Paramiko - Bad Authentication Type [Cisco SG-300 S

2020-08-04 04:53发布

问题:

I use the configuration script over the ssh on the following link.The Script is not important, the important thing is that importing parmaiko module. But I added a link:

https://github.com/enessanal/NetConfPy/blob/master/netconf.py

And related piece of code:

import paramiko
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    ssh.connect(hostname=host,port=port,username=username,password=password,timeout=timeout)
except Exception as exception:
    print(str(exception))

The script run successfully all linux devices including old model HP switches except one device, Cisco SG-300 Switch. I think I understand the problem. The problem is about the Switch. This type of switches behave differently. When trying a normal ssh connection with ssh command or through Putty, two authentication mechanisms occur. First one is "Login as" and the other one is "username". We interested in the second one. But the program (paramiko client) can not bypass "login as" part. And throw "Bad authentication type" Exception for every time. How can I solve this problem? Or is there another method for automate configurations through ssh connection?

Debugging info:

OpenSSH_7.9p1 Debian-1, OpenSSL 1.1.1  11 Sep 2018

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname 10.39.31.11 is address
debug2: ssh_connect_direct
debug1: Connecting to 10.39.31.11 [10.39.31.11] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1.RL
debug1: match: OpenSSH_7.3p1.RL pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 10.39.31.11:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from 10.39.31.11
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 1001/2048
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:dS79N4clCGySrehvWW5kpCRgm3VXlYClD0pyoaYSNoQ
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from 10.34.35.11
debug1: Host '10.39.31.11' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:9
debug2: bits set: 1068/2048
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa 
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (none).

Authenticated to 10.39.31.11 ([10.39.31.11]:22).

debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 5 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x08
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_CONNECTION
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env USER
debug3: Ignored env PWD
debug3: Ignored env HOME
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SSH_TTY
debug3: Ignored env MAIL
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env SHLVL
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PATH
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 2097152 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0




User Name:wrong_credentils_don't_effect_the_logs
Password:***

User Name:cisco
Password:************

Switch1>exit
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug2: channel 0: output open -> drain
debug2: channel 0: chan_shutdown_read (i0 o1 sock -1 wfd 6 efd 8 [write])
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i3 o1 sock -1 wfd 7 efd 8 [write])
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/8 sock -1 cc -1)

debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to 10.39.31.11 closed.
Transferred: sent 3552, received 2776 bytes, in 28.7 seconds
Bytes per second: sent 123.9, received 96.8
debug1: Exit status -1

And paramiko log file:

DEB [20181204-11:25:17.677] thr=1   paramiko.transport: starting thread (client mode): 0x3c1fed0
DEB [20181204-11:25:17.677] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.2
DEB [20181204-11:25:17.695] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_7.3p1.RL
INF [20181204-11:25:17.695] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_7.3p1.RL)
DEB [20181204-11:25:18.015] thr=1   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: Kex agreed: diffie-hellman-group-exchange-sha1
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: HostKey agreed: ssh-rsa
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: MAC agreed: hmac-sha1
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: Compression agreed: none
DEB [20181204-11:25:18.027] thr=1   paramiko.transport: Got server p (2048 bits)
DEB [20181204-11:25:18.459] thr=1   paramiko.transport: kex engine KexGex specified hash_algo <built-in function openssl_sha1>
DEB [20181204-11:25:18.459] thr=1   paramiko.transport: Switch to new keys ...
DEB [20181204-11:25:18.460] thr=2   paramiko.transport: Adding ssh-rsa host key for 10.39.31.11: b'd6d12a09458873202a0e271b90d38a7d'
DEB [20181204-11:25:18.936] thr=1   paramiko.transport: userauth is OK
DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Authentication type (password) not permitted.
DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Allowed methods: ['']
DEB [20181204-11:25:18.941] thr=1   paramiko.transport: EOF in transport thread
DEB [20181204-11:25:18.946] thr=3   paramiko.transport: starting thread (client mode): 0x386b0f0
DEB [20181204-11:25:18.947] thr=3   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.2
DEB [20181204-11:25:19.245] thr=3   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_7.3p1.RL
INF [20181204-11:25:19.245] thr=3   paramiko.transport: Connected (version 2.0, client OpenSSH_7.3p1.RL)
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: Kex agreed: diffie-hellman-group-exchange-sha1
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: HostKey agreed: ssh-rsa
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: MAC agreed: hmac-sha1
DEB [20181204-11:25:19.567] thr=3   paramiko.transport: Compression agreed: none
DEB [20181204-11:25:19.576] thr=3   paramiko.transport: Got server p (2048 bits)
DEB [20181204-11:25:19.946] thr=3   paramiko.transport: kex engine KexGex specified hash_algo <built-in function openssl_sha1>
DEB [20181204-11:25:19.946] thr=3   paramiko.transport: Switch to new keys ...
DEB [20181204-11:25:19.947] thr=2   paramiko.transport: Adding ssh-rsa host key for 10.39.31.11: b'd6d12a09458873202a0e271b90d38a7d'
DEB [20181204-11:25:20.486] thr=3   paramiko.transport: userauth is OK
DEB [20181204-11:25:20.491] thr=3   paramiko.transport: Authentication type (password) not permitted.
DEB [20181204-11:25:20.491] thr=3   paramiko.transport: Allowed methods: ['']
DEB [20181204-11:25:20.492] thr=3   paramiko.transport: EOF in transport thread

The exception string program throws:

[*] Testing connection...
[*] Getting banner...
[+] Banner => SSH-2.0-OpenSSH_7.3p1.RL
[-] Failed to connect => 10.39.31.11:22 (('Bad authentication type', ['']) (allowed_types=['']))
[*] Exiting...

Thank you very much.

Cisco ssh connection screen

回答1:

The server (switch) does not support any SSH authentication methods:

DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Authentication type (password) not permitted.
DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Allowed methods: ['']

It actually uses simple I/O (Telnet-like) to prompt for credentials.

As you instructed Paramiko to use standard SSH password authentication (by providing a password to SSHClient.connect()), it fails.

Paramiko (contrary to ssh) does not support "none" authentication (or not directly).

Though this may work:

  • Do not provide password to SSHClient.connect()
  • SSHClient.connect() should fail with SSHException('No authentication methods available') - swallow that exception
  • Now you are connected to the server, but not authenticated. To authenticate using "none" SSH authentication, call Transport.auth_none():

    ssh.get_transport().auth_none(username)
    

Now you should be "authenticated", as far as SSH is concerned. The same way, ssh believes it's authenticated, even before you get any prompt for credentials:

debug1: Authentication succeeded (none).

Authenticated to 10.39.31.11 ([10.39.31.11]:22).

...

User Name:wrong_credentils_don't_effect_the_logs
Password:***

User Name:cisco
Password:************

Then, if you attempt to open "shell" using SSHClient.invoke_shell() (and maybe also if you attempt to execute a command using SSHClient.exec_command() - though I would assume that the server won't support this interface), the server will prompt you for a username and a password using I/O.

Try to provide the credentials this way:

channel = ssh.invoke_shell()
channel.send(username + "\n")
channel.send(password + "\n")

(you may need to wait for prompts before feeding credentials [expect-like], if the server won't accept them, when provided immediately).


Obligatory warning: Do not use AutoAddPolicy, unless you do not care about security. You are losing a protection against MITM attacks this way.
For a correct solution, see Paramiko "Unknown Server".



回答2:

Add the following to your Cisco SG3XX config:

ip ssh password-auth

This will use SSH password authentication that paramiko expects, instead of using shell-based authentication.