paramiko 使用证书免密连接 H3C 设备

发表于 分类于 阅读次数: 本文字数: 4k 阅读时长 ≈ 4 分钟

设备配置用户

1
2
3
4
5
6
7
#
local-user admin class manage
 password simple admin
 service-type ftp
 service-type ssh
 authorization-attribute user-role network-admin
#

配置登录 vty 登录权限

1
2
3
4
#
line vty 0 63
 authentication-mode scheme
#

开启 ssh 服务

1
ssh erver enable

开启 ftp 服务

1
ftp server enable

在 windows 上生成 ssh key

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
PS C:\Users\xdai> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\xdai/.ssh/id_rsa):
C:\Users\xdai/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\xdai/.ssh/id_rsa.
Your public key has been saved in C:\Users\xdai/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Dfia7aLwhuSowN7iSsXlqkB0/ZJw2mMoMVi9Y4ez06E xdai@xdai
The key's randomart image is:
+---[RSA 2048]----+
|  ..             |
|..  o  .         |
|.+ o *. .        |
|. = # =. o       |
| o * # oS .      |
|o + E ++         |
|o*.o .o .        |
|*.=o. ..         |
|*+.oo. ..        |
+----[SHA256]-----+
PS C:\Users\xdai>

在 windows 上将公钥通过 ftp 上传到设备

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
C:\Users\xdai\.ssh>ftp 192.168.56.20
连接到 192.168.56.20。
220 FTP service ready.
502 Command not implemented.
用户(192.168.56.20:(none)): admin
331 Password required for admin.
密码:
230 User logged in.
ftp> put id_rsa.pub
200 PORT command successful
150 Connecting to port 11865
226 File successfully transferred
ftp: 发送 392 字节,用时 0.00秒 392.00千字节/秒。
ftp> quit
221-Goodbye. You uploaded 1 and downloaded 0 kbytes.
221 Logout.

可以在 R1 上看到已经接收到了公钥

1
2
3
4
5
6
7
8
9
<R1>%Dec 26 15:05:41:190 2020 R1 FTP/6/AUTH: User N/[email protected] for connection.
%Dec 26 15:05:44:437 2020 R1 FTP/6/AUTH: User [email protected] login.
%Dec 26 15:05:53:983 2020 R1 FTP/5/OPER: User [email protected] uploaded flash:/id_rsa.pub.
%Dec 26 15:06:17:204 2020 R1 FTP/6/LOGOUT: User [email protected] logout.
<R1>dir
Directory of flash:
   0 drw-           - Dec 26 2020 14:56:17   diagfile
   1 -rw-         735 Dec 26 2020 14:57:27   hostkey
   2 -rw-         391 Dec 26 2020 15:05:53   id_rsa.pub

在 R1 上导入远端主机公钥

1
public-key peer netdevops import sshkey flash:/id_rsa.pub

查看已经导入的公钥

1
2
3
4
5
6
7
8
[R1] display public-key peer

=============================================
Key name: netdevops
Key type: RSA
Key modulus: 2048
Key code:
......

配置远端主机公钥的方式有两种:

  • 从公钥文件中导入:用户事先将远端主机的公钥文件保存到本地设备(例如,通过FTP或TFTP,以二进制方式将远端主机的公钥文件保存到本地设备),本地设备从该公钥文件中导入远端主机的公钥。导入公钥时,系统会自动将远端主机的公钥文件转换为PKCS(Public Key Cryptography Standards,公共密钥加密标准)编码形式。

  • 手工配置:用户事先在远端主机上查看其公钥信息,并记录远端主机公钥的内容。在本地设备上采用手工输入的方式将远端主机的公钥配置到本地。手工输入远端主机公钥时,可以逐个字符输入,也可以一次拷贝粘贴多个字符。

因为当前版本设备不支持直接输入 rsa 公钥,所以采用导入文件的方式。

R1 上为 ssh 用户配置公钥验证方式,指定公钥

1
ssh user admin service-type all authentication-type any assign publickey netdevops

authentication-type 可选项有 any、password、password-publickey、publickey

设备配置已经完成

在 windows 中编写代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import paramiko


ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.set_missing_host_key_policy(paramiko.client.AutoAddPolicy())
ssh.connect(
    hostname='192.168.56.20',
    username='admin',
)
stdin, stdout,  stderr = ssh.exec_command('dis ip int brief')
interface = stdout.read().decode(encoding='utf-8')
print(interface)
ssh.close()

运行之后可以看到输出:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
PS C:\python\netdevops> & "C:/Program Files (x86)/Python38-32/python.exe" c:/python/netdevops/1.py

******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<R1>dis ip int brief
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
GE0/0                    up       up       192.168.56.20   --
GE0/1                    down     down     --              --
GE0/2                    down     down     --              --
GE5/0                    down     down     --              --
GE5/1                    down     down     --              --
GE6/0                    down     down     --              --
GE6/1                    down     down     --              --
Ser1/0                   down     down     --              --
Ser2/0                   down     down     --              --
Ser3/0                   down     down     --              --
Ser4/0                   down     down     --              --

PS C:\python\netdevops>

设备上查看 console log

1
2
3
4
5
6
7
8
9
<R1>
<R1>%Dec 26 16:50:50:033 2020 R1 SHELL/5/SHELL_LOGIN: Console logged in from con0.
%Dec 26 16:50:54:285 2020 R1 SSHS/6/SSHS_LOG: Accepted publickey for admin from 192.168.56.102 port 1313.

%Dec 26 16:50:56:061 2020 R1 SSHS/6/SSHS_LOG: User admin logged out from 192.168.56.102 port 1313.
%Dec 26 16:50:56:061 2020 R1 SSHS/6/SSHS_DISCONNECT: SSH user admin (IP: 192.168.56.102) disconnected from the server.

<R1>