Failed SSH Key Based Authentication for older Junos Versions #594

Closed
leonkramer opened this issue Oct 5, 2022 · 2 comments

leonkramer commented Oct 5, 2022

Issue Type

  • Bug Report

Module Name

  • paramiko
% pip3 freeze
bcrypt==4.0.0
cffi==1.15.1
cryptography==38.0.1
Jinja2==3.1.2
junos-eznc==2.6.5
jxmlease==1.0.3
lxml==4.9.1
MarkupSafe==2.1.1
ncclient==0.6.13
netaddr==0.8.0
paramiko==2.11.0
pycparser==2.21
PyNaCl==1.5.0
pyparsing==3.0.9
pyserial==3.5
PyYAML==6.0
scp==0.14.4
six==1.16.0
transitions==0.9.0
xmltodict==0.13.0
yamlordereddictloader==0.4.0
ansible [core 2.13.4]
  config file = None
  configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
  jinja version = 3.1.2
  libyaml = True

OS / Environment

Juniper EX3300 @ 15.1R7-S7.1

Summary

Ansible SSH connection fails with Authentication Error, even though normal SSH connection in terminal works flawlessly.

Steps to reproduce

Install paramiko with version >= 2.9 and run ansible playbook on older Junos versions

Expected results

SSH connection should work

Actual results

ansible-playbook [core 2.13.4]
  config file = /Users/user/Ansible/network/ansible.cfg
  configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible-playbook
  python version = 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
  jinja version = 3.1.2
  libyaml = True
Using /Users/user/Ansible/network/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
script declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
auto declined parsing /Users/user/Ansible/network/inventory/hosts as it did not pass its verify_file() method
Set default localhost to localhost
Not replacing invalid character(s) "{'-'}" in group name (acc-fra3)
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
Not replacing invalid character(s) "{'-'}" in group name (acc-fra3)
Parsed /Users/user/Ansible/network/inventory/hosts inventory source with ini plugin
Loading collection juniper.device from /Users/user/.ansible/collections/ansible_collections/juniper/device
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading collection community.general from /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible_collections/community/general
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading callback plugin community.general.yaml of type stdout, v2.0 from /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible_collections/community/general/plugins/callback/yaml.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: junos-build-conf-system-login.yml **********************************************************************************************************************************************************************************************************************************
Positional arguments: playbooks/py3/junos-build-conf-system-login.yml
verbosity: 4
remote_user: user
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
check: True
diff: True
inventory: ('/Users/user/Ansible/network/inventory',)
subset: sw1*
forks: 5
1 plays in playbooks/py3/junos-build-conf-system-login.yml

PLAY [Build FC specific configuration for user accounts] *********************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [Apply configuration] ***************************************************************************************************************************************************************************************************************************************************
task path: /Users/user/Ansible/network/playbooks/py3/junos-build-conf-system-login.yml:22
<sw1.fra1.de.xxx> ESTABLISH LOCAL CONNECTION FOR USER: user
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'echo ~user && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/user/.ansible/tmp `"&& mkdir "` echo /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414 `" && echo ansible-tmp-1664956830.1051679-45538-253611735395414="` echo /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414 `" ) && sleep 0'
<sw1.fra1.de.xxx> Attempting python interpreter discovery
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'python3.10'"'"'; command -v '"'"'python3.9'"'"'; command -v '"'"'python3.8'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<sw1.fra1.de.xxx> Python interpreter discovery fallback (unsupported platform for extended discovery: darwin)
Using module file /Users/user/.ansible/collections/ansible_collections/juniper/device/plugins/modules/config.py
<sw1.fra1.de.xxx> PUT /Users/user/.ansible/tmp/ansible-local-455359e1aisdu/tmpnsgab33_ TO /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'chmod u+x /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/ /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c '/opt/homebrew/bin/python3.10 /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/AnsiballZ_config.py && sleep 0'
<sw1.fra1.de.xxx> EXEC /bin/sh -c 'rm -f -r /Users/user/.ansible/tmp/ansible-tmp-1664956830.1051679-45538-253611735395414/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/var/folders/cc/4gpk7x9d63l2z0lzy_j6g9m80000gn/T/ansible_config_payload_83lieeua/ansible_config_payload.zip/ansible_collections/juniper/device/plugins/module_utils/juniper_junos_common.py", line 1077, in open
    self.dev.open()
  File "/opt/homebrew/lib/python3.10/site-packages/jnpr/junos/device.py", line 1382, in open
    raise EzErrors.ConnectAuthError(self)
[WARNING]: Platform darwin on host sw1.fra1.de.xxx is using the discovered Python interpreter at /opt/homebrew/bin/python3.10, but future installation of another Python interpreter could change the meaning of that path. See
https://docs.ansible.com/ansible-core/2.13/reference_appendices/interpreter_discovery.html for more information.
fatal: [sw1.fra1.de.xxx]: FAILED! => changed=false
  ansible_facts:
    discovered_interpreter_python: /opt/homebrew/bin/python3.10
  invocation:
    module_args:
      attempts: null
      baud: null
      check: null
      check_commit_wait: null
      comment: 'Ansible: Update Users'
      commit: null
      commit_empty_changes: false
      config_mode: exclusive
      confirmed: null
      console: null
      cs_passwd: null
      cs_user: null
      dest: null
      dest_dir: null
      diff: null
      diffs_file: null
      filter: null
      format: text
      host: sw1.fra1.de.xxx
      ignore_warning:
      - 'True'
      level: null
      lines: null
      load: replace
      logdir: null
      logfile: null
      mode: null
      model: null
      namespace: null
      options: {}
      passwd: null
      port: 830
      remove_ns: null
      retrieve: null
      return_output: true
      rollback: null
      src: /Users/user/Ansible/network/tmp/junos-system-login.conf
      ssh_config: null
      ssh_private_key_file: null
      template: null
      timeout: 180
      url: null
      user: user
      vars: null
  msg: 'Unable to make a PyEZ connection: ConnectAuthError(sw1.fra1.de.xxx)'

Switch Message Log:

Oct  5 09:44:49  sw1.fra1.xxx sshd[19734]: userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 [preauth]

More Info

The issue is related to paramiko and discussed at paramiko/paramiko#1961. Apparently paramiko chooses a preferred algorithm if it does not receive a "server-sig-algs" from the server. That preferred algorithm is rsa-sha2-512 which is not supported by older Junos versions.
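
The selection behaviour described under More Info, as an added example that is not part of the original issue and is not paramiko's code. It is a simplified model; the function names, the RSA preference order after rsa-sha2-512, and the sample server capability sets are assumptions.

```python
# Simplified model of the client-side choice described in this issue.
# It is NOT paramiko's code; names and the preference order are assumptions.

# Assumed client preference for an RSA key, strongest hash first.
RSA_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")


def pick_rsa_sig_algorithm(server_sig_algs=None, disabled=()):
    """Return the signature algorithm the modelled client offers for an RSA key.

    server_sig_algs: list from the server's "server-sig-algs" extension, or
                     None when the server never sent it (older sshd builds).
    disabled:        algorithms the operator has switched off on the client.
    """
    candidates = [a for a in RSA_PREFERENCE if a not in disabled]
    if not candidates:
        raise ValueError("every RSA signature algorithm is disabled")
    if server_sig_algs is None:
        # No hint from the server: fall back to the client's first preference.
        return candidates[0]
    common = [a for a in candidates if a in server_sig_algs]
    if not common:
        raise ValueError("no RSA signature algorithm in common with server")
    return common[0]


def server_accepts(algorithm, server_supported):
    """Model of sshd's userauth_pubkey check: unknown algorithms are refused."""
    return algorithm in server_supported


def simulate(server_supported, advertises_sig_algs, disabled=()):
    """Return (algorithm offered, whether the server would accept it)."""
    hint = list(server_supported) if advertises_sig_algs else None
    algo = pick_rsa_sig_algorithm(hint, disabled)
    return algo, server_accepts(algo, server_supported)


if __name__ == "__main__":
    legacy = {"ssh-rsa"}  # constructed: old sshd, SHA-1 RSA signatures only
    modern = {"rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"}
    print(simulate(legacy, advertises_sig_algs=False))
    print(simulate(legacy, False, disabled=("rsa-sha2-512", "rsa-sha2-256")))
    print(simulate(modern, advertises_sig_algs=True))
```

In paramiko 2.9 and later the corresponding client-side switch is the `disabled_algorithms` argument, for example `{"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]}`. Because this falls back to SHA-1 based `ssh-rsa` signatures, scope it to the legacy devices rather than applying it globally.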

@dineshbaburam91
Collaborator

In the case of Junos legacy support device, kindly use paramiko 1.15.2 version.

@chidanandpujar
Collaborator

Hi @leonkramer
Thanks,
Please try the suggested option by Dinesh.
In the case of Junos legacy support device, kindly use paramiko 1.15.2 version.

Thanks
