napalm-automation / napalm

Network Automation and Programmability Abstraction Layer with Multivendor support
Apache License 2.0

IOSXR_NETCONF: Certain SSH arguments not supported #1394

Open ghost opened 3 years ago

ghost commented 3 years ago

IOSXR_NETCONF SSHException, optional args do not work

When connecting via iosxr_netconf I get an exception:

napalm.base.exceptions.ConnectionException: SSHException('No existing session')

I can get it to work by modifying iosxr_netconf.py to force it to use the optional args:

                hostkey_verify=False,
                look_for_keys=False, 
                allow_agent=False,

But iosxr_netconf doesn't use those optional args if you attempt to supply them using

--optional_args 'hostkey_verify=False, look_for_keys=False, allow_agent=False'

Also doesn't work if you use them via optional args in the driver init.

Did you follow the steps from https://github.com/napalm-automation/napalm#faq

(Place an x between the square brackets where applicable)

Setup

napalm version

(Paste verbatim output from pip freeze | grep napalm between quotes below)

-e git+https://github.com/napalm-automation/napalm.git@be82be0651a0a3cef7388f9b0af0205e9f1f8d10#egg=napalm

Network operating system version

(Paste verbatim output from show version - or equivalent - between quotes below)

Cisco IOS XR Software, Version 6.5.3[Default]

cisco ASR9K Series (P4040) processor with 8388608K bytes of memory.
P4040 processor at 1500MHz, Revision 2.0
ASR-9001 Chassis

Steps to Reproduce the Issue

napalm --vendor iosxr_netconf --user $user --password $pw $host call get_facts

Error Traceback

(Paste the complete traceback of the exception between quotes below)

================= Traceback =================

Traceback (most recent call last):
  File "/Users/gagne/dev/napalm/napalm/napalm/iosxr_netconf/iosxr_netconf.py", line 84, in open
    self.device = manager.connect(
  File "/Users/gagne/.pyenv/versions/3.8.7/lib/python3.8/site-packages/ncclient/manager.py", line 168, in connect
    return connect_ssh(*args, **kwds)
  File "/Users/gagne/.pyenv/versions/3.8.7/lib/python3.8/site-packages/ncclient/manager.py", line 135, in connect_ssh
    session.connect(*args, **kwds)
  File "/Users/gagne/.pyenv/versions/3.8.7/lib/python3.8/site-packages/ncclient/transport/ssh.py", line 362, in connect
    self._auth(username, password, key_filenames, allow_agent, look_for_keys)
  File "/Users/gagne/.pyenv/versions/3.8.7/lib/python3.8/site-packages/ncclient/transport/ssh.py", line 464, in _auth
    raise AuthenticationError(repr(saved_exception))
ncclient.transport.errors.AuthenticationError: SSHException('No existing session')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/gagne/.pyenv/versions/3.8.7/bin/napalm", line 33, in <module>
    sys.exit(load_entry_point('napalm', 'console_scripts', 'napalm')())
  File "/Users/gagne/dev/napalm/napalm/napalm/base/clitools/cl_napalm.py", line 308, in main
    run_tests(args)
  File "/Users/gagne/dev/napalm/napalm/napalm/base/clitools/cl_napalm.py", line 283, in run_tests
    call_open_device(device)
  File "/Users/gagne/dev/napalm/napalm/napalm/base/clitools/cl_napalm.py", line 27, in wrapper
    r = func(*args, **kwargs)
  File "/Users/gagne/dev/napalm/napalm/napalm/base/clitools/cl_napalm.py", line 207, in call_open_device
    return device.open()
  File "/Users/gagne/dev/napalm/napalm/napalm/iosxr_netconf/iosxr_netconf.py", line 98, in open
    raise ConnectionException(conn_err.args[0])
napalm.base.exceptions.ConnectionException: SSHException('No existing session')

ktbyers commented 3 years ago

FYI @neelimapp

ghost commented 3 years ago

Also if anyone knows why these ssh args were even required, and if there's something I can do to not require them, I would be interested.

ktbyers commented 3 years ago

@d-gagne allow_agent should probably default to False.

The other two are better security i.e. you potentially shouldn't blindly trust SSH host keys.

ghost commented 3 years ago

How do I explicitly trust the SSH host keys?

ktbyers commented 3 years ago

You securely put the "known SSH hosts" in a file and you tell your SSH library that the hosts whose identities are specified in that file are trusted.
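The "known SSH hosts" check described in the comment above, as an added standard-library sketch that is not part of the original thread and is not NAPALM or ncclient code. It follows the OpenSSH known_hosts format, where a host on a non-default port such as NETCONF's 830 is stored as `[host]:port`. The function names, the key bytes and the host `xr-lab.example` are constructed for illustration; wildcard or negated patterns and `@` marker lines are not handled.

```python
import base64, hashlib, hmac

def host_token(host, port):
    # OpenSSH stores port 22 as the bare host and any other port as "[host]:port".
    return host if port == 22 else f"[{host}]:{port}"

def hashed_pattern(token, salt):
    # Hashed entry form written by `ssh-keygen -H`: |1|base64(salt)|base64(HMAC-SHA1)
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def pattern_matches(pattern, token):
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == token

def check_host_key(known_hosts_text, host, port, key_type, key_blob):
    """Return 'trusted', 'mismatch' or 'unknown' for the key the server presented."""
    token = host_token(host, port)
    seen_host = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":   # blank, comment or marker line
            continue
        patterns, ktype, blob_b64 = fields[:3]
        if ktype != key_type or not any(pattern_matches(p, token) for p in patterns.split(",")):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(blob_b64), key_blob):
            return "trusted"
    # A known host presenting a different key is the case that must never be auto-accepted.
    return "mismatch" if seen_host else "unknown"

def fingerprint(key_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints, for out-of-band comparison."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

# Constructed sample data: structurally an ssh-ed25519 blob, not a real device key.
KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
KEY_B64 = base64.b64encode(KEY).decode()
KNOWN_HOSTS = (
    f"[xr.device.com]:830 ssh-ed25519 {KEY_B64}\n"
    f"{hashed_pattern('[xr-lab.example]:830', b'constructed-salt-20b')} ssh-ed25519 {KEY_B64}\n"
)

if __name__ == "__main__":
    print(fingerprint(KEY))
    print(check_host_key(KNOWN_HOSTS, "xr.device.com", 830, "ssh-ed25519", KEY))
    print(check_host_key(KNOWN_HOSTS, "xr.device.com", 22, "ssh-ed25519", KEY))
```

An entry recorded while connecting to port 22 does not cover the same device on port 830, so the NETCONF port needs its own known_hosts line.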

Tree2w63 commented 3 years ago

I'm seeing this exact same message (authentication failure) when running from a script as well. I have noted the following, which may be a pointer to the base issue, though. Let me know if you need more info.

This works --> ssh -p 830 -s admin@xr.device.com netconf

This fails --> ssh -p 830 admin@xr.device.com netconf

The '-s' --> straight from the man page:

    -s  May be used to request invocation of a subsystem on the remote system. Subsystems facilitate the use of SSH as a secure transport for other applications (e.g. sftp(1)). The subsystem is specified as the remote command.

Above command error:

    Password:
    Received disconnect from xr.device.com port 830:11:
    Disconnected from xr.device.com port 830

Error from the script mirrors the above error. Salient point from it -->

    raise AuthenticationError(repr(saved_exception))
    ncclient.transport.errors.AuthenticationError: SSHException('No existing session',)

Device ver:

    Wed Jul 7 03:41:47.121 UTC
    Cisco IOS XR Software, Version 7.1.3
    Copyright (c) 2013-2020 by Cisco Systems, Inc.

    Build Information:
    Built By : gopalk2
    Built On : Thu Nov 26 10:51:48 PST 2020
    Built Host : iox-ucs-027
    Workspace : /auto/srcarchive17/prod/7.1.3/asr9k-x64/ws
    Version : 7.1.3
    Location : /opt/cisco/XR/packages/
    Label : 7.1.3

    cisco ASR9K () processor
    System uptime is 11 weeks 6 days 7 hours 22 minutes

pip freeze | grep napalm

    napalm==3.3.1

ktbyers commented 3 years ago

@Tree2w63 Your message/issue sounds unrelated to NAPALM's IOS-XR driver? What is the relevance of your post here?

Tree2w63 commented 3 years ago

Script fails at open

    from napalm import get_network_driver

    optional_args = {
        'allow_agent': True,
        #'config_encoding': 'xml',
        'config_encoding': 'cli',
        #'port': 830,
    }
    device = {
        "hostname": "xr.device.com",
        "username": "admin",
        "password": "password",
        "optional_args": optional_args,
    }

    driver = get_network_driver("iosxr_netconf")
    dev = driver(**device)
    dev.open()

Here is the complete output from above

]# bin/test_iosxr_netconf.py
SSHException('No existing session',)
Traceback (most recent call last):
  File "/opt/ConfigAuto/lib64/python3.6/site-packages/napalm/iosxr_netconf/iosxr_netconf.py", line 93, in open
    device_params={"name": "iosxr"},
  File "/opt/ConfigAuto/lib64/python3.6/site-packages/ncclient/manager.py", line 168, in connect
    return connect_ssh(*args, **kwds)
  File "/opt/ConfigAuto/lib64/python3.6/site-packages/ncclient/manager.py", line 135, in connect_ssh
    session.connect(*args, **kwds)
  File "/opt/ConfigAuto/lib64/python3.6/site-packages/ncclient/transport/ssh.py", line 362, in connect
    self._auth(username, password, key_filenames, allow_agent, look_for_keys)
  File "/opt/ConfigAuto/lib64/python3.6/site-packages/ncclient/transport/ssh.py", line 464, in _auth
    raise AuthenticationError(repr(saved_exception))
ncclient.transport.errors.AuthenticationError: SSHException('No existing session',)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "bin/test_iosxr_netconf.py", line 21, in <module>
    device.open()
  File "/opt/ConfigAuto/lib64/python3.6/site-packages/napalm/iosxr_netconf/iosxr_netconf.py", line 99, in open
    raise ConnectionException(conn_err.args[0])
napalm.base.exceptions.ConnectionException: SSHException('No existing session',)

ktbyers commented 3 years ago

You have to specify port 830. It looks like you are trying to connect on port 22?

Nevermind...it defaults to port 830 in the driver.

ktbyers commented 3 years ago

Is the remote host in SSH known hosts?

Does it work if you add: hostkey_verify=False, into the manager.connect() call here:

https://github.com/napalm-automation/napalm/blob/develop/napalm/iosxr_netconf/iosxr_netconf.py#L93

Tree2w63 commented 3 years ago

It was one of the optional args I tried, with no difference in the outcome.

ktbyers commented 3 years ago

optional_args won't work; you would have to modify the code at the location that I pointed to (or add the relevant entry in SSH known-hosts).

Actually, you might want to try the following three entries:

                hostkey_verify=False,
                look_for_keys=False, 
                allow_agent=False,

That would be interesting to know if it fixes your issue. Those items fixed the original issue that was reported by the original user.

Tree2w63 commented 3 years ago

No difference with the below, but using the same via ncclient manager works.

    from napalm import get_network_driver

    optional_args = {
        'allow_agent': False,
        'hostkey_verify': False,
        'look_for_keys': False,
    }
    device = {
        "hostname": "xr.device.com",
        "username": "admin",
        "password": "password",
        "optional_args": optional_args,
    }

    driver = get_network_driver("iosxr_netconf")
    device = driver(**device)
    device.open()

ktbyers commented 3 years ago

optional_args won't work...they aren't wired in. You have to edit the python code (if you want to test them).

You would have to edit them in here:

https://github.com/napalm-automation/napalm/blob/develop/napalm/iosxr_netconf/iosxr_netconf.py#L93

Tree2w63 commented 3 years ago

Thank you, I'll add it to my local copy. Going forward, is this a patch that will be done, or will I need to document / highlight this, etc., so that when I update, I remember to update this as well?

Tree2w63 commented 3 years ago

Just to confirm, that resolved it for me

ktbyers commented 3 years ago

Okay, thanks for letting us know...we should make some fixes to the IOS-XR driver to change some of these defaults and to allow some of these to be passed via optional_args.

OsirisS13 commented 2 years ago

I'm running into this as a blocker as well. Are there any updates on passing optional arguments? Patching the underlying driver isn't a solution, as we have multiple users running the code locally and it isn't feasible to patch on each environment.

ktbyers commented 2 years ago

@OsirisS13 Someone would need to implement a fix for this (so far no one has done it). It is probably pretty straight-forward to do.

OsirisS13 commented 2 years ago

@ktbyers I've submitted pull request #1535 to resolve this issue. As noted in the PR the solution bypasses the netmiko_helpers netmiko_args() function for this particular use case.

OsirisS13 commented 2 years ago

@ktbyers There's been no movement on the pull request I've submitted to resolve this issue. Is there something else I need to do to have it reviewed and merged? First time contributing to a project like this, so I'm not sure of the process.

ktbyers commented 2 years ago

No, it is just me. Let me see if I can do this in the next week.