SSH connection to Cisco IOS CLI rejected when using Paramiko


I am trying to connect to a Cisco SG350 switch via SSH using the Python Paramiko library. The goal is to be able to log in using the public key of the computer the Python code is running on. The key is already stored on the switch. When connecting from a regular console window everything works fine. When trying to log in using a simple Paramiko script it returns that the connection is dead. For the console approach two lines appear in the switch's log: one rejection and one acceptance of a connection. For the Paramiko approach only the rejection appears.

Output when connecting via console (Successful):

# ssh -v sshUser@192.168.1.254
OpenSSH_9.3p2, OpenSSL 1.1.1v  1 Aug 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1.RL
debug1: compat_banner: match: OpenSSH_7.3p1.RL pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 192.168.1.254:22 as 'sshUser'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group16-sha512
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-dss SHA256:JeZW4UsnKoC6FyJjZIDJOScGfqdbUuy0qMecByIUt7M
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.1.254' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
Authenticated to 192.168.1.254 ([192.168.1.254]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem

S1>

Log output of the Cisco CLI (read from the console port):

27-Feb-2023 11:00:53 %AAA-W-REJECT: New sshpubkey connection, source 192.168.1.5 destination 192.168.1.254  REJECTED
27-Feb-2023 11:00:53 %AAA-I-CONNECT: User CLI session for user unKnown over ssh , source 192.168.1.5 destination  192.168.1.254 ACCEPTED

Code for the Paramiko connection:

import paramiko

import sys
import logging
# Send Paramiko's transport-level debug output to stderr
logging.basicConfig(stream=sys.stderr, level=logging.NOTSET)

host = "192.168.1.254"
username = "sshUser"

client = paramiko.client.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(host, username=username)  # public-key auth via the default key lookup in ~/.ssh
_stdin, _stdout, _stderr = client.exec_command("show version")
# print(_stdout.read().decode())
client.close()

Output from Paramiko; execution gets stuck at the last line:

# python3 para.py 
DEBUG:paramiko.transport:starting thread (client mode): 0x8f3a3ad0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.12.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.3p1.RL
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.3p1.RL)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: diffie-hellman-group16-sha512, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
DEBUG:paramiko.transport:server key: ssh-rsa, ssh-dss
DEBUG:paramiko.transport:client encrypt: aes128-ctr, aes192-ctr, aes256-ctr, [email protected]
DEBUG:paramiko.transport:server encrypt: aes128-ctr, aes192-ctr, aes256-ctr, [email protected]
DEBUG:paramiko.transport:client mac: hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:server mac: hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:client compress: none
DEBUG:paramiko.transport:server compress: none
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: diffie-hellman-group16-sha512
DEBUG:paramiko.transport:HostKey: ssh-rsa
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexGroup16SHA512 specified hash_algo <built-in function openssl_sha512>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'rsa-sha2-256,rsa-sha2-512'}
DEBUG:paramiko.transport:Adding ssh-rsa host key for 192.168.1.254: b'2a42d41d33ac48fd4f81e2e88b29eaa1'
DEBUG:paramiko.transport:Trying discovered key b'deb44f3cac545cc75509fac02f2707cf' in /root/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['rsa-sha2-256', 'rsa-sha2-512']
DEBUG:paramiko.transport:Agreed upon 'rsa-sha2-512' pubkey algorithm
INFO:paramiko.transport:Authentication (publickey) successful!
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:[chan 0] Max packet out: 32768 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok
DEBUG:paramiko.transport:[chan 0] EOF sent (0)
DEBUG:paramiko.transport:Dropping user packet because connection is dead.

Log output of the Cisco CLI (read from the console port):

27-Feb-2023 11:04:22 %AAA-W-REJECT: New sshpubkey connection, source 192.168.1.5 destination 192.168.1.254  REJECTED

Notice the missing line for the acceptance of the SSH connection.

The switch config looks like this:

ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
voice vlan state auto-triggered
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
bonjour interface range vlan 1
hostname S1
line console
exec-timeout 30000 1
exit
line console
no autobaud
exit
aaa authentication login SSH none
aaa authentication enable SSH none
line ssh
 login authentication SSH
 enable authentication SSH
exit
username admin password encrypted $15$VNJYwze9yjygzbb0$Fz7s3qzUtnJQVWQDmW+I4n1E1D6ffKd4QPdaxSrhoUcnpwFMbfYrhJ0CvbghTfibUTNuszcFsFQTlEycYrAGYg5
ip ssh server
ip ssh pubkey-auth auto-login
crypto key pubkey-chain ssh
user-key sshUser rsa                                  
key-string row AAAAB3NzaC1yc2EAAAADAQABAAABAQCihxDZZ+LK
key-string row AcS59My1qf1gTK5BGa8qp7J7nyhOwzTlYremujzQ
key-string row 8d9Lxr3mrWXNXy0DdykyRv1Aits6/DrJGAHvLnK+
key-string row f0XZ7fzFQw9vjD3Znfqz8+ZS19mF13y/
key-string row BufTMujnfKyZ2ZF3n+TKefWZd3TNOvmlJABn/Kuh
key-string row KPs3RhmUL6iizOGPfxD1oxL2nWOpK8mOemrHgalU
key-string row amnfXlwZQQVaHlF7lP/mUIae+iCezFlEFiP1UrSX
key-string row UCLCpAXCFNRIrpv+Zj6kXpAcemUdcODqNF4IJo4O
key-string row fXWMj7i/krrWaVMytfurqYCPV1tql6UExWqpaINo
key-string row YPm65pZJv3/zPcaNj/4x
exit
exit
ip domain name devnet.local
!
macro auto controlled

It seems like there is a problem with the authentication process of Paramiko with the switch. Am I overlooking an important setting?

Update 1 on request by Kenster:

# ssh -v sshUser@192.168.1.254 "show version"
OpenSSH_9.3p2, OpenSSL 1.1.1v  1 Aug 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1.RL
debug1: compat_banner: match: OpenSSH_7.3p1.RL pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 192.168.1.254:22 as 'sshUser'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group16-sha512
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-dss SHA256:JeZW4UsnKoC6FyJjZIDJOScGfqdbUuy0qMecByIUt7M
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.1.254' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
Authenticated to 192.168.1.254 ([192.168.1.254]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Sending command: show version

The console gets stuck at Sending command: show version, this matches with the result from the Paramiko script.

# ssh -vtt sshUser@192.168.1.254 "show version"
OpenSSH_9.3p2, OpenSSL 1.1.1v  1 Aug 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1.RL
debug1: compat_banner: match: OpenSSH_7.3p1.RL pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 192.168.1.254:22 as 'sshUser'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group16-sha512
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-dss SHA256:JeZW4UsnKoC6FyJjZIDJOScGfqdbUuy0qMecByIUt7M
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.1.254' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:VoMt79SZooVXlA/yQoJ3Hi11/sMJh0dhyNCJt49fXbw
Authenticated to 192.168.1.254 ([192.168.1.254]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Sending command: show version
how versionhow versionReceived disconnect from 192.168.1.254 port 22:2: flow error
Disconnected from 192.168.1.254 port 22

Both commands seem to not work. After stumbling upon a completely unrelated post I tried using the ssh.invoke_shell() function, which works for me. Therefore, with the result of the two commands suggested by Kenster, I assume that on this specific switch model the SSH exec channel is not implemented.
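Since invoke_shell() works where exec_command() hangs on this switch, here is one way to drive the interactive shell from Paramiko and still get a single command's output back. This is an added example, not code from the question or from Paramiko: it assumes the prompt is S1> or S1# and that `terminal datadump` turns off paging on the SG350, and it keeps host-key checking on by reusing known_hosts instead of AutoAddPolicy.

```python
import re
import socket
import time

# Prompt of the switch in the post ("S1>"); "S1#" after enable.
PROMPT_RE = re.compile(r"S1[>#][ \t]*$")


def read_until_prompt(recv, prompt_re=PROMPT_RE, timeout=10.0):
    """Accumulate output from recv(bufsize) until prompt_re matches; recv returns
    bytes (b"" on close), e.g. a paramiko Channel's recv. Raises TimeoutError."""
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            chunk = recv(4096)
        except socket.timeout:      # chan.settimeout() fired; keep waiting
            continue
        if not chunk:               # EOF: the peer closed the channel
            break
        buf += chunk
        text = buf.decode("utf-8", errors="replace")
        if prompt_re.search(text):
            return text
    raise TimeoutError("no prompt within %.1fs, got %r" % (timeout, buf[-200:]))


def strip_echo_and_prompt(text, command, prompt_re=PROMPT_RE):
    """Drop the echoed command line and the trailing prompt from shell output."""
    lines = text.replace("\r", "").split("\n")
    if lines and lines[0].strip() == command:
        lines = lines[1:]
    if lines and prompt_re.search(lines[-1]):
        lines = lines[:-1]
    return "\n".join(lines).strip()


def run_command(host, username, command, timeout=10.0):
    """Run one CLI command over an interactive shell (invoke_shell), not exec_command."""
    import paramiko  # imported here so the helpers above stay importable without it
    client = paramiko.SSHClient()
    client.load_system_host_keys()                     # reuse ~/.ssh/known_hosts, already trusted by OpenSSH
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # never silently trust a new host key
    client.connect(host, username=username, timeout=timeout)     # public key from ~/.ssh or the agent
    try:
        chan = client.invoke_shell()
        chan.settimeout(1.0)
        read_until_prompt(chan.recv, timeout=timeout)  # banner and first prompt
        chan.send("terminal datadump\n")               # assumption: disables --More-- paging on the SG350
        read_until_prompt(chan.recv, timeout=timeout)
        chan.send(command + "\n")
        return strip_echo_and_prompt(read_until_prompt(chan.recv, timeout=timeout), command)
    finally:
        client.close()
```

Note that OpenSSH matched the switch's ssh-dss host key while Paramiko negotiated ssh-rsa in the logs above, so RejectPolicy may require adding the switch's RSA host key to known_hosts once.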
