0

I'm running docker Yang Development Kit for python ydk-py in my remote server Linux Ubuntu. I would like to Establish a connection using the following command in there.

(ydk-py)samples$ ./bgp.py --host <ip-address-of-netconf-server> -u <username> -p <password> --port <port-number>

Where the host is an EC2 instance in AWS. I used to access in EC2 instance via ssh from my machine, where I got the downloaded ssh key.

The following parameters are known --host <ip-address-of-netconf-server> -u <username> but how can I get the password and the port?

In an another word, how to establish NETCONF sessions remove server to Cisco CSR 1000v using the downloaded RSA key?

Improve this question
5
  • What does bgp.py actually contain. Did you write it or is it part of the ydk package? Can you add the contents if short enough, or gist if longer? If these are just the credentials for an ssh connection, the port should be a default of 22. However it's probably bad practice to enter passwords at the command line like this, and I don't think EC2 instances support password authentication out of the box. Perhaps with some edits to the script you could make it use key auth as you mentioned you've done before. Commented Jan 18, 2019 at 12:26
  • @v25 yes, that's the point. Do I need to create IAM user for that purpose? bgp.py is just a sample code from [github.com/CiscoDevNet/ydk-py/blob/master/core/samples/bgp.py] Commented Jan 18, 2019 at 12:29
  • I found a doc for this script here, but it has no mention of pub key auth. I'm struggling to understand what this does. What's meant to happen once this connects? Going through the docs suggests this connects to a Cisco router to do configuration, or am I missing something? If you're connecting to another remote EC2, what's running there? Please clarify the server/client components of this setup. Are you running a netconf server on another EC2 instance? If so what software powers that? Commented Jan 18, 2019 at 13:11
  • @v25 I'm using CSR 1000v that is deployed in EC2 instance. I want to establish SSH connection between the EC2 instance and my remote server based-linux using the python script which is in the link in my previous comment. If you would take a look, HOST, USERNAME and PASSWORK are needed to establish the connection between these two. It happens that I use SSH key downloaeded from AWS console in order to access to the EC2 instance. The problem here, is that I don't know the EC2-USER password of the EC2 instance. Commented Jan 18, 2019 at 13:54
  • Can you try -u cisco1 -p cisco1 --port 830 as per this guide which is actually for IOS XE 16.x Platforms. I've searched arond but can't find anything more specific for default user/pass combo in relation to the AMI of this. Commented Jan 18, 2019 at 16:14

2 Answers 2

Reset to default
1

Oaky, I'm going to have a stab at an answer. This might not get you all the way but hopefully it's a starting point.

EC2

I think the problem you are actually facing is AWS require you to authenticate to your v1000 instance with a key, but YDK is built with password authentication in mind. You could try to hack the instance and enable password authentication, but I wouldn't say this is preferable.

Looks like Netconf runs on port 830 but all the AWS guides that touch on SSH access refer to shelling into the linux instance itself, unless I've misunderstood.

Cisco's guide has a section on Connecting to the CSR 1000v Instance using SSH:

The Cisco CSR 1000v instance on AWS requires SSH for console access. To access the Cisco CSR 1000v AMI, perform the following steps [snip]

ssh -i pem-file-name ec2-user @[public-ipaddress | DNS-name ]

This doesn't mention anything about port 830

Configuring the keys for this, which is mentnioned earlier in the guide, sounds similar to setting up keys for any EC2 linux instance, and should probably work with an IAM user for that purpose as you mention.

YANG

I've searched all around for information on ydk-py and key authentication but found nothing. There is some mention of keys, but usually for accessing the system which hosts ydk-py not the connection to the Cisco box.

However the repo you linked appears to be using ydk.providers.NetconfServiceProvider which is a Python wrapper for C++ NetconfServiceProvider. According to this link, keys are supported:

  • private_key_path – (str) Path to private key file. Requires public_key_path field. Doesn’t allow password field.
  • public_key_path – (str) Path to public key file. Requires private_key_path field. Doesn’t allow password field.

Let's have a look at how bgp.py implements this. It's actually in the file session_mgr.py. This code processes the arugments you pass on the command line:

 parser = OptionParser(usage, formatter=HelpFormatterWithLineBreaks()) parser.add_option("-v", "--version", dest="version", help="force NETCONF version 1.0 or 1.1") parser.add_option("-u", "--user", dest="username", default="admin") parser.add_option("-p", "--password", dest="password", default="admin", help="password") parser.add_option("--proto", dest="proto", default="ssh", help="Which transport protocol to use, one of ssh or tcp") parser.add_option("--host", dest="host", default="localhost", help="NETCONF agent hostname") parser.add_option("--port", dest="port", default=830, type="int", help="NETCONF agent SSH port")

Then just below, an instance is created.

ne = NetconfServiceProvider(address=o.host, port=o.port, username = o.username, password = o.password, protocol = o.proto)

So at this stage you could try passing in private_key_path set to the PEM file of your AMI user.

However this then raises the question: why the default port 830? It seems this might be a separate keypair from what was set up previously. Or maybe I'm not understanding. Is the shell access granted to the AMI image actually netconf with keys? Perhaps someone with more Cisco knowledge could contribute to this.

Searching for documenation on changing the netconf credentials on this AWS version of CSRV1000 doesn't bring up much either. As I mentioned in the comments, there is a guide which suggests the combo is cisco1/cisco1.

Not a full solution but hopefully this is of some assistance.

Improve this answer
4
  • Thanks, @v25 for the answer. I decided before I run a complicated sample, I rather start with a very simple one. The given example here is very simple [github.com/CiscoDevNet/ydk-py-samples] (github link). I added exactly what you asked about passing a private_key_path as parameter for NetconfServiceProvider, and this is what I got Invoked with: kwargs: username='ec2-user', protocol='ssh', address='ec2-35-xxxxxx-us-west-2.compute.amazonaws.com', private_key_path='mykey.pem', ... Obviously there is problem with private_key_path. Commented Jan 18, 2019 at 17:14
  • @KhalilMebarkia You may have more sucess with this query on the github issue logger for ydk-py, as there may be technicalities with passing this variable in. I could accept nobody has tried this software with the AWS EC2 delpoyment of csr1000v specifically, but I find it unlikely that nobody has used key auth for this ever. Commented Jan 18, 2019 at 21:53
  • still did not work :/ it's frustrating Commented Jan 24, 2019 at 10:01
  • @KhalilMebarkia I've posted a suggested on the github issue. Commented Jan 24, 2019 at 15:21
0

I have managed to find the solution.

In the router:

(config)#user any-user-name privilege 15 secret supersecretpassword

Then, it worked! Thanks to anyone who tried to help :)

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.