Add TCP pre-flight check before SSH to prevent RADIUS lockout

Unreachable hosts are detected with a TCP connect to SSH_PORT (3-second
timeout) before any credentials are sent. Truly offline switches now
fail fast without touching RADIUS/AD at all.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 20:44:06 +00:00
parent c8de2620c8
commit b19494bc2d
+8
@@ -3,6 +3,7 @@ import re
import logging
import threading
import time
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed
from functools import partial
from netmiko import ConnectHandler, NetmikoTimeoutException, NetmikoAuthenticationException
@@ -31,6 +32,13 @@ def connect_and_query(ip, login_delay=3):
}
try:
# TCP pre-flight — bail before sending any credentials if port 22 is unreachable
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(3)
if s.connect_ex((ip, SSH_PORT)) != 0:
logger.warning(f"{ip}: port {SSH_PORT} unreachable, skipping")
return {"success": False, "ip": ip, "error": "Host unreachable"}
logger.info(f"Connecting to {ip}...")
# Allow legacy ssh-rsa keys used by FS switches