VanDyke Software Forums

VanDyke Software Forums (https://forums.vandyke.com/index.php)
-   Scripting (https://forums.vandyke.com/forumdisplay.php?f=14)
-   -   SSH auth with Python - Random "Keyboard Interactive Authentication" pop-up (https://forums.vandyke.com/showthread.php?t=14137)

powerponch 04-02-2020 06:29 PM

SSH auth with Python - Random "Keyboard Interactive Authentication" pop-up
 
Hello. I am currently running a python script from a custom button which logins to a router. The login works normally OK, however in some cases a pop-up appears ("Keyboard Interactive Authentication") and asks for manual password input.

Since my script is intended to run without human supervision, this is an issue. Moreover, I haven't been able to determine under which circumstances this pop-up appears.

Does somebody know how to suppress the pop-up?

Below the code I'm using for login:

cmd = "/SSH2 /L %s /PASSWORD %s /C AES-128 /M SHA1 %s" % (HOST_USERNAME, HOST_PASSWORD, HOST)

crt.Session.Connect(cmd)

https://imagizer.imageshack.com/img921/6759/WM4vTJ.png

bgagnon 04-03-2020 08:45 AM

Hi powerponch,

What version of SecureCRT are you using?

On what OS?

For the remotes where you see the dialog, it likely means that keyboard-interactive authentication is required. This is different than password authentication (though it often looks similar to the end user). RFC 4256 details keyboard-interactive authentication.

Getting Trace Options output to those devices should show what authentication method is supported.

You may need to adjust the connection method in your script and handle the possible prompts (notice what's in the screenshot is Enter PASSCODE:).

Or, if v8.5 or later, you may be able to leverage these features:

Changes in SecureCRT 8.5 (Beta 1) -- June 28, 2018
--------------------------------------------------
New features:
  • Added a session INI-file-only option "Keyboard Interactive Prompt" that allows the expected prompt for keyboard-interactive authentication to be specified.
  • Added a command-line flag /KEYBOARDINTERACTIVEPROMPT that allows the keyboard interactive prompt to be specified for SSH2 sessions.

powerponch 04-04-2020 01:01 PM

1 Attachment(s)
Thank you for the quick reply!

I am running SecureCRT v.8.5 on Windows 10. Is it possible to apply a fix or a flag for suppressing the pop-up?

It is of crucial importance given that the script is executed on a scheduled basis via Windows Scheduled Tasks, and it is not being executed when this pop-up appears because there is nobody to input the password.

As I mentioned, this happens in random occasions. More than often the login runs smoothly with the python code.

This is a screenshot of the pop-up that I'm getting:
https://forums.vandyke.com/attachmen...achmentid=1874

bgagnon 04-04-2020 01:24 PM

Hi powerponch,

I'm sort of feeling like you did not read my post at all. :)

Do you have to enter something when prompted? If so, then this authentication method (keyboard-interactive) is what the remote requires so it will need to be handled. It is not the password authentication method, it is keyboard-interactive.

If you connect to a mix of remotes that require either password or keyboard-interactive then you will have to authenticate within the script.

For example:
  • Wait for prompts (with WaitForStrings()) that may either have password or passcode in them

  • Send appropriate response

powerponch 04-06-2020 04:42 PM

Hello. Sorry for the confusion. I did not quite get you first reply.
When the pop-up appears, I need to input the password for SSH authentication. Afterwards, my script continues its normal execution.

I am using a crt.Sleep(2000) command after the Session.Connect().

bgagnon 04-07-2020 08:56 AM

Hi powerponch,

I guess I am still not making it clear.

In simplest terms, you have remotes/devices that require two different methods of authentication. Therefore, you would need to use two different command-lines to handle each.

So you either have to:
  • Be able to narrow down which requires password and which requires keyboard-interactive and connect to each with a different command-line.

  • Handle both types within the script somehow. This requires being able to distinguish between the two.

If you opt for the latter option, what I suggest is you connect manually to a device that succeeds with your current command-line and collect Trace Options output (instructions were in a prior post). Then also connect manually to one of the devices that results in the pop-up you are reporting and collect Trace Options output from that.

You will want to have Display logon prompts in terminal window enabled in the sessions you connect manually (or in Default session if it's an ad hoc connection). That option is found in the Connection / Logon Actions category of Session Options.

powerponch 04-07-2020 10:44 AM

Thank you for the reply.

My remote target device is only one: a Cisco router enabled with SSH.

I think I wasn't clear on that part before, but this single device is the one to which I can login successfully with the code I mentioned before, but sometimes prompts that pop-up for the password.

Both situations on the same device without doing anything different but clicking my button to trigger the python script.

I collected the Trace Options. What should I look at in the output sorry?

About the Display logon prompts in terminal window, my intention is not to collect anything manually, but to let the script run on a scheduled basis without supervision. It must not stop with the pop-up that appears sometimes.

bgagnon 04-07-2020 10:52 AM

Hi powerponch,

I am very clear on your goal. My suggestions are troubleshooting steps and sometimes those must be done manually. :)

Quote:

I think I wasn't clear on that part before, but this single device is the one to which I can login successfully with the code I mentioned before, but sometimes prompts that pop-up for the password.
Then it is likely a broken SSH server and I don't think there is anything you can do on the client side to compensate for that but I would still like to have a look at Trace Options output.

Please send to support@vandyke.com as an attachment to email and reference Attn Brenda - Forum Thread #14137 in the subject line.


All times are GMT -6. The time now is 08:07 AM.