ktbyers / netmiko

Multi-vendor library to simplify Paramiko SSH connections to network devices
MIT License

Cisco Catalyst 4500: Illegal info request from server #904

Closed rbeumer closed 5 years ago

rbeumer commented 6 years ago

I can login via SSH manually, but when I try to use Netmiko:

2018-08-08 11:38:47,343 DEBUG:starting thread (client mode): 0xfe9c1f60
2018-08-08 11:38:47,343 DEBUG:Local version/idstring: SSH-2.0-paramiko_2.4.1
2018-08-08 11:38:47,343 DEBUG:Remote version/idstring: SSH-2.0-Cisco-1.25
2018-08-08 11:38:47,343 INFO:Connected (version 2.0, client Cisco-1.25)
2018-08-08 11:38:47,346 DEBUG:kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc'] server encrypt:['aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc'] client mac:['hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] server mac:['hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
2018-08-08 11:38:47,346 DEBUG:Kex agreed: diffie-hellman-group-exchange-sha1
2018-08-08 11:38:47,346 DEBUG:HostKey agreed: ssh-rsa
2018-08-08 11:38:47,346 DEBUG:Cipher agreed: aes128-cbc
2018-08-08 11:38:47,347 DEBUG:MAC agreed: hmac-sha1
2018-08-08 11:38:47,347 DEBUG:Compression agreed: none
2018-08-08 11:38:47,550 DEBUG:Got server p (2048 bits)
2018-08-08 11:38:48,151 DEBUG:kex engine KexGex specified hash_algo <built-in function openssl_sha1>
2018-08-08 11:38:48,152 DEBUG:Switch to new keys ...
2018-08-08 11:38:48,153 DEBUG:Adding ssh-rsa host key for [redacted-ip] b'49ad87fe4d118f6ae351c300d9532fe7'
2018-08-08 11:38:48,350 DEBUG:userauth is OK
2018-08-08 11:38:48,350 INFO:Auth banner: b'\r\n+----------------------------------------------------------------------+\r\n|                                                                      |\r\n|         You are entering a restricted area.                          |\r\n|                                                                      |\r\n|    Do not try to login if you are not authorized.                    |\r\n|                                                                      |\r\n+----------------------------------------------------------------------+\r\n'
2018-08-08 11:38:48,399 ERROR:Exception: Illegal info request from server
2018-08-08 11:38:48,403 ERROR:Traceback (most recent call last):
2018-08-08 11:38:48,404 ERROR:  File "/usr/lib/python3.6/site-packages/paramiko/transport.py", line 1949, in run
2018-08-08 11:38:48,404 ERROR:    handler(self.auth_handler, m)
2018-08-08 11:38:48,404 ERROR:  File "/usr/lib/python3.6/site-packages/paramiko/auth_handler.py", line 622, in _parse_userauth_info_request
2018-08-08 11:38:48,404 ERROR:    raise SSHException('Illegal info request from server')
2018-08-08 11:38:48,404 ERROR:paramiko.ssh_exception.SSHException: Illegal info request from server

So authentication seems to be working (userauth is OK).

My code:

from netmiko import ConnectHandler


def getsshoverpasswd(ip, username, password, device_type):
    # Build the Netmiko connection parameters and open the SSH session
    node = {
        'device_type': device_type,
        'ip': ip,
        'username': username,
        'password': password,
        'timeout': 8,
    }
    ssh = ConnectHandler(**node)

    return ssh


# Caller in main.py; "netmiko" here is the local common/netmiko.py module shown above
s = netmiko.getsshoverpasswd(locations[location]['ipv4'], ssh.ssh_user, passwd, "cisco_xe")
trunk_vlans = s.send_command("show vlan")

Python 3.6.4 Netmiko 2.1.1

ktbyers commented 6 years ago

@rbeumer I wonder if it is the banner that causes the issue?

+----------------------------------------------------------------------+
         You are entering a restricted area.                                           
    Do not try to login if you are not authorized.                  
 +----------------------------------------------------------------------+

I wonder if Paramiko doesn't like it if that message happens before the SSH login, but is fine with it if it occurs after the SSH login.

Definitely speculation on my part.

It would be an interesting test to perform (i.e. completely remove the banner as a test and see what happens).

rbeumer commented 6 years ago

I disabled the login banner for testing purposes, still the same error:

2018-08-09 08:14:15,223 DEBUG:starting thread (client mode): 0xfe44c3c8
2018-08-09 08:14:15,224 DEBUG:Local version/idstring: SSH-2.0-paramiko_2.4.1
2018-08-09 08:14:15,226 DEBUG:Remote version/idstring: SSH-2.0-Cisco-1.25
2018-08-09 08:14:15,226 INFO:Connected (version 2.0, client Cisco-1.25)
2018-08-09 08:14:15,228 DEBUG:kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc'] server encrypt:['aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc'] client mac:['hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] server mac:['hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
2018-08-09 08:14:15,228 DEBUG:Kex agreed: diffie-hellman-group-exchange-sha1
2018-08-09 08:14:15,228 DEBUG:HostKey agreed: ssh-rsa
2018-08-09 08:14:15,228 DEBUG:Cipher agreed: aes128-cbc
2018-08-09 08:14:15,228 DEBUG:MAC agreed: hmac-sha1
2018-08-09 08:14:15,228 DEBUG:Compression agreed: none
2018-08-09 08:14:15,231 DEBUG:Got server p (2048 bits)
2018-08-09 08:14:15,820 DEBUG:kex engine KexGex specified hash_algo <built-in function openssl_sha1>
2018-08-09 08:14:15,821 DEBUG:Switch to new keys ...
2018-08-09 08:14:15,822 DEBUG:Adding ssh-rsa host key for [redacted-ip]: b'49ad87fe4d118f6ae351c300d9532fe7'
2018-08-09 08:14:16,025 DEBUG:userauth is OK
2018-08-09 08:14:16,033 ERROR:Exception: Illegal info request from server
2018-08-09 08:14:16,035 ERROR:Traceback (most recent call last):
2018-08-09 08:14:16,035 ERROR:  File "/usr/lib/python3.6/site-packages/paramiko/transport.py", line 1949, in run
2018-08-09 08:14:16,036 ERROR:    handler(self.auth_handler, m)
2018-08-09 08:14:16,036 ERROR:  File "/usr/lib/python3.6/site-packages/paramiko/auth_handler.py", line 622, in _parse_userauth_info_request
2018-08-09 08:14:16,036 ERROR:    raise SSHException('Illegal info request from server')
2018-08-09 08:14:16,036 ERROR:paramiko.ssh_exception.SSHException: Illegal info request from server
2018-08-09 08:14:16,036 ERROR:
Traceback (most recent call last):
 File "./main.py", line 73, in <module>
   main()
 File "./main.py", line 69, in main
   get_trunk_vlans(node_dict)
 File "./main.py", line 53, in get_trunk_vlans
   s = netmiko.getsshoverpasswd(locations[location]['ipv4'], ssh.ssh_user, passwd, "cisco_xe")
 File "/home/[username]/git/sg-tools/common/netmiko.py", line 13, in getsshoverpasswd
   ssh = ConnectHandler(**node)
 File "/usr/lib/python3.6/site-packages/netmiko/ssh_dispatcher.py", line 178, in ConnectHandler
   return ConnectionClass(*args, **kwargs)
 File "/usr/lib/python3.6/site-packages/netmiko/base_connection.py", line 207, in __init__
   self.establish_connection()
 File "/usr/lib/python3.6/site-packages/netmiko/base_connection.py", line 689, in establish_connection
   self.remote_conn_pre.connect(**ssh_connect_params)
 File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 424, in connect
   passphrase,
 File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 714, in _auth
   raise saved_exception
 File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 701, in _auth
   self._transport.auth_password(username, password)
 File "/usr/lib/python3.6/site-packages/paramiko/transport.py", line 1381, in auth_password
   return self.auth_handler.wait_for_response(my_event)
 File "/usr/lib/python3.6/site-packages/paramiko/auth_handler.py", line 212, in wait_for_response
   raise e
 File "/usr/lib/python3.6/site-packages/paramiko/transport.py", line 1949, in run
   handler(self.auth_handler, m)
 File "/usr/lib/python3.6/site-packages/paramiko/auth_handler.py", line 622, in _parse_userauth_info_request
   raise SSHException('Illegal info request from server')
paramiko.ssh_exception.SSHException: Illegal info request from server

rbeumer commented 6 years ago

Does a debug log help? The only thing I can think of is that the ciphers are outdated:

$ ssh [redacted ip] -l [redacted username] -oCiphers=aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -vvv
OpenSSH_7.7p1, OpenSSL 1.0.2o  27 Mar 2018
debug2: resolve_canonicalize: hostname [redacted ip] is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to [redacted ip] [[redacted ip]] port 22.
debug1: Connection established.
debug1: identity file /home/[redacted username]/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/[redacted username]/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to [redacted ip]:22 as '[redacted username]'
debug3: hostkeys_foreach: reading file "/home/[redacted username]/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<4096<8192) sent
debug3: receive packet: type 31
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 2044/4096
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug3: receive packet: type 33
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:Wa5AgpKK4SBtz/Ydw0C2QJ4Oak6iOyfJAw+sMDWr2Js
debug3: hostkeys_foreach: reading file "/home/[redacted username]/.ssh/known_hosts"
The authenticity of host '[redacted ip] ([redacted ip])' can't be established.
RSA key fingerprint is SHA256:Wa5AgpKK4SBtz/Ydw0C2QJ4Oak6iOyfJAw+sMDWr2Js.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[redacted ip]' (RSA) to the list of known hosts.
debug2: bits set: 2057/4096
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /home/[redacted username]/.ssh/id_rsa (0x600061820)
debug2: key: /home/[redacted username]/.ssh/id_dsa (0x0)
debug2: key: /home/[redacted username]/.ssh/id_ecdsa (0x0)
debug2: key: /home/[redacted username]/.ssh/id_ed25519 (0x0)
debug2: key: /home/[redacted username]/.ssh/id_xmss (0x0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner

+----------------------------------------------------------------------+
|                                                                      |
|         You are entering a restricted area.                          |
|                                                                      |
|    Do not try to login if you are not authorized.                    |
|                                                                      |
+----------------------------------------------------------------------+
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug3: start over, passed a different list publickey,keyboard-interactive,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:JUxJd04DhFtpvuERT29L5wHZIVlD7kWBGEWchWMGlWM /home/[redacted username]/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Trying private key: /home/[redacted username]/.ssh/id_dsa
debug3: no such identity: /home/[redacted username]/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/[redacted username]/.ssh/id_ecdsa
debug3: no such identity: /home/[redacted username]/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/[redacted username]/.ssh/id_ed25519
debug3: no such identity: /home/[redacted username]/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/[redacted username]/.ssh/id_xmss
debug3: no such identity: /home/[redacted username]/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
TACACS-Password>
debug3: send packet: type 61
debug3: receive packet: type 52
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to [redacted ip] ([[redacted ip]]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 8192 rmax 4096
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
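
The two logs in this thread record different authentication methods: the OpenSSH session succeeds through keyboard-interactive, while the Paramiko traceback shows `auth_password` being called. The following is an added example (not code from this thread, Netmiko or Paramiko) that pulls those facts out of excerpts of each log so they can be compared; the function names and the `PARAMIKO_CALLS` mapping are hypothetical and written for this example.

```python
import re

# Constructed samples: lines excerpted from the two logs posted in this thread.
OPENSSH_LOG = """\
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
debug3: receive packet: type 60
debug2: input_userauth_info_req: num_prompts 1
debug3: receive packet: type 52
debug1: Authentication succeeded (keyboard-interactive).
"""
PARAMIKO_LOG = """\
2018-08-09 08:14:16,025 DEBUG:userauth is OK
2018-08-09 08:14:16,033 ERROR:Exception: Illegal info request from server
  File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 701, in _auth
    self._transport.auth_password(username, password)
  File "/usr/lib/python3.6/site-packages/paramiko/auth_handler.py", line 622, in _parse_userauth_info_request
"""

# Paramiko Transport.auth_* call -> SSH method name (mapping written for this example).
PARAMIKO_CALLS = {"password": "password", "publickey": "publickey",
                  "interactive": "keyboard-interactive"}


def openssh_auth(log):
    """Summarise the userauth phase of an `ssh -vvv` log."""
    out = {"offered": [], "tried": [], "prompts": 0, "succeeded": None}
    for line in log.splitlines():
        if m := re.search(r"Authentications that can continue: (\S+)", line):
            out["offered"] = m.group(1).split(",")
        elif m := re.search(r"Next authentication method: (\S+)", line):
            out["tried"].append(m.group(1))
        elif m := re.search(r"input_userauth_info_req: num_prompts (\d+)", line):
            out["prompts"] += int(m.group(1))
        elif m := re.search(r"Authentication succeeded \(([\w-]+)\)", line):
            out["succeeded"] = m.group(1)
    return out


def paramiko_auth(log):
    """Find which Transport.auth_* call failed and with what exception text."""
    call = re.search(r"_transport\.auth_(\w+)\(", log)
    exc = re.search(r"ERROR:Exception: (.+)", log)
    return {"method": PARAMIKO_CALLS.get(call.group(1)) if call else None,
            "error": exc.group(1).strip() if exc else None}


def compare(openssh_log, paramiko_log):
    """Report whether the scripted client used the method that worked interactively."""
    ssh, pm = openssh_auth(openssh_log), paramiko_auth(paramiko_log)
    return {"worked_with_openssh": ssh["succeeded"], "paramiko_tried": pm["method"],
            "server_offers_paramiko_method": pm["method"] in ssh["offered"],
            "same_method": ssh["succeeded"] == pm["method"], "error": pm["error"]}


if __name__ == "__main__":
    print(compare(OPENSSH_LOG, PARAMIKO_LOG))
```
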

ktbyers commented 6 years ago

@rbeumer Which version of Paramiko do you have installed? I want to look at their source code, and knowing this will make it easier for me to use the stack trace.

Kirk

rbeumer commented 6 years ago

@ktbyers paramiko version 2.4.1

rbeumer commented 6 years ago

@ktbyers any luck?

ktbyers commented 6 years ago

I will have to look at it more. This is an error that happens with Cisco IOS in certain contexts, but I will have to dig into it more. From past experience, it is probably going to be hard to solve.

Especially since I can't reproduce the problem.

carlmontanari commented 5 years ago

Curious if this is still a problem/reproducible on Paramiko 2.4.2 and netmiko 2.3.3? Going to close as this is pretty old, but please re-open and let us know if it's still happening on the newer versions. Not sure there will be a ton to do since it will be hard to figure out w/out being able to reproduce, but at least we'll all know :)