From b19494bc2d78868a2d3ac9c98dc65e92f37b7279 Mon Sep 17 00:00:00 2001
From: D Stephenson
Date: Tue, 12 May 2026 20:44:06 +0000
Subject: [PATCH] Add TCP pre-flight check before SSH to prevent RADIUS lockout

Unreachable hosts are detected via a 3s socket connect on SSH_PORT before any credentials are sent. Truly offline switches now fail fast without touching RADIUS/AD at all.

Co-Authored-By: Claude Sonnet 4.6
---
 ssh_client.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ssh_client.py b/ssh_client.py
index 0143044..f299f95 100644
--- a/ssh_client.py
+++ b/ssh_client.py
@@ -3,6 +3,7 @@ import re
 import logging
 import threading
 import time
+import socket
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from functools import partial
 from netmiko import ConnectHandler, NetmikoTimeoutException, NetmikoAuthenticationException
@@ -31,6 +32,13 @@ def connect_and_query(ip, login_delay=3):
 }
 try:
+ # TCP pre-flight — bail before sending any credentials if port 22 is unreachable
+ with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+ s.settimeout(3)
+ if s.connect_ex((ip, SSH_PORT)) != 0:
+ logger.warning(f"{ip}: port {SSH_PORT} unreachable, skipping")
+ return {"success": False, "ip": ip, "error": "Host unreachable"}
+
 logger.info(f"Connecting to {ip}...")
 # Allow legacy ssh-rsa keys used by FS switches
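Review bot: The pre-flight in `connect_and_query` hard-codes `socket.AF_INET` and relies on `connect_ex`, which returns an error code only for failures of the connect call itself. If `ip` can ever be a hostname that does not resolve, or an IPv6 address, the call raises instead and lands in the except clauses of the surrounding `try:`, which are outside this hunk. Calling `socket.create_connection((ip, SSH_PORT), timeout=3).close()` inside `try:` / `except OSError:` covers both address families and routes every failure to the same "Host unreachable" return. The early return also builds its own dict rather than reusing the one that closes just above the `try:`, so callers may see fewer keys on this path; that is worth confirming against the part of the function not shown. The probe only shows that something accepts TCP on the port, so failed logins against reachable switches still reach RADIUS/AD and any attempt throttling has to live elsewhere.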