1051679-45538-253611735395414="` echo /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414 `" ) && sleep 0'
<sw1.fra1.de.xxx> Attempting python interpreter discovery
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'python3.10'"'"'; command -v '"'"'python3.9'"'"'; command -v '"'"'python3.8'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<sw1.fra1.de.xxx> Python interpreter discovery fallback (unsupported platform for extended discovery: darwin)
Using module file /Users/user/.ansible/collections/ansible_collections/juniper/device/plugins/modules/config.py
<sw1.fra1.de.xxx> PUT /Users/user/.ansible/tmp/ansible-local-455359e1aisdu/tmpnsgab33_ TO /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'chmod u+x /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/ /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c '/opt/homebrew/bin/python3.10 /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'rm -f -r /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
File "/var/folders/cc/4gpk7x9d63l2z0lzy_j6g9m80000gn/T/ansible_config_payload_83lieeua/ansible_config_payload.zip/ansible_collections/juniper/device/plugins/module_utils/juniper_junos_common.py", line 1077, in open
self.dev.open()
File "/opt/homebrew/lib/python3.10/site-packages/jnpr/junos/device.py", line 1382, in open
raise EzErrors.ConnectAuthError(self)
[WARNING]: Platform darwin on host sw1.fra1.de.xxx is using the discovered Python interpreter at /opt/homebrew/bin/python3.10, but future installation of another Python interpreter could change the meaning of that path. See
https://docs.ansible.com/ansible-core/2.13/reference_appendices/interpreter_discovery.html for more information.
fatal: [sw1.fra1.de.xxx]: FAILED! => changed=false
ansible_facts:
discovered_interpreter_python: /opt/homebrew/bin/python3.10
invocation:
module_args:
attempts: null
baud: null
check: null
check_commit_wait: null
comment: 'Ansible: Update Users'
commit: null
commit_empty_changes: false
config_mode: exclusive
confirmed: null
console: null
cs_passwd: null
cs_user: null
dest: null
dest_dir: null
diff: null
diffs_file: null
filter: null
format: text
host: sw1.fra1.de.xxx
ignore_warning:
- 'True'
level: null
lines: null
load: replace
logdir: null
logfile: null
mode: null
model: null
namespace: null
options: {}
passwd: null
port: 830
remove_ns: null
retrieve: null
return_output: true
rollback: null
src: /Users/user/Ansible/network/tmp/junos-system-login.conf
ssh_config: null
ssh_private_key_file: null
template: null
timeout: 180
url: null
user: user
vars: null
msg: 'Unable to make a PyEZ connection: ConnectAuthError(sw1.fra1.de.xxx)'
Switch Message Log:
Oct 5 09:44:49 sw1.fra1.xxx sshd[19734]: userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 [preauth]
More Info
The issue is related to paramiko and is discussed at paramiko/paramiko#1961. Apparently paramiko chooses its own preferred algorithm if it does not receive a "server-sig-algs" list from the server. That preferred algorithm is rsa-sha2-512, which is not supported by older Junos versions.
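To make the failure mode concrete, here is an added example (not paramiko, PyEZ or Ansible code) that models the RSA signature-algorithm choice described above and parses the sshd log line the switch emits. The selection logic is a simplified restatement of the paramiko >= 2.9 behaviour discussed in paramiko/paramiko#1961; the `WORKAROUND` dictionary is the shape paramiko's `disabled_algorithms` option takes, and the log line is a constructed copy of the one in this issue.

```python
"""Model of the paramiko >= 2.9 RSA signature-algorithm choice, plus a
check for the sshd log line that reveals the mismatch.  Added example,
not paramiko or PyEZ code; the selection logic is a simplified model."""
import re

# paramiko's default RSA-family preference order (most preferred first)
RSA_FAMILY = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")

# Shape of paramiko's disabled_algorithms option that forces plain ssh-rsa
WORKAROUND = {"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]}


def choose_rsa_algorithm(server_sig_algs, disabled=()):
    """Return the RSA signature algorithm a paramiko-style client offers.

    server_sig_algs: the server's 'server-sig-algs' extension list, or None
    when the server sent none (older Junos sends none).
    disabled: algorithms removed through disabled_algorithms["pubkeys"].
    """
    candidates = [a for a in RSA_FAMILY if a not in disabled]
    if not candidates:
        raise ValueError("every RSA signature algorithm is disabled")
    if server_sig_algs is None:
        # No hint from the server: the client falls back to its own first
        # preference, rsa-sha2-512 unless that has been disabled.
        return candidates[0]
    for alg in candidates:
        if alg in server_sig_algs:
            return alg
    return candidates[-1]


LOG_RE = re.compile(r"userauth_pubkey: unsupported public key algorithm: (\S+)")


def unsupported_algorithm(line):
    """Return the algorithm an sshd log line rejected, or None if no match."""
    m = LOG_RE.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Old Junos: no server-sig-algs, so the client offers rsa-sha2-512
    print(choose_rsa_algorithm(None))
    # Same server with the workaround applied: the client offers ssh-rsa
    print(choose_rsa_algorithm(None, disabled=WORKAROUND["pubkeys"]))
    # Constructed copy of the switch log line quoted in this issue
    print(unsupported_algorithm("Oct 5 09:44:49 sw1 sshd[19734]: userauth_pubkey: "
                                "unsupported public key algorithm: rsa-sha2-512 [preauth]"))
```

With real paramiko the same effect is obtained by passing `disabled_algorithms=WORKAROUND` to `SSHClient.connect()`, which keeps the newer paramiko release while offering `ssh-rsa` to the legacy device.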
In the case of a Junos legacy support device, kindly use paramiko version 1.15.2.
Hi @leonkramer
Thanks,
Please try the option suggested by Dinesh.
In the case of a Junos legacy support device, kindly use paramiko version 1.15.2.
Thanks