Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Enable using only the SSH agent for private keys if asked. #634

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

gaima8
Copy link

@gaima8 gaima8 commented Nov 23, 2023

jnpr (py-junos-eznc) will only ask the SSH agent for keys in certain circumstances, this allows you to override that and for it to ask an agent.

A PR for Juniper/py-junos-eznc will be made too. Relates to Juniper/py-junos-eznc#1284

@gaima8
Copy link
Author

gaima8 commented Nov 25, 2023

Probably superseded by Juniper/py-junos-eznc#1285

@chidanandpujar chidanandpujar self-requested a review November 29, 2023 15:41
@chidanandpujar
Copy link
Collaborator

Hi @gaima8
Thanks ,
Please share the test playbooks and execution results for review .
https://github.com/Juniper/ansible-junos-stdlib/tree/master/tests

Thanks

@gaima8
Copy link
Author

gaima8 commented Nov 29, 2023

$ grep -o ^IdentityFile ~/.ssh/config 
IdentityFile
$ ansible-playbook ....whatever....
...Unable to make a PyEZ connection: ConnectAuthError(........

The value of IdentityFile is an encrypted private key file.

In junos-eznc where self._conf_ssh_private_key_file is set by class _Connection._sshconf_lkup, causing self._ssh_private_key_file to be set by class Device.__init__, resulting in allow_agent being false causing netconf_ssh.connect to not use the agent.

All this change does is allow you to set force_agent, with Juniper/py-junos-eznc#1284 this just forces junos-eznc to set allow_agent to true in the call to ncclient.
By setting force_agent to True the playbook works.

As ncclient itself defaults to having allow_agent=True then Juniper/py-junos-eznc#1285 is probably a better fix as that simply stops junos-eznc from ever setting allow_agent to any other value.
However ssh does actually allow you to not use the ssh-agent (enable IdentitiesOnly to disable using the agent) so it is arguable whether junos-eznc should continue to allow the agent to be disabled. This PR gives you that same option, keeping the current behaviour intact.

  IdentitiesOnly
         Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or
         passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities.  The argument to this keyword must be yes or no (the de‐
         fault).  This option is intended for situations where ssh-agent offers many different identities.

@chidanandpujar
Copy link
Collaborator

$ grep -o ^IdentityFile ~/.ssh/config 
IdentityFile
$ ansible-playbook ....whatever....
...Unable to make a PyEZ connection: ConnectAuthError(........

The value of IdentityFile is an encrypted private key file.

In junos-eznc where self._conf_ssh_private_key_file is set by class _Connection._sshconf_lkup, causing self._ssh_private_key_file to be set by class Device.__init__, resulting in allow_agent being false causing netconf_ssh.connect to not use the agent.

All this change does is allow you to set force_agent, with Juniper/py-junos-eznc#1284 this just forces junos-eznc to set allow_agent to true in the call to ncclient. By setting force_agent to True the playbook works.

As ncclient itself defaults to having allow_agent=True then Juniper/py-junos-eznc#1285 is probably a better fix as that simply stops junos-eznc from ever setting allow_agent to any other value. However ssh does actually allow you to not use the ssh-agent (enable IdentitiesOnly to disable using the agent) so it is arguable whether junos-eznc should continue to allow the agent to be disabled. This PR gives you that same option, keeping the current behaviour intact.

  IdentitiesOnly
         Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or
         passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities.  The argument to this keyword must be yes or no (the de‐
         fault).  This option is intended for situations where ssh-agent offers many different identities.

Hi @gaima8
Thanks for sharing the info .
I will go through it and update you.

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants