What's in v1.6.8
Single-bug patch release. Strictly additive — no schema changes, no breaking changes, no required user action.
The bug
Backups via Netmiko or SCP through an SSH jump-host failed with No authentication methods available whenever the proxy credential used SSH key auth. Sample log from a real deployment:
[INFO] netmiko_engine: opening proxy jump 10.2.1.10:7006 → 172.22.30.9:22 (proxy user: oxidized)
[INFO] paramiko.transport: Connected (version 2.0, client OpenSSH_9.2p1)
[ERROR] backup_service: Backup failed for mp-sw1: Netmiko error on mp-sw1: No authentication methods available
TCP connect to the jump host succeeded — auth failed because the proxy code path only ever passed password=... to paramiko, with look_for_keys=False and allow_agent=False. If the proxy credential had no password (only a key), paramiko had zero auth methods to try and gave up immediately. Same problem hit the SCP engine's device-level connect, where direct (non-proxy) SCP also couldn't authenticate with a key alone.
The fix
New shared module app/modules/engines/ssh_auth.py with four helpers:
| Helper | What it does |
|---|---|
| require_ssh_auth(cred, purpose) | Validates the credential has at least one auth method (password OR key) and raises a clear ValueError if not |
| client_connect_kwargs(host, port, cred, purpose) | Returns the kwargs dict for paramiko.SSHClient.connect: sets key_filename when ssh_key_path is present, password when a password is present, both when both are. If both are configured, paramiko tries the key first and falls back to the password |
| connect_transport(transport, cred, purpose) | Same logic for the lower-level paramiko.Transport API used by SCP — auth_publickey first, password fallback |
| load_private_key(path, password) | Loads a private key, trying Ed25519 / RSA / ECDSA / DSA in order |
Both engines now route through this helper:
- netmiko_engine._open_proxy() — proxy connect
- scp_engine._open_proxy() — proxy connect
- scp_engine._make_transport() — device-level transport (gains key support it never had before)
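The failure and the fix described above, modelled as an added example (not the project's ssh_auth.py and not code from the release). The Credential fields username and password, all function names, and the choice to keep look_for_keys and allow_agent off after the fix are assumptions; ssh_key_path and the pre-fix kwargs come from the notes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Credential:  # hypothetical shape; only ssh_key_path is named on the page
    username: Optional[str] = None
    password: Optional[str] = None
    ssh_key_path: Optional[str] = None

def legacy_proxy_kwargs(host, port, cred):
    """Pre-fix behaviour from the notes: password only, key discovery off."""
    return {"hostname": host, "port": port, "username": cred.username,
            "password": cred.password,
            "look_for_keys": False, "allow_agent": False}

def check_has_auth(cred, purpose):
    """Fail early with a clear message instead of paramiko's generic error."""
    if not cred.username:
        raise ValueError(f"{purpose}: credential has no username")
    if not (cred.password or cred.ssh_key_path):
        raise ValueError(f"{purpose}: credential has neither password nor SSH key")

def build_connect_kwargs(host, port, cred, purpose):
    """Kwargs for paramiko.SSHClient.connect using only the configured credential."""
    check_has_auth(cred, purpose)
    # Assumption: discovery stays off so no unrelated local or agent key is offered.
    kwargs = {"hostname": host, "port": port, "username": cred.username,
              "look_for_keys": False, "allow_agent": False}
    if cred.ssh_key_path:
        kwargs["key_filename"] = cred.ssh_key_path
    if cred.password:
        kwargs["password"] = cred.password
    return kwargs

def auth_methods(kwargs):
    """Methods paramiko can attempt with discovery off; empty means the reported error."""
    methods = []
    if kwargs.get("key_filename"):
        methods.append("publickey")
    if kwargs.get("password"):
        methods.append("password")
    return methods

if __name__ == "__main__":
    # Constructed credential mirroring the repro: key only, no password.
    key_only = Credential(username="oxidized", ssh_key_path="/constructed/id_ed25519")
    print(auth_methods(legacy_proxy_kwargs("10.2.1.10", 7006, key_only)))
    print(auth_methods(build_connect_kwargs("10.2.1.10", 7006, key_only, "proxy")))
```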
Verified
- 6 new unit tests in tests/test_ssh_auth.py covering password-only, key-only, both, neither (raises), and missing username (raises)
- Full suite: 56 passed, 1 skipped (was 50 + 1 before)
- Original repro environment (proxy user oxidized over key auth) now succeeds without changes to the Credential row
Upgrading
Pull and restart — that's it. Existing devices/proxies configured with passwords keep working unchanged. Users who had hit No authentication methods available on key-auth jump hosts will now succeed.
- Docker: docker compose pull && docker compose up -d
- Shell / systemd: rerun install.sh
Commits
8049dcc — v1.6.8: SSH proxy / SCP honor key-based auth