
andrewschenck / paramiko-jump


Enables MFA/2FA and SSH proxying on top of Paramiko SSH.

License: Other

Python 100.00%
2fa 2fa-client duo jumphost jumpserver mfa mobilepass multifactor-authentication paramiko python s-key ssh ssh-client two-factor-authentication

paramiko-jump's Issues

Module error

I am trying this to log in to a switch and get some show version output. There is a jump host in between. That is 2 factor. First it takes a password, then I have to type 1, then some authentication comes in on my cell phone that I have to approve, then I can log in to the jump host.

I am getting this module error.

ModuleNotFoundError: No module named 'paramiko_jump'

Any idea how to resolve this?

Regarding _Host

In the client.py file, there is a variable _Host:

_Host = Union[AnyStr, Tuple[AnyStr, int]]
_Prompt = Tuple[AnyStr, bool]

It's used like its friend, _Prompt, as a representation of a complex type, in this case a Union between either an AnyStr or a tuple of AnyStr and a bool.

I understand, implicitly, what it is:

It represents either a hostname/IP, OR a hostname/IP combined with the SSH_PORT you expect to connect over on that particular host.

Obviously it's not used anywhere right now.

I'd be happy to write up an implementation for it, but I'm curious where it was intended to be used, or if it is a deprecated variable.

SSH Session Source IP Address?

So I have this setup

PC [192.168.0.0/24] --- jumphost [10.10.10.0/24] --- router [10.20.30.0/24]

In summary, I am able to successfully connect to the jumphost, but when I connect to the router I am getting an Administratively prohibited error.
The router is configured to only allow SSH connections from the jumphost IP subnet, which is 10.10.10.0/24, and everything else is denied.
Now I am getting denied access to the router. Is it possible that the source IP of the SSH connection towards the router is the 192.168.0.0/24 (PC) instead of the jumphost subnet (10.10.10.0/24)?

Below is my code

import paramiko
from getpass import getpass
from paramiko_jump import SSHJumpClient, MultiFactorAuthHandler

jumphost = input ("Bastion Server host/ip : ")
bastion_username = input ("Bastion Username: ")
bastion_password = getpass ("Bastion Password : ")
passcode = getpass ("RSA Passcode : ")

handler = MultiFactorAuthHandler()
handler.add(bastion_password)
handler.add(passcode)

with SSHJumpClient(auth_handler = handler) as jumper:
    jumper.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    jumper.connect(
        hostname = jumphost,
        username = bastion_username,
        look_for_keys = False,)
    
    stdin, stdout, stderr = jumper.exec_command('uptime')
    output = stdout.readlines()
    print ("Successfully authenticated with the",jumphost, "server!")
    print(output)

    node = input ("Enter Router hostname/ip : ")
    node_username = input("Node Username : ")
    node_password = getpass ("Enter Node Password : ")
    
    with SSHJumpClient(jump_session = jumper) as target:
        target.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        target.connect(
            hostname = node,
            username = node_username,
            password = node_password,
            look_for_keys = False,
            allow_agent = False,)
        
        terminal = target.invoke_shell()
        terminal.send("show chassis\n")

Output

Bastion Server host/ip :  sample.local
Bastion Username:  domain\username
Bastion Password :  ········
RSA Passcode :  ········
Successfully authenticated with the sample.local server!
[' 15:25:34 up 26 days, 20:17, 143 users,  load average: 0.08, 0.21, 0.27\n']
Enter Router hostname/ip :  sample.local
Node Username :  username
Enter Node Password :  ········

Error

Secsh channel 1 open FAILED: open failed: Administratively prohibited
---------------------------------------------------------------------------
ChannelException                          Traceback (most recent call last)
Cell In[3], line 28
     26 with SSHJumpClient(jump_session=jumper) as target:
     27     target.set_missing_host_key_policy(paramiko.AutoAddPolicy())
---> 28     target.connect(
     29         hostname = node,
     30         username = node_username,
     31         password = node_password,
     32         look_for_keys = False,
     33         allow_agent = False,)
     35     terminal = target.invoke_shell()
     36     terminal.send("show chassis\n")

File ~\OneDrive\root\Documents\002_vdi_env\vdi\Lib\site-packages\paramiko_jump\client.py:133, in SSHJumpClient.connect(self, hostname, port, username, password, pkey, key_filename, timeout, allow_agent, look_for_keys, compress, sock, gss_auth, gss_kex, gss_deleg_creds, gss_host, banner_timeout, auth_timeout, channel_timeout, gss_trust_dns, passphrase, disabled_algorithms, transport_factory, auth_strategy)
    130         raise ValueError('jump_session= and sock= are mutually '
    131                          'exclusive')
    132     transport = self._jump_session._transport
--> 133     sock = transport.open_channel(
    134         kind='direct-tcpip',
    135         dest_addr=(hostname, port),
    136         src_addr=transport.getpeername(),
    137         timeout=timeout,
    138     )
    140 return super().connect(
    141     hostname=hostname,
    142     port=port,
   (...)
    162     auth_strategy=auth_strategy,
    163 )

File ~\OneDrive\root\Documents\002_vdi_env\vdi\Lib\site-packages\paramiko\transport.py:1115, in Transport.open_channel(self, kind, dest_addr, src_addr, window_size, max_packet_size, timeout)
   1113 if e is None:
   1114     e = SSHException("Unable to open channel.")
-> 1115 raise e

ChannelException: ChannelException(1, 'Administratively prohibited')

Unable to successfully connect

Apologies, I do not know how to contact you, but I only have a question rather than an issue.

So I followed your example 1 and got the following error:

paramiko.ssh_exception.ChannelException: ChannelException(1, 'Administratively prohibited')

On the router, only the subnet of the jumphost server is allowed to SSH into the router. Could my source IP be the IP of my laptop and not the jumphost server when I logged into the router?
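
Added example (not from either issue author or the paramiko-jump project), relating to the two "Administratively prohibited" reports above: the number in `ChannelException` is the channel-open failure reason code from RFC 4254 section 5.1, and that reply is sent by the SSH server the jump transport is connected to. The hypothetical `probe_forward` helper requests the same `direct-tcpip` channel shown in the traceback and names the code it gets back; `StubTransport` and its addresses are constructed so the block runs without a network, and how a particular server picks a code is up to that server.

```python
# Added example, not paramiko-jump code. Reason codes: RFC 4254, section 5.1.
OPEN_FAILURE = {
    1: ("SSH_OPEN_ADMINISTRATIVELY_PROHIBITED", "SSH server policy refused the channel"),
    2: ("SSH_OPEN_CONNECT_FAILED", "SSH server could not connect to the destination"),
    3: ("SSH_OPEN_UNKNOWN_CHANNEL_TYPE", "SSH server does not support this channel type"),
    4: ("SSH_OPEN_RESOURCE_SHORTAGE", "SSH server is out of resources"),
}


def probe_forward(transport, dest, timeout=10.0):
    """Request a direct-tcpip channel; the reply comes from the SSH server at the
    far end of transport (the jump host), never from dest itself."""
    peer = transport.getpeername()
    try:
        chan = transport.open_channel(
            kind="direct-tcpip", dest_addr=dest,
            src_addr=peer,  # informational originator field, as in the traceback
            timeout=timeout,
        )
    except Exception as exc:
        code = getattr(exc, "code", None)  # paramiko's ChannelException sets .code
        if code not in OPEN_FAILURE:
            raise  # not a channel-open refusal (timeout, dropped transport, ...)
        name, meaning = OPEN_FAILURE[code]
        return {"ok": False, "code": code, "name": name, "meaning": meaning,
                "answered_by": peer}
    chan.close()
    return {"ok": True, "code": None, "name": None, "meaning": "channel opened",
            "answered_by": peer}


class StubTransport:
    """Constructed stand-in for a jump-host transport, so the example runs offline."""
    def __init__(self, fail_code=None):
        self.fail_code = fail_code

    def getpeername(self):
        return ("10.10.10.5", 22)  # constructed jump-host address

    def open_channel(self, **kwargs):
        if self.fail_code is not None:
            err = Exception("open failed")
            err.code = self.fail_code  # mimic ChannelException.code
            raise err
        return type("Chan", (), {"close": lambda self: None})()


if __name__ == "__main__":
    print(probe_forward(StubTransport(fail_code=1), ("10.20.30.1", 22)))
```

With a real session, pass the transport of the connected jump client (`jumper.get_transport()`) in place of the stub.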

Inherited Import Causing Typing and Validation Errors

Hey all;

Just a small nit-pick, but when using packages like mypy, pylance, and pyright, the SSH_PORT variable grabbed from paramiko.client throws an error.

Line in question is here:

from paramiko.client import SSH_PORT, SSHClient

The resolution is basically just to throw in another import line from the original source within paramiko.config:

from paramiko.client import SSHClient
from paramiko.config import SSH_PORT

Will attach a PR to this for the resolution.
