Sftp check error from paramiko package

praetorianer · April 19, 2022, 9:34am

**CMK version:1.6.0.p25
**OS version:CentOS Linux 7

**Error message:No handlers could be found for logger “paramiko.transport”

**Output of “/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp --verbose --user [user] --secret [pw] --port 21 --host [hostname]

No handlers could be found for logger “paramiko.transport”
Traceback (most recent call last):
File “/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp”, line 267, in
main()
File “/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp”, line 206, in main
client = connection()
File “/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp”, line 132, in connection
timeout=opt_timeout)
File “/omd/sites/live/lib/python/paramiko/client.py”, line 397, in connect
t.start_client(timeout=timeout)
File “/omd/sites/live/lib/python/paramiko/transport.py”, line 587, in start_client
raise e
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner

paramiko is version 2.4.2

Python 2.7.5

any suggestions?

andreas-doehler · April 19, 2022, 9:55am

This is the real error message and points to a timeout for the connection.
There can be different reasons for such an error message.

praetorianer · April 19, 2022, 10:57am

TY @andreas-doehler yes there are more problems, but I still can’t figure them out.

now I get a time out

Traceback (most recent call last):
  File "/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp", line 267, in <module>
    main()
  File "/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp", line 206, in main
    client = connection()
  File "/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp", line 132, in connection
    timeout=opt_timeout)
  File "/omd/sites/live/lib/python/paramiko/client.py", line 343, in connect
    retry_on_signal(lambda: sock.connect(addr))
  File "/omd/sites/live/lib/python/paramiko/util.py", line 280, in retry_on_signal
    return function()
  File "/omd/sites/live/lib/python/paramiko/client.py", line 343, in <lambda>
    retry_on_signal(lambda: sock.connect(addr))
  File "/omd/sites/live/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
socket.timeout: timed out

is it because of the password that I have to set even if it’s not necessary to connect?

i used a key under /pmd/sites/[name]/.ssh/id_rsa

andreas-doehler · April 19, 2022, 11:15am

If you use a keyfile the command should look like.

./check_sftp --host HOSTNAME --user USERNAME --private-key-file /omd/sites/[name]/.ssh/id_rsa --port 21

In your command line is a password specified.

praetorianer · April 19, 2022, 12:35pm

Thank you again @andreas-doehler
I tested now with your suggested command but unfortunately dit not work

option --private-key not recognized

andreas-doehler · April 19, 2022, 12:59pm

The option is “–private-key-file”

praetorianer · April 19, 2022, 2:04pm

sure I tried this first
option --private-key-file not recognized

but then I checked my file (/opt/omd/versions/1.6.0p25.cee/lib/nagios/plugins/check_sftp) and its says

–private-key KEY Private Key for sftp login

I am stuck for min 3 months until I can think of the update to 2.x

andreas-doehler · April 19, 2022, 2:35pm

There is a bug inside the script in 1.6
Around line 102

    elif opt in ['--secret']:
        opt_pass = arg
    elif opt in ['--private-key']:
        opt_pass = arg

this should look like

    elif opt in ['--secret']:
        opt_pass = arg
    elif opt in ['--private-key']:
        opt_key = arg

thl-cmk · April 19, 2022, 4:30pm

Just a quick question, is your SFTP service really running on port 21 (FTP) usually SFTP runs on Port 22 (SSH/SCP/SFTP)?

praetorianer · April 20, 2022, 9:11am

ok i fixed this and also are curious about

77     'privat-key',
may should be 
77     'privat-key=',

also tried to set

62 opt_key = '~/.ssh/id_rsa'

@thl-cmk no it is not but also not 22

i tried to add

126     client.load_system_host_keys()

after researching Client — Paramiko documentation

still get option --private-key not recognized when i set --private-key variable
if not i get still

  File "./check_sftp", line 268, in <module>
    main()
  File "./check_sftp", line 207, in main
    client = connection()
  File "./check_sftp", line 133, in connection
    timeout=opt_timeout)
  File "/omd/sites/live/lib/python/paramiko/client.py", line 343, in connect
    retry_on_signal(lambda: sock.connect(addr))
  File "/omd/sites/live/lib/python/paramiko/util.py", line 280, in retry_on_signal
    return function()
  File "/omd/sites/live/lib/python/paramiko/client.py", line 343, in <lambda>
    retry_on_signal(lambda: sock.connect(addr))
  File "/omd/sites/live/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
KeyboardInterrupt

praetorianer · April 21, 2022, 1:07pm

is someone using sftp check with key file successful?

thl-cmk · April 22, 2022, 5:16pm

@praetorianer have done a little digging myself. Looks like there are more bugs in the check.

first at the same spot as @andreas-doehler said there is also a missing e (privat-key insted of private-key=. In my version of the check this is at line 139 in the def parse_arguments(sys_args): function.

- 139      'privat-key',
+ 139     'private-key=',

the second error is also in the def parse_arguments(sys_args): function. Not opt_pass but opt_key.

166       elif opt in ["--private-key"]:
167            opt_pass = arg

sould be

166       elif opt in ["--private-key"]:
167            opt_key = arg

And the main problem in the def connection(opt_key, opt_host, opt_user, opt_pass, opt_port, opt_timeout): function, in line 50. The pkey option needs to be the actual private key not the file holding the key… see here

48        client.connect(
49            opt_host, username=opt_user, pkey=opt_key, port=opt_port, timeout=opt_timeout
50        )

you can change this to key_filename. Note: the file path needs to be full qulified (not realtive), as there is no path expansion.

48        client.connect(
49            opt_host, username=opt_user, key_filename=opt_key, port=opt_port, timeout=opt_timeout
50        )

whith this changes, my version is at least able to login

OMD[build]:~/local/lib/nagios/plugins$ ./check_sftp --host openbsd --user checkmk --verbose --private-key /omd/sites/build/local/lib/nagios/plugins/checkmk 
Login successful

Hope this helps a little…

thl-cmk · April 22, 2022, 8:11pm

for the sake of completeness…

this was already fixed in werk 13347 in CMK version 2.1.0b1 and 2.0.0p12, so no need for a PR anymore

praetorianer · April 26, 2022, 6:31am

Thank You @thl-cmk yes sis was the last missing puzzle. Login check is fine until I have the change to move the prod system.

@andreas-doehler thanks also to you, I saw you around the corner, so would love to invite you to a beer or Mate at https://thereisno.camp/ this summer if you come around for a chat.

system · April 26, 2023, 6:32am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.