Do not provide the key if it comes from the SSH configuration #648
Conversation
This is a followup of Juniper#628 where this change was initially pushed but reverted because I didn't remember why I did it. Before Juniper#628, when an identity is provided in the SSH configuration, it was not copied in `_conf_ssh_private_key_file` due to a bug. After fixing the bug in Juniper#628, the key is now copied. However, the SSH configuration is provided to the `connect()` method which will use it if needed. Therefore, this is not needed. Moreover, if the key is provided by an agent and/or encrypted, this won't work as, later in the code, `allow_agent` will be set to `False` due to the presence of a private key.
The `allow_agent` setting was used with NC but not with SCP. Store it in the device and reuse it for SCP. The private key was stored in a dictionnary, but this is not needed as Paramiko's `connect()` would default to `None` when not provided. Grab the SSH key filename from SSH configuration as Paramiko won't do it for us. For this reason, this commit is a followup to the one in Juniper#648.
|
An alternative solution would be to enable the user to say if they want to use the agent or not. IMO, we should always use the agent: |
|
Autobot: Would an admin like to run functional tests? |
|
Autobot: Would an admin like to run functional tests? |
|
ok to test. |
| @@ -218,7 +218,6 @@ def _sshconf_lkup(self): | |||
| self._hostname = found.get('hostname', self._hostname) | |||
| self._port = found.get('port', self._port) | |||
| self._conf_auth_user = found.get('user') | |||
| self._conf_ssh_private_key_file = found.get('identityfile') | |||
There was a problem hiding this comment.
Not sure why is this lined removed.
So if I have entered my private ssh file as identityfile in my ssh cofig. witout this line those private key file will be ignored and its like everytime user need to pass with ssh_private_key_file parameter.
In case of multiple device usage with different private file for different device. identityfile is of much use.
There was a problem hiding this comment.
The information is still present in the SSH configuration that is provided to ncclient. So, your use case still work.
The line is removed because when _conf_ssh_private_key_file is defined, it disables the SSH agent (which is quite surprising as no other SSH client does that). So, if the key is stored in the agent, that doesn't work.
|
Can one of the admins verify this patch? |
|
Is it something to do for this PR to be merged? People using an agent to store their SSH keys cannot use junos-eznc without this patch as agent is bypassed when providing a key directly to junos-eznc or through |
|
ok to test |
|
Build triggered. sha1 is merged. |
|
Build started sha1 is merged. |
|
Build finished. 730 tests run, 0 skipped, 0 failed. |
|
Build finished. |
|
Sorry for the delay @vincentbernat I need to test this change before I can merge. I will do it next week. |
|
Ping? This has been biting me for the past three years :) |
|
Hi @paravoid, Can you explain the scenario of your test. In my test environment, I dont see any issue. allow_agent is set to |
|
Sure! Selecting a SSH key file is orthogonal to using an agent (an agent may have multiple keys installed, and a user may want to pick different ones for different hosts). In my case, I have an .ssh/config that looks a little bit like this: …and this works as intended with OpenSSH. I actually have a much more complicated config with statements such as UserKnownHostsFile, IdentitiesOnly, ProxyJump etc., but this is just a simplified PoC of the bug in question. The code right now does this: …with It really feels odd to me that py-junos-eznc has logic around SSH config options and their combinations. It doesn't feel like like an SSH configuration logic belongs in a Juniper-specific module at all. More broadly, it looks like in the NAPALM->py-junos-eznc->ncclient->paramiko chain… there is some logic around SSH private key files, passwords and/or agent use in each of those modules :( This makes things very complicated to handle corner cases, debug or add new features for (e.g. ProxyJump)… |
|
This bug is still biting me 2 years later. Again, the root cause of all this pain is the ability to disable querying local agent. This is not an option the regular |
|
Sorry @vincentbernat for late response, we will update you about this by EOD today with the code changes we plan. You can go through the plan. If all good, will take it forward. |
|
@vincentbernat We will be going with A more detailed view of the changes. Option
Any comments/inputs on the logic ?? |
|
@vincentbernat @paravoid The functionality will be merged via #920. Can you please review the changes, and let us know if you have any additional requirements ?? |
|
#1284 is another go at resolving this. With |
The current logic around the SSH agent is flawed and tentatives to fix it to cover more cases only leads to more complexity. As seen in Juniper#648, to this day, nobody really knows why we disable the agent. In the meantime, many valid use cases just don't work because of disabling the agent, including the good practice to use encrypted private key files. I think it is time to bite the bullet and just leave the agent always on: "ssh" from OpenSSH does not have an option to disable the agent and nobody complains about this.
|
I wanted to get consensus here before opening yet another pull request, but after years, still no consensus. Nobody was able to explain why we try to disable the agent, something that is not possible with "ssh" from OpenSSH. I think the best way forward is to mimic this and always leave the agent enabled. Nobody ever demonstrated this would break their workflow. Adding more options and workarounds will just makes the code more complex and brittle. I have opened #1285 to remove the logic around disabling the agent and it should be favored over of the current PR. |
This is a followup of #628 where this change was initially pushed but
reverted because I didn't remember why I did it. Before #628, when an
identity is provided in the SSH configuration, it was not copied in
_conf_ssh_private_key_filedue to a bug. After fixing the bug in #628,the key is now copied.
However, the SSH configuration is provided to the
connect()methodwhich will use it if needed. Therefore, this is not needed. Moreover, if
the key is provided by an agent and/or encrypted, this won't work as,
later in the code,
allow_agentwill be set toFalsedue to thepresence of a private key.