From ece8193967833cfaf1e7920869f1b4a60d33abca Mon Sep 17 00:00:00 2001
From: D Stephenson
Date: Tue, 12 May 2026 20:46:00 +0000
Subject: [PATCH] Disable paramiko keyboard-interactive auth fallback

Patches Transport.auth_password at module load to default fallback=False, ensuring each switch produces exactly one RADIUS/AD auth attempt instead of two. Also moves the paramiko.transport import to module level.

Co-Authored-By: Claude Sonnet 4.6
---
 ssh_client.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ssh_client.py b/ssh_client.py
index f299f95..e832570 100644
--- a/ssh_client.py
+++ b/ssh_client.py
@@ -14,6 +14,14 @@ from parser import (parse_lldp_neighbors, parse_mgmt_ip_from_interfaces,
 logger = logging.getLogger(__name__)
+# Disable paramiko's keyboard-interactive fallback so each switch gets exactly
+# one auth attempt against RADIUS/AD instead of two.
+import paramiko.transport as _pt
+_orig_auth_password = _pt.Transport.auth_password
+def _auth_password_no_fallback(self, username, password, event=None, fallback=False):
+ return _orig_auth_password(self, username, password, event=event, fallback=fallback)
+_pt.Transport.auth_password = _auth_password_no_fallback
+
 # Serialise SSH logins — only one handshake/auth at a time to avoid RADIUS lockout
 _login_lock = threading.Semaphore(1)
@@ -42,7 +50,6 @@ def connect_and_query(ip, login_delay=3):
 logger.info(f"Connecting to {ip}...")
 # Allow legacy ssh-rsa keys used by FS switches
- import paramiko.transport as _pt
 _orig_preferred_keys = _pt.Transport._preferred_keys
 _pt.Transport._preferred_keys = (
 "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",
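Review bot: The assignment `_pt.Transport.auth_password = _auth_password_no_fallback` in the first hunk replaces the method on the paramiko class at import time, so every Transport in the process loses the keyboard-interactive fallback, not only the connections made by `connect_and_query`. As far as I recall, paramiko only takes that fallback when the server refuses the `password` method, so a switch that offers keyboard-interactive alone would stop authenticating after this change; that should be confirmed against such a device before rollout. The comment above the patch should state both effects, e.g. `# NOTE: process-wide patch; devices that only offer keyboard-interactive will now fail auth`. If the installed paramiko offers it, a `Transport` subclass passed through `SSHClient.connect(transport_factory=...)` would keep the override scoped to this module's connections. The second hunk's context shows `connect_and_query` also rewriting `Transport._preferred_keys` on the class, where the same scoping concern applies; that function's body continues outside the hunk.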