iDRAC8 2.70.70.70 SSH keyboard interactive authentication

I am not aware of a method to disable that security feature. I suggest checking to see if something like SNMP can be used in place of SSH.

Having the same problem here, since updating a few iDracs to 2.70.70.70 our scripts can not longer log into our iDracs because they respond "Publickey or keyboard-interactive" instead of "Publickey or Password" when connecting via Pythons Paramiko.

You can try the following patch in paramiko client.py:

         if password is not None:
             try:
-                self._transport.auth_password(username, password)
-                return
+                self._log(DEBUG, "trying password")
+                allowed_types = self._transport.auth_password(username, password)
+                if not allowed_types:
+                    return
             except SSHException as e:
                 saved_exception = e
-        elif two_factor:
+        if 'keyboard-interactive' in allowed_types:
             try:
+                self._log(DEBUG, "trying interactive")
                 self._transport.auth_interactive_dumb(username)
                 return

Same. I'm using the same asset scanning software as the OP. It's broken now as of the most recent iDRAC updates. (Also, seemingly, 2.65.65.65 for my R620's iDRAC7. Was working just fine before.)

Please either make available the option to disable the keyboard-interactive auth or retro the feature all together. 

Hey there,

this is a security-related feature and can't be deactivated. Please refer to the iDRAC 8 User’s Guide:

https://dell.to/2A4WbVX

Cheers
Stefan

So this feature - which was added by Dell in a firmware upgrade - has broken things for us - the user -...and what I'm hearing is, "We're not going to fix it - nor are we going to give the user the option to disable this feature on the hardware that they own." followed by a random instruction to read the iDRAC8 manual as though that will somehow help.

Unhelpful. 

Maybe find a way to give us the ability to control our hardware however we choose instead of making these choices for us? Consider adding the ability to disable it in a new release. Seems only proper that if we're spending money on this hardware that we are granted the ability to do with it as we see fit.

Guess I'll just roll back the firmware then.

I'm trying out the 2.75.75.75 firmware for iDRAC 8. This problem (yes "PROBLEM") still persists.

Where is the option to disable this "Keyboard interactive authentication"?

As a customer, I have zero concern for Dell's opinion on whether or not the customer's hand should be held. I want control of my hardware.

This arbitrary, intrusive decision on Dell's part to take it upon themselves to decide these things for us is an inconvenience and it needs to be resolved.

So where is the solution? It is unhelpful to link us to manuals that will obviously yield nothing of relevance.

Please help us figure this out.

Hello @cyrylthewolf,

I understand your point and obviously I can see this is an inconvenience for you and other customers. I can also understand this change will have an impact on customers who are using this protocol for certain functionalities. I am sorry for this.

However, you need to understand that this is, as my colleague @DELL-Stefan R mentioned, a security-related feature. Maybe there is no reason for you to put this functionality in place in terms of security. Maybe you don't care about this and it is perfectly fine in your environment. But from the security perspective is not a matter of "opinion" as you said. It is a matter of security.

The decision behind setting up the Keyboard interactive authentication requirement was made to enhance the security of the SSH connection protocol after several vulnerabilities and exploits were discovered. It's not an arbitrary decision. It's a decision based on the industry security standards and best practice (RFC 4256).

Regards.

I reject your reply for one, simple reason. You are not addressing the complete scope of my comment.

You may recall that, in my comment, I mentioned the ability to disable the functionality.

The decision to not include that ability - to give us the option to disable this function - IS arbitrary. The decision to FORCE the use of this security feature on us - "like it or not" - is arbitrary.

We don't need you to explain security and how it evolves. (Especially because, nowhere that I can see in the RFC doc do I see that this is REQUIRED security.)

This is a SIMPLE solution. Give us the option to DISABLE this function. Plain and simple. Enable it by default if you wish. But give us the ability to DISABLE IT.

This is not a complex concept. Why is it being treated as such?

Hello again @cyrylthewolf,

The security vulnerability I was talking about is CVE-2015-5600. You can look for more information about it on the Internet.

The iDRAC SSHServer including “keyboard interactive authentication” to provide enhanced security started with iDRAC Firmware 2.70.70.70 and iDRAC Firmware 4.00.00.00 (depends on Server model).

As far as I know, there are no plans to remove this functionality or allow it to be disabled. You need to rollback to a prior version of 2.70.70.70 if you want this to be gone.

Finally, if you have setup automation which leverages ssh sessions, you need to ensure that library supports "interactive authentication". 

Sorry I cannot offer you a better solution.

Regards.

Hello again @cyrylthewolf,

Just a quick note: I said: "You need to rollback to a prior version of 2.70.70.70 if you want this to be gone." A "prior version of" means a lower version, like 2.63.60.61, or 2.62, or 2.61... Obviously, if you roll back to the 2.70 will not make it because the change was introduced in this version. (It's right there - in my message.)

This information has been confirmed in our internal Knowledge Base, which is created by our senior engineers. Despite that we'll reach out to them to double check if there are any possibilities to disable the mentioned option. It may take some time before we get back to you. But as soon as I have an answer I will let you know.

Regards.

So now you want to play a petty game of grammar here? OK.

You said: "You need to rollback to a prior version of 2.70.70.70 if you want this to be gone."

Tell me... Just how many revisions of 2.70.70.70 are there? I've never known Dell to use build numbers in their versioning... (e.g. 2.70.70.70.xxxx)

That sentence literally said to use "a prior version of" the thing we are discussing which is a specific version of firmware. (v2.70.70.70.) If you meant to instruct me to use an older version... What you should have said was, "You need to roll back to a version prior to 2.70.70.70."

Do you now understand where YOU failed to articulate your speech in such a way that conveys the actual statement you were trying to make?

And had you just at least offered to pass this information (read: request)  along to actual engineers or get some proper feedback in the first place, we wouldn't be here where we now find ourselves. (Playing a petty grammar game.)

Additionally... Had you just said in your last message that you would speak to engineers, I would have actually just simply thanked you.

But... You decided that snark was a better route. So be it. Let us know what they say. I WILL be waiting.

hi pavel I dm'ed you I can't get that code snippet to work on paramiko can you help please?

I also posted to stack overflow to see if someone can get me past that stupid keyboard authentication 

https://stackoverflow.com/questions/63040634/connecting-ssh-client-with-paramiko-using-python-to-dell-idrac-fails

thanks

nvm I figured it out didn't know there was a method to send a fake entry to the connection no need to edit the client.py file

here is my method to connect if anyone needs it 

def connectSSH(my_file, user_name, password):
    ip = str(my_file.split(',')[0]).strip()
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(ip, 22, user_name, password)
        (ssh.get_transport()).auth_interactive_dumb(user_name)
        return ssh
    except:
        with open(f'{ip}.txt', 'a') as f:
            f.writelines(ip + '\t COULDN\'T CONNECT\n')