This repository has been archived by the owner on Mar 28, 2022. It is now read-only.

Set key exchange explicitly #17

Merged
merged 1 commit into from
Apr 7, 2017

itdependsnetworks
Contributor

No description provided.

@StefanLindblom
Contributor

StefanLindblom commented Apr 5, 2017

Hi there!
Thank you for the PR.

I've tried your change - does this match your expected behaviour?

Testing with username/password authentication.

  1. Log in to FortiOS 5.4.0 and dh-group modified, set to 1024
    a) Without proposed change aka current public version 0.49: Works
    b) With proposed change: Works

  2. Log in to FortiOS 5.4.0 and dh-group set to 2048 (default)
    a) Without proposed change aka current public version 0.49: Does NOT work
    b) With proposed change: Works

  3. Log in to FortiOS 5.2.8 (no dh-group setting)
    a) Without proposed change aka current public version 0.49: Works
    b) With proposed change: Works

One more question - do you know if this (known) issue has any reference like a ticket or bug ID with Fortinet? Something that we could cross-reference maybe.

Thanks!
/Stefan

@StefanLindblom
Contributor

StefanLindblom commented Apr 5, 2017

OK I just found official information on this from Fortinet, so it only affects 5.4.0:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD38109

Did two more tests to verify this:

  1. Log in to FortiOS 5.4.3 and dh-group modified, set to 1024
    a) Without proposed change aka current public version 0.49: Works
    b) With proposed change: Works

  2. Log in to FortiOS 5.4.3 and dh-group set to 2048 (default)
    a) Without proposed change aka current public version 0.49: Works
    b) With proposed change: Works

@itdependsnetworks
Contributor Author

I believe it is much more than just 5.4

From Napalm docs: http://napalm.readthedocs.io/en/latest/support/fortios.html

Beginning in FortiOS version 5.2, a Fortigate bug was introduced that generates an EOFError in paramiko/transport.py during the SSH key exchange.

The documentation you provided only states that "Fixed in the FortiOS version 5.4.1."

v5.2.5,build701 (GA) [Update]
a) Without proposed change aka current public version 0.49: Does not work
b) With proposed change: Works

That being said, perhaps it makes sense to grab the current key exchanges, and dynamically re-order them, in case paramiko adds any more in the future.

Let me know your thoughts.

@StefanLindblom
Contributor

Oh.
Yes, I can see someone mentioning that some behaviour was modified in 5.2.7...
paramiko/paramiko#687 (comment)

I think it makes sense to merge this PR anyway, since it seems to solve the versions we've encountered so far! 👍 (and doesn't seem to break anything obvious)
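
The re-ordering idea raised earlier in this thread (read the library's current key-exchange list and move the wanted algorithms to the front, so nothing added later is lost), as an added example that is not code from this pull request. It assumes an object that behaves like the one returned by paramiko's `Transport.get_security_options()`, whose `kex` attribute reads and assigns as a tuple; the function names, `FakeSecurityOptions` and both sample lists are constructed for illustration.

```python
"""Reorder an SSH client's key-exchange preference without hardcoding the full list."""


def prioritise_kex(current, preferred):
    """Return `current` reordered so names in `preferred` come first.

    Names in `preferred` that the library does not offer are dropped
    (paramiko's SecurityOptions raises ValueError on unknown names), and
    every other algorithm keeps its original relative order, so algorithms
    added by a future library release stay enabled.
    """
    offered = list(dict.fromkeys(current))  # de-duplicate, keep order
    front = [k for k in dict.fromkeys(preferred) if k in offered]
    rest = [k for k in offered if k not in front]
    return tuple(front + rest)


def apply_kex_order(security_options, preferred):
    """Rewrite `security_options.kex` in place and return the new order.

    Assumption: `security_options` exposes a `kex` attribute that reads as
    a tuple and accepts a tuple on assignment, as paramiko's does.
    """
    new_order = prioritise_kex(security_options.kex, preferred)
    security_options.kex = new_order
    return new_order


class FakeSecurityOptions:
    """Constructed stand-in so the example runs without a device or paramiko."""

    def __init__(self, kex):
        self.kex = tuple(kex)


# Constructed sample data; neither list is taken from the pull request.
SAMPLE_DEFAULT_KEX = (
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
)
SAMPLE_PREFERRED = ("diffie-hellman-group14-sha1", "not-offered-by-library")

if __name__ == "__main__":
    opts = FakeSecurityOptions(SAMPLE_DEFAULT_KEX)
    for name in apply_kex_order(opts, SAMPLE_PREFERRED):
        print(name)
```

Reordering only changes preference: every algorithm in the original tuple, including older ones, stays enabled unless it is also removed from the tuple.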

2 participants