paramiko.transport: EOF in transport thread

[abhinav0513]

Hi All,

I am trying to pull logs from a router and getting the EOF exception:
Python: 2.6
Paramiko: 1.7.5

Below is the code:

import paramiko
import os
import shutil
import datetime
import logging

paramiko.util.log_to_file("filename.log")
parser = open("hostsIp.txt",'r')
log = logging.getLogger("paramiko.transport").setLevel(1)
if "extractedData" in os.listdir("."):
shutil.rmtree("extractedData")

os.makedirs(".//extractedData")
for i in parser:
try:
print(i)
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.load_system_host_keys()
ssh.connect(i.strip(), username="condor1", password="condor08")
stdin, stdout, stderr = ssh.exec_command("term len 0")
stdin1, stdout1, stderr1 = ssh.exec_command("admin show platform")
stdin2, stdout2, stderr2 = ssh.exec_command("show redundancy")
stdin3, stdout3, stderr3 = ssh.exec_command("show variables boot")
except paramiko.SSHException as e:
print(e)
print("Unsuccessful Login"+i)
print(log)

Here are the logs:
DEB [20170120-13:43:02.584] thr=1 paramiko.transport: starting thread (client mode): 0xc5037790L
INF [20170120-13:43:02.638] thr=1 paramiko.transport: Connected (version 2.0, client Cisco-2.0)
DEB [20170120-13:43:02.641] thr=1 paramiko.transport: kex algos:['diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes128-cbc', 'aes192-cbc', 'aes256-cbc', '3des-cbc'] server encrypt:['aes128-cbc', 'aes192-cbc', 'aes256-cbc', '3des-cbc'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEB [20170120-13:43:02.641] thr=1 paramiko.transport: Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEB [20170120-13:43:02.641] thr=1 paramiko.transport: using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEB [20170120-13:43:02.804] thr=1 paramiko.transport: Switch to new keys ...
DEB [20170120-13:43:03.008] thr=1 paramiko.transport: userauth is OK
INF [20170120-13:43:03.126] thr=1 paramiko.transport: Authentication (password) successful!
DEB [20170120-13:43:03.140] thr=2 paramiko.transport: [chan 1] Max packet in: 34816 bytes
DEB [20170120-13:43:03.142] thr=1 paramiko.transport: [chan 1] Max packet out: 34816 bytes
INF [20170120-13:43:03.142] thr=1 paramiko.transport: Secsh channel 1 opened.
DEB [20170120-13:43:03.149] thr=1 paramiko.transport: [chan 1] Sesch channel 1 request ok
DEB [20170120-13:43:03.150] thr=2 paramiko.transport: [chan 2] Max packet in: 34816 bytes
DEB [20170120-13:43:03.153] thr=1 paramiko.transport: [chan 2] Max packet out: 34816 bytes
INF [20170120-13:43:03.153] thr=1 paramiko.transport: Secsh channel 2 opened.
DEB [20170120-13:43:03.235] thr=1 paramiko.transport: [chan 2] Sesch channel 2 request ok
DEB [20170120-13:43:03.525] thr=1 paramiko.transport: [chan 1] EOF received (1)
DEB [20170120-13:43:03.525] thr=1 paramiko.transport: [chan 1] EOF sent (1)
DEB [20170120-13:43:03.940] thr=1 paramiko.transport: [chan 2] EOF received (2)
DEB [20170120-13:43:03.941] thr=2 paramiko.transport: [chan 3] Max packet in: 34816 bytes
DEB [20170120-13:43:03.942] thr=1 paramiko.transport: [chan 2] EOF sent (2)
DEB [20170120-13:43:03.945] thr=1 paramiko.transport: EOF in transport thread

Is there something that I am missing in the code?

[amias-channer]

are you sure the router allows that user to ssh in ? have you tried manually sshing to check it can work ?

also i would recommend changing your password now you have shared it on here.

[bitprophet]

Hardware devices often don't support the SSH standard in a manner Paramiko can gracefully deal with, unfortunately. See this FAQ: http://www.paramiko.org/faq.html#paramiko-doesn-t-work-with-my-cisco-windows-or-other-non-unix-system

[ktbyers]

Issue is a bit old, but adding some comments.

Cisco IOS routers generally will close the SSH session after a single command using exec_command. So in your case above, your SSH session will end here (assuming Cisco IOS)

stdin, stdout, stderr = ssh.exec_command("term len 0")

Generally, the solution to this is to use invoke_shell and not exec_command. You might also want to check out Netmiko (which is a library built on top of Paramiko as it tries to handle some of these known issues with interfacing to networking devices).

