Disable paramiko keyboard-interactive auth fallback

Patches Transport.auth_password at module load to default fallback=False,
ensuring each switch produces exactly one RADIUS/AD auth attempt instead
of two. Also moves the paramiko.transport import to module level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-05-12 20:46:00 +00:00
parent b19494bc2d
commit ece8193967
+8 -1
View File
@@ -14,6 +14,14 @@ from parser import (parse_lldp_neighbors, parse_mgmt_ip_from_interfaces,
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
# Disable paramiko's keyboard-interactive fallback so each switch gets exactly
# one auth attempt against RADIUS/AD instead of two.
import paramiko.transport as _pt
_orig_auth_password = _pt.Transport.auth_password
def _auth_password_no_fallback(self, username, password, event=None, fallback=False):
return _orig_auth_password(self, username, password, event=event, fallback=fallback)
_pt.Transport.auth_password = _auth_password_no_fallback
# Serialise SSH logins — only one handshake/auth at a time to avoid RADIUS lockout # Serialise SSH logins — only one handshake/auth at a time to avoid RADIUS lockout
_login_lock = threading.Semaphore(1) _login_lock = threading.Semaphore(1)
@@ -42,7 +50,6 @@ def connect_and_query(ip, login_delay=3):
logger.info(f"Connecting to {ip}...") logger.info(f"Connecting to {ip}...")
# Allow legacy ssh-rsa keys used by FS switches # Allow legacy ssh-rsa keys used by FS switches
import paramiko.transport as _pt
_orig_preferred_keys = _pt.Transport._preferred_keys _orig_preferred_keys = _pt.Transport._preferred_keys
_pt.Transport._preferred_keys = ( _pt.Transport._preferred_keys = (
"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",