Is it possible to choose a KEX algorithm for a ssh connection?
Hello Kirk,
Please can you help me with my task? I have a bunch of Huawei s5720 switches. The default KeyExchange algorithm, diffie-hellman-group-exchange-sha1, takes almost 20 secs to compute a shared key on the switch side.
I have found a workaround: to use another kex, diffie-hellman-group1-sha1. With that kex a connection comes up instantly.
Now I want to make a script to fetch some data from many switches. It would be great if I could use that kex in my script.
Is there a way to transfer some kex options to paramiko from netmiko or maybe from napalm?
I've tried to pass ssh_config_file as an optional_args but with no success.
This is what I was trying to do:
My code:
    import napalm
    import logging

    logging.basicConfig(filename='test.log', level=logging.DEBUG)
    logger = logging.getLogger("netmiko")

    def play_napalm(platform):
        driver = napalm.get_network_driver(platform)
        with driver(host, user, pasw, optional_args={'ssh_config_file': 'ssh_config'}) as device:
            device.open()
ssh_config:
    Host 192.168.98.1
        KexAlgorithms diffie-hellman-group1-sha1
        Ciphers +aes128-cbc
Debug:
    DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.7.1
    DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0--
    INFO:paramiko.transport:Connected (version 2.0, client -)
    DEBUG:paramiko.transport:kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-dss', 'ssh-rsa'] client encrypt:['aes256-ctr', 'aes128-ctr', 'aes256-cbc', 'aes128-cbc', '3des-cbc'] server encrypt:['aes256-ctr', 'aes128-ctr', 'aes256-cbc', 'aes128-cbc', '3des-cbc'] client mac:['hmac-sha2-256', 'hmac-sha2-256-96', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] server mac:['hmac-sha2-256', 'hmac-sha2-256-96', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] client compress:['none', 'zlib'] server compress:['none', 'zlib'] client lang:[''] server lang:[''] kex follows?False
    DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group-exchange-sha1
Another option is to use telnet, but the current huawei_vrp driver (0.1.5) uses an old netmiko that doesn't support telnet for Huawei.
I was trying to dig into the paramiko options myself and I have found the option disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1"]}, which should be passed to the paramiko.transport.Transport object.
But I have no idea how to pass it from within netmiko. Any help would be appreciated.
With regards, Nikolay Ryzhkov
Top GitHub Comments
I overcomplicated the solution above, you should just be able to do the following:
Note, it is possible that you might want to save the Paramiko default _preferred_kex and restore them after you have connected to device(s) that have the specific KEX requirement.
I do not understand how to do this either. Some documentation on how to make this work from ConnectHandler instantiation (if possible) would be really great.
Right now I really do not see any way to do this except to subclass CiscoSSHConnection and somehow make ssh_dispatcher.py aware of my new class. That seems fairly complex to be able to do this.
Edit:
I think you can just pass autoconnect=False to ConnectHandler, and then set the paramiko.Transport settings anywhere. As long as you set the paramiko settings anywhere in your script before you connect, I think this works.
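The approach discussed in the comments (set the Paramiko transport's `_preferred_kex` before connecting, then restore the default) can be scoped with a context manager so the legacy KEX is offered only to the devices that need it. This is an added example, not code from the issue or from the Netmiko or Paramiko maintainers; `preferred_kex`, `fetch_version`, `LEGACY_KEX` and the connection parameters are hypothetical names, and `_preferred_kex` is a private Paramiko attribute that may change between versions.

```python
import contextlib

# KEX named in the issue; SHA-1 with a 1024-bit group, so offer it only where required.
LEGACY_KEX = ("diffie-hellman-group1-sha1",)


@contextlib.contextmanager
def preferred_kex(kex, transport_cls=None):
    """Temporarily replace Transport._preferred_kex and restore it on exit."""
    if transport_cls is None:
        import paramiko  # lazy import: the helper itself has no hard dependency
        transport_cls = paramiko.Transport
    if isinstance(kex, str):  # a bare string would otherwise be split into characters
        kex = (kex,)
    if not hasattr(transport_cls, "_preferred_kex"):
        raise AttributeError("_preferred_kex is private and not present in this version")
    saved = transport_cls._preferred_kex
    # Class attribute: the override is process-wide, so every connection opened
    # by any thread while the block is active offers only this list.
    transport_cls._preferred_kex = tuple(kex)
    try:
        yield transport_cls
    finally:
        transport_cls._preferred_kex = saved  # restored even if the connect fails


def fetch_version(host, username, password):
    """Hypothetical caller: host and credentials are placeholders."""
    from netmiko import ConnectHandler

    with preferred_kex(LEGACY_KEX):
        conn = ConnectHandler(device_type="huawei", host=host,
                              username=username, password=password)
        try:
            return conn.send_command("display version")
        finally:
            conn.disconnect()
```

Connections to other hosts made outside the `with` block negotiate with Paramiko's default KEX list again.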