Pointless 10 second login delay when using SSH keys

[toreanderson]

When logging in to a router using SSH keys (either with passphrase-less keys or with an SSH agent), Net::Netconf::Device->new() consistently takes 10 seconds to return a logged-in object. The reason is the following code at in Net::Netconf::Access::ssh:

# Send our password or passphrase
if ($ssh->expect(10, 'password:', 'Password:', '(yes/no)?', '-re', 'passphrase.*:')) {

(see https://github.com/Juniper/netconf-perl/blob/master/lib/Net/Netconf/Access/ssh.pm#L68)

The problem is that when you're using SSH keys, you will never be prompted for a password. Hence that 10 second timeout will happen every time. When attempting to manage a large number of devices in serial, this significantly lengthens the runtime of automation scripts.

IMHO, the best way to deal with this issue is to get rid of all the Expect crap and instead use an Perl implementation of SSH. (The best one available is probably Net::SSH2.) For what it's worth, I wrote a quick proof of concept Net::Netconf::Access subclass using Net::SSH::Perl::Subsystem::Client. I only required 48 lines of code (compared to the 134 in ssh.pm), so it got way simpler and much more robust than anything using Expect possibly can. And it doesn't have the 10 second login delay, of course. Let me know if you're interested in having a look at this, and I can send you a pull request.

[ganeshrn]

@toreanderson Thanks for the Pull request. Appreciate your contribution.
The initial version of library used Perl based SSH library only but it had lot of dependence and user were facing problem with that so we moved to expect.
Will evaluate if we can have support for both SSH and Expect version simultaneously.

[toreanderson]

Was that Net::SSH2 or some other library (like Net:.SSH::Perl)? I believe Net::SSH2 only depends on libssh2, so the current current Expect approach has both more dependencies (Tcl, Tk, OpenSSH), and those are also much more heavy-weight/larger than libssh2. This you can clearly see when installing the dependencies listed in the README on an Ubuntu 14.04 system (33.9 MB compared to 531 KB, and that excludes OpenSSH which was already installed):

tore@kvmtest:~$ sudo apt-get install libexpect-perl expect expect-dev tcl tcl-dev tk tk-dev
sudo: unable to resolve host kvmtest.i.bitbit.net
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libexpat1-dev libfontconfig1-dev libfreetype6-dev libice-dev libio-stty-perl
  libpng12-dev libpthread-stubs0-dev libsm-dev libtcl8.6 libtk8.6 libx11-dev
  libxau-dev libxcb1-dev libxdmcp-dev libxext-dev libxft-dev libxft2
  libxrender-dev libxss-dev libxss1 libxt-dev tcl8.6 tcl8.6-dev tk8.6
  tk8.6-dev x11proto-core-dev x11proto-input-dev x11proto-kb-dev
  x11proto-render-dev x11proto-scrnsaver-dev x11proto-xext-dev
  xorg-sgml-doctools xtrans-dev zlib1g-dev
Suggested packages:
  libice-doc libsm-doc libxcb-doc libxext-doc libxt-doc tcl-doc
  tcl-tclreadline tcl8.6-doc tk-doc tk8.6-doc
Recommended packages:
  libx11-doc xterm x-terminal-emulator
The following NEW packages will be installed:
  expect expect-dev libexpat1-dev libexpect-perl libfontconfig1-dev
  libfreetype6-dev libice-dev libio-stty-perl libpng12-dev
  libpthread-stubs0-dev libsm-dev libtcl8.6 libtk8.6 libx11-dev libxau-dev
  libxcb1-dev libxdmcp-dev libxext-dev libxft-dev libxft2 libxrender-dev
  libxss-dev libxss1 libxt-dev tcl tcl-dev tcl8.6 tcl8.6-dev tk tk-dev tk8.6
  tk8.6-dev x11proto-core-dev x11proto-input-dev x11proto-kb-dev
  x11proto-render-dev x11proto-scrnsaver-dev x11proto-xext-dev
  xorg-sgml-doctools xtrans-dev zlib1g-dev
0 upgraded, 41 newly installed, 0 to remove and 0 not upgraded.
Need to get 8,196 kB of archives.
After this operation, 33.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.
tore@kvmtest:~$ sudo apt-get install libnet-ssh2-perl
sudo: unable to resolve host kvmtest.i.bitbit.net
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libssh2-1
Recommended packages:
  libterm-readkey-perl
The following NEW packages will be installed:
  libnet-ssh2-perl libssh2-1
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 155 kB of archives.
After this operation, 531 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

If reducing dependencies is a goal, you should definitively apply the patch. :-)

That said, it would certainly be possible to include both the current ssh.pm and my rewrite simultaneously. Just rename one of them, and let the user choose which one he prefers with Net::Netconf::Device->new(access => "foo"). I think my rewrite is the better choice for default, but I'll let you have the final say on that...

Tore

[Jainpriyal]

@toreanderson : can you please share your test cases that you used to check implementation of Net::SSH2. Meanwhile we are checking your pull request for backward compatibility and other issues.

[toreanderson]

I haven't any specific use cases, only our own provisioning scripts (that obviously are very specific to our network environment). We're using them for updating BGP prefix filters, provisioning VLANs, and so on. I replaced your Net::Netconf::Access::ssh with my own, and everything worked just as well as before (better, since there's no 10s login delay anymore). However the fix in 5fc53a3 was needed in order for the BGP prefix filter update script to work, as some of the filters were too large to write in one go.

[Jainpriyal]

@toreanderson : We tested your pull request #20 ,but all test files are getting terminated with following error

"Failed to start subsystem '' at /usr/local/share/perl/5.18.2/Net/Netconf/Device.pm line 179.

After applying below patch

 "$self->{'server'} = 'netconf' unless $self->{'server'};"  

in ssh.pm file before 'my $port = ' line, all programs are working fine. Can you please check your pull request and send a new request with required changes.

[toreanderson]

Fixed in 838acca, thanks! (All my scripts set server=>'netconf' explicitly, so I didn't notice this issue.)

[Jainpriyal]

@toreanderson Thanks for your contribution. We have merged your pull request, closing this issue, please reopen if required.