gaima8
commented
9 months ago Probably superseded by https://github.com/Juniper/py-junos-eznc/pull/1285
Open gaima8 opened 9 months ago
gaima8
commented
9 months ago Probably superseded by https://github.com/Juniper/py-junos-eznc/pull/1285
chidanandpujar
commented
9 months ago Hi @gaima8 Thanks , Please share the test playbooks and execution results for review . https://github.com/Juniper/ansible-junos-stdlib/tree/master/tests
Thanks
gaima8
commented
9 months ago $ grep -o ^IdentityFile ~/.ssh/config
IdentityFile
$ ansible-playbook ....whatever....
...Unable to make a PyEZ connection: ConnectAuthError(........The value of IdentityFile is an encrypted private key file.
In junos-eznc where self._conf_ssh_private_key_file is set by class _Connection._sshconf_lkup, causing self._ssh_private_key_file to be set by class Device.__init__, resulting in allow_agent being false causing netconf_ssh.connect to not use the agent.
All this change does is allow you to set force_agent, with https://github.com/Juniper/py-junos-eznc/pull/1284 this just forces junos-eznc to set allow_agent to true in the call to ncclient.
By setting force_agent to True the playbook works.
As ncclient itself defaults to having allow_agent=True then https://github.com/Juniper/py-junos-eznc/pull/1285 is probably a better fix as that simply stops junos-eznc from ever setting allow_agent to any other value. However ssh does actually allow you to not use the ssh-agent (enable IdentitiesOnly to disable using the agent) so it is arguable whether junos-eznc should continue to allow the agent to be disabled. This PR gives you that same option, keeping the current behaviour intact.
IdentitiesOnly
Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or
passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities. The argument to this keyword must be yes or no (the de‐
fault). This option is intended for situations where ssh-agent offers many different identities.$ grep -o ^IdentityFile ~/.ssh/config IdentityFile $ ansible-playbook ....whatever.... ...Unable to make a PyEZ connection: ConnectAuthError(........The value of
IdentityFileis an encrypted private key file.In junos-eznc where
self._conf_ssh_private_key_fileis set byclass _Connection._sshconf_lkup, causingself._ssh_private_key_fileto be set byclass Device.__init__, resulting inallow_agentbeing false causingnetconf_ssh.connectto not use the agent.All this change does is allow you to set force_agent, with Juniper/py-junos-eznc#1284 this just forces junos-eznc to set allow_agent to true in the call to ncclient. By setting
force_agentto True the playbook works.As ncclient itself defaults to having allow_agent=True then Juniper/py-junos-eznc#1285 is probably a better fix as that simply stops junos-eznc from ever setting allow_agent to any other value. However ssh does actually allow you to not use the ssh-agent (enable IdentitiesOnly to disable using the agent) so it is arguable whether junos-eznc should continue to allow the agent to be disabled. This PR gives you that same option, keeping the current behaviour intact.
IdentitiesOnly Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities. The argument to this keyword must be yes or no (the de‐ fault). This option is intended for situations where ssh-agent offers many different identities.
Hi @gaima8 Thanks for sharing the info . I will go through it and update you.
Thanks
jnpr (py-junos-eznc) will only ask the SSH agent for keys in certain circumstances, this allows you to override that and for it to ask an agent.
~A PR for Juniper/py-junos-eznc will be made too.~ Relates to https://github.com/Juniper/py-junos-eznc/pull/1284