Recently I needed to find a way to reboot an embedded device remotely. The trick was that we didn’t have a handy Web Power Switch and the device was PoE. I figured that I’d just quickly slap together a script to telnet to the switch’s management interface and simulate a few simple commands. To make a long story short SSH was the only option which complicated things a bit.
Fortunately for me I had already written an article about this but that turned out only to be a starting point as the script just wouldn’t work out of the box with Cisco’s SSH server.
In the end I found a few very interesting things out about Paramiko and Cisco’s SSH server. Using Paramiko with a Cisco switch through out a bunch of errors like this:
1 2 3 4 5 6 7 8 9 10 11 12 |
|
If you are seeing Authentication failed
messages while using Paramiko and you are certain your credentials are correct you may be running into the same problem I was. The issue is that Paramiko tries to use your SSH keys to do public key authentication before it tries to use your password. Normally, this doesn’t cause an issue because if it fails one authentication method it just moves onto trying the next authentication method. Due to a quirk in both Paramiko and Cisco’s SSH server implementation Paramiko gets confused after the public key authentication failure and gives up. I figured this out by turning on full debugging in Paramiko like this:
1
|
|
This is an incredibly handy flag if you ever need to debug Paramiko yourself so keep it around!
Anyway, the solution is normally to add the look_for_keys=False
option to your Paramiko connect call. However, as I found out that works on some systems and not others. To be certain that it only tried password authentication I needed to also add the allow_agent=False
flag.
The other quirk I hit was that my script initially waited forever for a response when I sent it commands that had a lot of output. This was because the Cisco shell’s pager was on. Turning it off meant sending one additional command terminal length 0\n
.
In the end I ended up with a script that lets me check the PoE state of a port and enable/disable PoE on a per port basis. If you need a script that does that it is included below. Two important points to remember are that I only needed to use this on interfaces that start with Gi1/0/
so that value is hardcoded and you’ll need to change it if your switch is different. You will also need to install my little Python library called pyuda because I use it to process the command-line arguments. Rip that out if you want to simplify things.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 |
|