Ansible SSH connection fails with Authentication Error, even though normal SSH connection in terminal works flawlessly.
Steps to reproduce
Install paramiko with version >= 2.9 and run ansible playbook on older Junos versions
Expected results
SSH connection should work
Actual results
ansible-playbook [core 2.13.4]
config file = /Users/user/Ansible/network/ansible.cfg
configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible-playbook
python version = 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
jinja version = 3.1.2
libyaml = True
Using /Users/user/Ansible/network/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
script declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
auto declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
Set default localhost to localhost
Not replacing invalid character(s) "{'-'}" in group name (acc-fra3)
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
Not replacing invalid character(s) "{'-'}" in group name (acc-fra3)
Parsed /Users/user/Ansible/network/inventory/hosts inventory source with ini plugin
Loading collection juniper.device from /Users/user/.ansible/collections/ansible_collections/juniper/device
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading collection community.general from /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible_collections/community/general
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading callback plugin community.general.yaml of type stdout, v2.0 from /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible_collections/community/general/plugins/callback/yaml.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: junos-build-conf-system-login.yml **********************************************************************************************************************************************************************************************************************************
Positional arguments: playbooks/py3/junos-build-conf-system-login.yml
verbosity: 4
remote_user: user
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
check: True
diff: True
inventory: ('/Users/user/Ansible/network/inventory',)
subset: sw1*
forks: 5
1 plays in playbooks/py3/junos-build-conf-system-login.yml
PLAY [Build FC specific configuration for user accounts] *********************************************************************************************************************************************************************************************************************
META: ran handlers
TASK [Apply configuration] ***************************************************************************************************************************************************************************************************************************************************
task path: /Users/user/Ansible/network/playbooks/py3/junos-build-conf-system-login.yml:22
<sw1.fra1.de.xxx> ESTABLISH LOCAL CONNECTION FOR USER: user
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'echo ~user && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/user/.ansible/tmp `"&& mkdir "` echo /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414 `" && echo ansible-tmp-1664956830.1051679-45538-253611735395414="` echo /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414 `" ) && sleep 0'
<sw1.fra1.de.xxx> Attempting python interpreter discovery
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'python3.10'"'"'; command -v '"'"'python3.9'"'"'; command -v '"'"'python3.8'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<sw1.fra1.de.xxx> Python interpreter discovery fallback (unsupported platform for extended discovery: darwin)
Using module file /Users/user/.ansible/collections/ansible_collections/juniper/device/plugins/modules/config.py
<sw1.fra1.de.xxx> PUT /Users/user/.ansible/tmp/ansible-local-455359e1aisdu/tmpnsgab33_ TO /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'chmod u+x /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/ /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c '/opt/homebrew/bin/python3.10 /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'rm -f -r /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
File "/var/folders/cc/4gpk7x9d63l2z0lzy_j6g9m80000gn/T/ansible_config_payload_83lieeua/ansible_config_payload.zip/ansible_collections/juniper/device/plugins/module_utils/juniper_junos_common.py", line 1077, in open
self.dev.open()
File "/opt/homebrew/lib/python3.10/site-packages/jnpr/junos/device.py", line 1382, in open
raise EzErrors.ConnectAuthError(self)
[WARNING]: Platform darwin on host sw1.fra1.de.xxx is using the discovered Python interpreter at /opt/homebrew/bin/python3.10, but future installation of another Python interpreter could change the meaning of that path. See
https://docs.ansible.com/ansible-core/2.13/reference_appendices/interpreter_discovery.html for more information.
fatal: [sw1.fra1.de.xxx]: FAILED! => changed=false
ansible_facts:
discovered_interpreter_python: /opt/homebrew/bin/python3.10
invocation:
module_args:
attempts: null
baud: null
check: null
check_commit_wait: null
comment: 'Ansible: Update Users'
commit: null
commit_empty_changes: false
config_mode: exclusive
confirmed: null
console: null
cs_passwd: null
cs_user: null
dest: null
dest_dir: null
diff: null
diffs_file: null
filter: null
format: text
host: sw1.fra1.de.xxx
ignore_warning:
- 'True'
level: null
lines: null
load: replace
logdir: null
logfile: null
mode: null
model: null
namespace: null
options: {}
passwd: null
port: 830
remove_ns: null
retrieve: null
return_output: true
rollback: null
src: /Users/user/Ansible/network/tmp/junos-system-login.conf
ssh_config: null
ssh_private_key_file: null
template: null
timeout: 180
url: null
user: user
vars: null
msg: 'Unable to make a PyEZ connection: ConnectAuthError(sw1.fra1.de.xxx)'
Switch Message Log:
Oct 5 09:44:49 sw1.fra1.xxx sshd[19734]: userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 [preauth]
More Info
The issue is related to paramiko and discussed at paramiko/paramiko#1961. Apparently paramiko chooses a preferred algorithm if it does not receive a "server-sig-algs" from the server. That preferred algorithm is rsa-sha2-512 which is not supported by older Junos versions.
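An added example, not part of the original report and not paramiko's own code: a simplified model of the signature-algorithm choice described above, plus a scan of sshd log lines for the rejection message shown in the switch log. The function names, the client preference order and the sample log lines are assumptions made for illustration.

```python
import re

# Assumed client preference order for RSA keys (SHA-2 variants first, SHA-1 last).
CLIENT_RSA_PREFS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]

def pick_sig_alg(server_sig_algs=None, disabled=()):
    """Simplified model of the selection described in the issue.

    server_sig_algs: list from the server's "server-sig-algs" extension,
    or None when the server never sent it (older SSH daemons).
    disabled: algorithms the client has been told not to offer.
    """
    prefs = [a for a in CLIENT_RSA_PREFS if a not in disabled]
    if server_sig_algs is None:
        # No hint from the server: the client falls back to its own first choice.
        return prefs[0] if prefs else None
    return next((a for a in prefs if a in server_sig_algs), None)

def auth_succeeds(server_supported, server_sig_algs=None, disabled=()):
    """True if the algorithm the client picks is one the server can verify."""
    return pick_sig_alg(server_sig_algs, disabled) in server_supported

REJECT_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"userauth_pubkey: unsupported public key algorithm: (?P<alg>\S+)"
)

def hosts_rejecting_sha2(log_lines):
    """Map host -> set of rsa-sha2-* algorithms its sshd refused."""
    hits = {}
    for line in log_lines:
        m = REJECT_RE.match(line)
        if m and m["alg"].startswith("rsa-sha2-"):
            hits.setdefault(m["host"], set()).add(m["alg"])
    return hits

# Constructed sample lines in the format of the switch log above.
SAMPLE_LOG = [
    "Oct  5 09:44:49 sw-old.example sshd[19734]: userauth_pubkey: "
    "unsupported public key algorithm: rsa-sha2-512 [preauth]",
    "Oct  5 09:45:02 sw-new.example sshd[20011]: Accepted publickey for user",
]

if __name__ == "__main__":
    legacy = ["ssh-rsa"]  # server that verifies only SHA-1 RSA signatures
    print(pick_sig_alg(None), auth_succeeds(legacy))
    sha2_off = ("rsa-sha2-512", "rsa-sha2-256")
    print(pick_sig_alg(None, sha2_off), auth_succeeds(legacy, None, sha2_off))
    print(hosts_rejecting_sha2(SAMPLE_LOG))
```

Turning off the rsa-sha2-* algorithms makes the client sign with ssh-rsa, which uses SHA-1, so the workaround is best limited to the hosts such a scan flags rather than applied to every device.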
Issue Type
Module Name
OS / Environment
Juniper EX3300 @ 15.1R7-S7.1