ConnectAuthError when trying to connect to SRX with SSH private key with passphrase and SSH-agent #1353

Open
Raimond56 opened this issue Dec 18, 2024 · 1 comment

Raimond56 commented Dec 18, 2024

Hello,

I need some help troubleshooting why connecting with an SSH key with a passphrase is not working with the SSH agent.
If I understand correctly, if I have set up access to the SRX with SSH keys and am using the SSH agent, then junos-eznc should be able to read that information and connect to the device.

Connection to SRX 4200 with version Junos: 21.4R3-S4.9
From Ubuntu 22.04 with Python 3.10 and junos-eznc 2.7.1

This is what I have in my .ssh/config file:

host 10.35.255.1
        IdentityFile ~/.ssh/privatekey
host *
        KexAlgorithms=+"diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
        PubkeyAcceptedAlgorithms=+"ssh-rsa"
        HostKeyAlgorithms=+"ssh-rsa"
        Ciphers=+"aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
        ServerAliveInterval=300
        ServerAliveCountMax=2
AddKeysToAgent yes

If I connect from the command line, it doesn't ask for a password and connects:

rilves@raimondadmin:~$ ssh 10.35.255.1 -p 830 -s netconf
<!-- No zombies were killed during the creation of this user interface -->
<!-- user rilves, class j-super-user-local -->
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">

If I try with the following Python code:

from pprint import pprint
from jnpr.junos import Device

with Device(host='10.35.255.1', user='rilves') as dev:
    pprint( dev.facts )

I get the following error:

rilves@raimondadmin:~$ python3 test.py
Traceback (most recent call last):
  File "/home/rilves/.local/lib/python3.10/site-packages/jnpr/junos/device.py", line 1371, in open
    self._conn = netconf_ssh.connect(
  File "/home/rilves/.local/lib/python3.10/site-packages/ncclient/manager.py", line 187, in connect
    return connect_ssh(*args, **kwds)
  File "/home/rilves/.local/lib/python3.10/site-packages/ncclient/manager.py", line 139, in connect_ssh
    session.connect(*args, **kwds)
  File "/home/rilves/.local/lib/python3.10/site-packages/ncclient/transport/ssh.py", line 359, in connect
    self._auth(username, password, key_filenames, allow_agent, look_for_keys)
  File "/home/rilves/.local/lib/python3.10/site-packages/ncclient/transport/ssh.py", line 494, in _auth
    raise AuthenticationError(repr(saved_exception))
ncclient.transport.errors.AuthenticationError: SSHException('encountered EC key, expected OPENSSH key')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/rilves/test.py", line 5, in <module>
    with Device(host='10.35.255.1', user='rilves') as dev:
  File "/home/rilves/.local/lib/python3.10/site-packages/jnpr/junos/device.py", line 1476, in __enter__
    self.open()
  File "/home/rilves/.local/lib/python3.10/site-packages/jnpr/junos/device.py", line 1392, in open
    raise EzErrors.ConnectAuthError(self)
jnpr.junos.exception.ConnectAuthError: ConnectAuthError(10.35.255.1)

Everything works if I provide "passwd: " in the Python script as well. But I would like to have key authentication.
Do I need to create an OPENSSH key, or could this be some other error and it is just not getting my key for some reason?

Thanks for help!

@Raimond56
Author

Alright, I did some more reading and checked out the code from the first error line, "device.py".
And in that file I found this:

            # we want to enable the ssh-agent if-and-only-if we are
            # not given a password or an ssh key file.
            # in this condition it means we want to query the agent
            # for available ssh keys

            allow_agent = bool(
                (self._auth_password is None) and (self._ssh_private_key_file is None)
            )

It seems that the SSH agent only works when you don't have an SSH key file and password defined anywhere. So I tested and removed my .ssh/config file, and then the Python code works and connects to the device.

Is this expected behavior? Is it possible to set this in the Python script so that I can still keep the .ssh/config file the same?
Also, if the key password is not yet in the SSH agent after a new session, it would also break. Shouldn't it still check the SSH key from .ssh/config and then ask for the password if it is not in the SSH agent already?
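
The behaviour described in this thread can be checked offline. The following is an added example, not code from the issue or from junos-eznc: it applies the `allow_agent` condition quoted above to a constructed, shortened copy of the poster's `.ssh/config`. The names `identity_file_for`, `agent_allowed` and `diagnose` are hypothetical, and it assumes, in line with the poster's test, that an `IdentityFile` matching the host counts as a given key file.

```python
import fnmatch
import re

# Constructed sample: a shortened copy of the ~/.ssh/config from the issue.
SAMPLE_CONFIG = '''
host 10.35.255.1
        IdentityFile ~/.ssh/privatekey
host *
        PubkeyAcceptedAlgorithms=+"ssh-rsa"
AddKeysToAgent yes
'''


def identity_file_for(config_text, host):
    """Return the first IdentityFile that applies to host, or None.
    Simplified reader: Host blocks with glob and '!' patterns, and
    'key value' or 'key=value' lines. Match and Include are ignored.
    """
    applies = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if p[0] != "!")
            veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p[0] == "!")
            applies = hit and not veto
        elif key == "identityfile" and applies:
            return value.strip('"')
    return None


def agent_allowed(auth_password, ssh_private_key_file):
    # Same condition as the device.py excerpt quoted in the issue.
    return bool((auth_password is None) and (ssh_private_key_file is None))


def diagnose(config_text, host, passwd=None, ssh_private_key_file=None):
    # Assumption: with no explicit key file, a matching IdentityFile from
    # the ssh config becomes the effective key file.
    key_file = ssh_private_key_file or identity_file_for(config_text, host)
    return {"key_file": key_file, "allow_agent": agent_allowed(passwd, key_file)}


if __name__ == "__main__":
    for target in ("10.35.255.1", "10.35.255.2"):
        print(target, diagnose(SAMPLE_CONFIG, target))
```

For the host with the `IdentityFile` entry the agent is reported as disabled, while a host that only matches `host *` keeps it enabled.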
