1

Has anybody tried to use Paramiko to connect to a Cisco ASA?

I use the following script:

import sys
import os
import paramiko


paramiko.util.log_to_file("ssh_conn.log")

ssh_client = paramiko.SSHClient()
print ('client created')
ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
print ('key policy set')
ssh_client.connect(hostname='10.10.10.10', username='user', password='pass', port=22)
print ('client connected')
(stdin, stdout, stder) = ssh_client.exec_command('show version')
print ('command sent')
data = stdout.readlines()
print ('data read')
stdout.close()
ssh_client.close()
print ('session closed')
print (data)

It works well with Cisco IOS (routers), but hangs after "command sent" when I try to connect to ASA devices.

The Paramiko log contains the following messages:

DEB [20140718-18:12:52.534] thr=1   paramiko.transport: starting thread (client mode): 0x23902b0
INF [20140718-18:12:52.537] thr=1   paramiko.transport: Connected (version 2.0, client Cisco-1.25)
DEB [20140718-18:12:52.923] thr=1   paramiko.transport: kex algos:['diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc'] server encrypt:['aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc'] client mac:['hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] server mac:['hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEB [20140718-18:12:52.923] thr=1   paramiko.transport: Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEB [20140718-18:12:52.924] thr=1   paramiko.transport: using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEB [20140718-18:12:53.040] thr=1   paramiko.transport: Switch to new keys ...
DEB [20140718-18:12:53.041] thr=2   paramiko.transport: Adding ssh-rsa host key for 10.10.10.10: b'10d3ea97246086679196bda085796063'
DEB [20140718-18:12:53.066] thr=1   paramiko.transport: userauth is OK
INF [20140718-18:12:53.084] thr=1   paramiko.transport: Authentication (password) successful!
DEB [20140718-18:12:53.084] thr=2   paramiko.transport: [chan 1] Max packet in: 34816 bytes
DEB [20140718-18:12:53.089] thr=1   paramiko.transport: [chan 1] Max packet out: 4096 bytes
INF [20140718-18:12:53.089] thr=1   paramiko.transport: Secsh channel 1 opened.
DEB [20140718-18:12:53.094] thr=1   paramiko.transport: [chan 1] Sesch channel 1 request ok

I see an active SSH session on the device, but my script hangs after the output "command sent".

vedburtruba
  • Did you try running the ssh commands by hand? Is it possible it doesn't return any data on stdout (but on stderr instead)? In that case the stdout.readlines() might be just waiting for anything to read... – rje Jul 18 '14 at 14:28
  • Yes, I tried to run command through SSH client and there was some output. – vedburtruba Jul 21 '14 at 07:06
  • @adamski wrote: Did you find any answer to your problem? I got exactly the same actually... sending the command to the ASA never returns... seems that SSH does not give the return char to validate the command... it is working well on switch and router by the way... – Filnor Nov 06 '17 at 16:20

2 Answers

4

Here is the process that I use to connect to a Cisco ASA:

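import paramiko

ip = '1.1.1.16'
username = 'testuser'
password = 'password'

remote_conn_pre = paramiko.SSHClient()
# AutoAddPolicy trusts whatever host key the device presents on first connect
remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Password auth only: do not try local key files or the SSH agent
remote_conn_pre.connect(ip, username=username, password=password,
                        look_for_keys=False, allow_agent=False)
# Open an interactive shell channel instead of using exec_command()
remote_conn = remote_conn_pre.invoke_shell()
output = remote_conn.recv(65535)  # login banner and first prompt
print(output)
# Enter privileged mode; the enable password is sent as the next line
remote_conn.send('enable\n')
remote_conn.send(password + '\n')
output = remote_conn.recv(65535)
print(output)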

I also have been working on a library (Netmiko) to simplify some of the Paramiko SSH handling. It is at https://github.com/ktbyers/netmiko

Kirk Byers
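
A bounded read loop for the invoke_shell() approach in the answer above, as an added example that is not part of the original answer or of Netmiko: it waits for the device prompt with a deadline, so a device that sends nothing raises an error instead of hanging, and it rejects unknown host keys rather than using AutoAddPolicy. The prompt pattern, the function names and known_hosts_path are assumptions.

```python
import re
import socket
import time

# Assumption: the prompt is a hostname-like token ending in '>' or '#'.
PROMPT_RE = re.compile(rb"[\w.()/-]+[>#] ?\Z")


def read_until_prompt(chan, timeout=10.0, prompt_re=PROMPT_RE):
    """Read from an interactive channel until the prompt ends the buffer."""
    chan.settimeout(0.5)  # recv() now raises socket.timeout instead of blocking
    deadline = time.monotonic() + timeout
    buf = b""
    while time.monotonic() < deadline:
        try:
            data = chan.recv(4096)
        except socket.timeout:
            continue  # nothing yet; keep polling until the deadline
        if not data:
            raise EOFError("device closed the channel")
        buf += data
        if prompt_re.search(buf):
            return buf.decode("utf-8", "replace")
    raise TimeoutError(f"no prompt after {timeout}s, tail={buf[-60:]!r}")


def run_command(chan, command, timeout=10.0):
    """Send one line and return its output without the echo and the prompt."""
    chan.send(command + "\n")
    lines = read_until_prompt(chan, timeout).splitlines()
    return "\n".join(lines[1:-1])


def open_shell(host, username, password, known_hosts_path):
    """Open a shell channel, refusing devices whose host key is not pinned."""
    import paramiko  # imported here so the helpers above work without it

    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts_path)  # file holding the device's key
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=username, password=password,
                   look_for_keys=False, allow_agent=False, timeout=10)
    chan = client.invoke_shell()
    read_until_prompt(chan)  # consume the banner and the first prompt
    return client, chan
```
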
0

Add a newline character (\n) at the end of the command:

Before:

(stdin, stdout, stder) = ssh_client.exec_command('show version')

After:

(stdin, stdout, stder) = ssh_client.exec_command('show version\n')
stackprotector
Akii46