paramiko-jump
Unable to successfully connect
Apologies I do not know how to contact you but I only have a question rather than an issue.
So I followed your example 1 and got the following error:
paramiko.ssh_exception.ChannelException: ChannelException(1, 'Administratively prohibited')
On the router, only the subnet of the jumphost server is allowed to SSH into the router. Could my source IP be the IP of my laptop and not the jumphost server when I logged into the router?
This is my main function...
```python
from getpass import getpass

import paramiko
from paramiko_jump import SSHJumpClient, simple_auth_handler


# Method of the poster's class (the class itself is not shown).
def MainConnectFunction(self, rtr_hostname):
    self.rtr_hostname = rtr_hostname
    print("+-----------------------+")
    print("|", "{0:^13}".format("Bastion Server Screen"), "|")
    print("+-----------------------+")
    b_uname = input("Enter Username for Bastion : ")
    with SSHJumpClient(auth_handler=simple_auth_handler) as jumper:
        # AutoAddPolicy accepts any unknown host key without verification.
        jumper.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        # Pass the value read above, not the literal string "b_uname".
        jumper.connect(hostname="1.2.3.4", username=b_uname)
        print("+---------------+")
        print("|", "{0:^13}".format("Router Screen"), "|")
        print("+---------------+")
        rtr_username = input("Enter Username: ")
        rtr_password = getpass("Enter Password: ")
        # The router session is tunnelled through the bastion session.
        target = SSHJumpClient(jump_session=jumper)
        target.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        target.connect(hostname=self.rtr_hostname,
                       username=rtr_username,
                       password=rtr_password,
                       look_for_keys=False,
                       allow_agent=False)
        _, stdout, _ = target.exec_command("sh ip int br")
        print(stdout.read().decode())
        target.close()
```
Output is as below
+-------------------------------+
| Enter Logical Name or IP Host |
+-------------------------------+
Enter Logical Name or IP Host: RouterIP
+-----------------------+
| Bastion Server Screen |
+-----------------------+
Enter Username for Bastion : Username
Password:
Enter PASSCODE:
+---------------+
| Router Screen |
+---------------+
Enter Username: Username
Enter Password:
Secsh channel 0 open FAILED: open failed: Administratively prohibited
Traceback (most recent call last):
File "c:\01PythonProjects\018_paramiko_gui\mfa_bastion_v001", line 52, in
Logs are as follows...
DEB [20230831-14:59:27.978] thr=1 paramiko.transport: userauth is OK
INF [20230831-14:59:29.282] thr=1 paramiko.transport: Auth banner: b'\n'
INF [20230831-14:59:51.306] thr=1 paramiko.transport: Authentication (keyboard-interactive) successful!
DEB [20230831-14:59:51.527] thr=1 paramiko.transport: Received global request "hostkeys-00@openssh.com"
DEB [20230831-14:59:51.527] thr=1 paramiko.transport: Rejecting "hostkeys-00@openssh.com" global request from server.
DEB [20230831-15:00:04.850] thr=2 paramiko.transport: [chan 0] Max packet in: 32768 bytes
ERR [20230831-15:00:04.959] thr=1 paramiko.transport: Secsh channel 0 open FAILED: open failed: Administratively prohibited
DEB [20230831-15:00:04.960] thr=1 paramiko.transport: EOF in transport thread
TLDR; This isn't a paramiko-jump issue, but a paramiko and SSH issue. Functionally there is nothing to be done via paramiko-jump to fix this issue.
@RepotSirc : No idea if this is at all necessary to respond to at this point, but if anyone finds this post elsewhere, let me explain what it appears to be doing:
Paramiko is using an OpenSSH implementation; it appears that whatever host is sending the following log is not implementing, or has disallowed, OpenSSH style SSH v2 handshakes:
DEB [20230831-14:59:51.527] thr=1 paramiko.transport: Rejecting "hostkeys-00@openssh.com" global request from server.
Per the OpenSSH protocol, v2: you need to exchange hostkeys via some method. The default method used by nearly everyone is this hostkeys-00@openssh.com; there's some inter-compatibility with a few proprietary methods for the SSH protocol, but they are in essence the same.
What is most likely is that the server in question is vastly out of date and needs to be updated with a new SSH daemon/library for its host OS.
See https://www.openssh.com/specs.html as well as the linked files and discussions from that page that enumerate the source of this problem RE: implementing the SSH host key rotation.
@andrewschenck : This issue can likely be closed either which way.
As @prokopto-dev pointed out, this is a host-side problem and not one that can be resolved by changing paramiko or related code.
There is likely more than one thing that can raise that error on your platform, but one of them is an actual ICMP type 3 code 9, which is sometimes generated by firewalls to tell a client their traffic is being denied: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
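
Added example, not part of any post in this thread: a standard-library triage of the paramiko log format shown in the question. It maps the logged failure text to the RFC 4254 channel-open reason code and uses the `thr=` field to tie the refusal to the session that had already authenticated; the function and variable names are illustrative.

```python
import re

# Channel-open failure codes from RFC 4254 section 5.1, keyed by the text
# paramiko writes to its log for each code.
REASONS = {
    "Administratively prohibited": (1, "SSH_OPEN_ADMINISTRATIVELY_PROHIBITED"),
    "Connect failed": (2, "SSH_OPEN_CONNECT_FAILED"),
    "Unknown channel type": (3, "SSH_OPEN_UNKNOWN_CHANNEL_TYPE"),
    "Resource shortage": (4, "SSH_OPEN_RESOURCE_SHORTAGE"),
}
LINE = re.compile(r"^(DEB|INF|WRN|ERR) \[([\d:.-]+)\]\s+thr=(\d+)\s+(\S+): (.*)$")
AUTH_OK = re.compile(r"Authentication \(([\w-]+)\) successful!")
OPEN_FAIL = re.compile(r"Secsh channel (\d+) open FAILED: (.*): (.*)$")

# Lines copied from the log in the question, one entry per line.
SAMPLE_LOG = """\
DEB [20230831-14:59:27.978] thr=1 paramiko.transport: userauth is OK
INF [20230831-14:59:51.306] thr=1 paramiko.transport: Authentication (keyboard-interactive) successful!
DEB [20230831-15:00:04.850] thr=2 paramiko.transport: [chan 0] Max packet in: 32768 bytes
ERR [20230831-15:00:04.959] thr=1 paramiko.transport: Secsh channel 0 open FAILED: open failed: Administratively prohibited
"""

def triage(log_text):
    """Report which authenticated transport refused a channel open, and why."""
    auth_by_thread, failure = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # traceback lines, blank lines, anything not a log entry
        _level, stamp, thread, _logger, msg = m.groups()
        if (ok := AUTH_OK.search(msg)):
            auth_by_thread[thread] = ok.group(1)
        elif failure is None and (bad := OPEN_FAIL.search(msg)):
            code, name = REASONS.get(bad.group(3), (None, "unknown"))
            failure = {
                "time": stamp,
                "channel": int(bad.group(1)),
                "server_text": bad.group(2),
                "code": code,
                "reason": name,
                # paramiko logs auth results and open failures from the
                # transport's own thread, so an equal thr= value means the
                # same SSH session. None means no auth was seen on it.
                "refused_after_auth": auth_by_thread.get(thread),
            }
    return {"authenticated_sessions": len(auth_by_thread), "failure": failure}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the question's log this reports reason code 1 on the same `thr=1` transport that completed keyboard-interactive authentication, and only one authenticated session in total. If the bastion runs OpenSSH sshd (an assumption), its `AllowTcpForwarding` and `PermitOpen` settings are the ones that govern forwarded channels.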