[sumkincpp]

Even this thread is closed sometimes this is nearly expected to arrive here :)

NXOS 9.2.1, TACACS+ and Paramiko

Cisco Nexus NXOS 9.2.1(SSH-2.0-OpenSSH_7.5 PKIX[10.1]) with TACACS+ enabled and Paramiko library probably has a bug with "EOF Transport" on first initial connection attempt. Auth itself succeeds.

This may result, for example, in Ansible in "Authentication failed" failure:

The full traceback is:
Traceback (most recent call last):
  File "/opt/awx/awx-app/venv/bin/ansible-connection", line 105, in start
    self.connection._connect()
  File "/opt/awx/awx-app/venv/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py", line 298, in _connect
    ssh = self.paramiko_conn._connect()
  File "/opt/awx/awx-app/venv/lib/python2.7/site-packages/ansible/plugins/connection/paramiko_ssh.py", line 254, in _connect
    self.ssh = SSH_CONNECTION_CACHE[cache_key] = self._connect_uncached()
  File "/opt/awx/awx-app/venv/lib/python2.7/site-packages/ansible/plugins/connection/paramiko_ssh.py", line 363, in _connect_uncached
    raise AnsibleAuthenticationFailure(msg)
AnsibleAuthenticationFailure: Invalid/incorrect username/password. Authentication failed.

fatal: [XXXXXX]: FAILED! => {
    "msg": "Invalid/incorrect username/password. Authentication failed."
}
...ignoring

Some observations

• OpenSSH with default handshake always works as expected
• No problems with versions up to 7.0.3.I7.5a
• No problems on NXOS 9.2.1 with local auth
• When problem with "EOF Transport" occurs TACACS+ server reports successful attempt for auth

To reproduce: Reboot device & and try to connect with paramiko after it's management becomes available.

Python CLI to reproduce

Python 2.7.5 (default, Sep 12 2018, 05:31:16)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko
>>> paramiko.common.logging.basicConfig(level=paramiko.common.DEBUG)
>>> client = paramiko.SSHClient()
>>> client.set_missing_host_key_policy(paramiko.WarningPolicy())
>>> client.connect('X.X.X.X, username='joe', password='joe')
DEBUG:paramiko.transport:starting thread (client mode): 0x449ace10L
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.4.2
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.5 PKIX[10.1]
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.5)
DEBUG:paramiko.transport:kex algos:[u'diffie-hellman-group14-sha1', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521'] server key:[u'ssh-rsa', u'rsa-sha2-512', u'rsa-sha2-256'] client encrypt:[u'aes128-ctr', u'aes256-ctr', u'aes256-gcm@openssh.com', u'aes128-gcm@openssh.com'] server encrypt:[u'aes128-ctr', u'aes256-ctr', u'aes256-gcm@openssh.com', u'aes128-gcm@openssh.com'] client mac:[u'hmac-sha1', u'hmac-sha2-256', u'hmac-sha2-512'] server mac:[u'hmac-sha1', u'hmac-sha2-256', u'hmac-sha2-512'] client compress:[u'none', u'zlib@openssh.com'] server compress:[u'none', u'zlib@openssh.com'] client lang:[u''] server lang:[u''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: ecdh-sha2-nistp256
DEBUG:paramiko.transport:HostKey agreed: ssh-rsa
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
/opt/awx/awx-app/venv/lib/python2.7/site-packages/paramiko/client.py:825: UserWarning: Unknown ssh-rsa host key for X.X.X.X: 943b9ba001bfe6e805095e664acd93a2
  key.get_name(), hostname, hexlify(key.get_fingerprint())
DEBUG:paramiko.transport:Trying discovered key 7a11fdb3c9fbc0ab610b7820f477d459 in /root/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Auth banner: User Access Verification

INFO:paramiko.transport:Authentication (publickey) failed.
username=joe, password=joe
DEBUG:paramiko.transport:userauth is OK
DEBUG:paramiko.transport:EOF in transport thread
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/awx/awx-app/venv/lib/python2.7/site-packages/paramiko/client.py", line 437, in connect
    passphrase,
  File "/opt/awx/awx-app/venv/lib/python2.7/site-packages/paramiko/client.py", line 738, in _auth
    self._transport.auth_password(username, password)
  File "/opt/awx/awx-app/venv/lib/python2.7/site-packages/paramiko/transport.py", line 1436, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/opt/awx/awx-app/venv/lib/python2.7/site-packages/paramiko/auth_handler.py", line 236, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

[exzzzz]

@sumkincpp

try this:

client.connect('X.X.X.X, username='joe', password='joe', allow_agent=False, look_for_keys=False)

[sumkincpp]

@exzzzz seems not to be related to keys as they are ignored, but too actual connection reset from the server (EOF in transport thread).
allow_agent part in paramiko -

paramiko/paramiko/client.py

Line 689 in 5cf145f

if not two_factor and allow_agent: