SSH and Paramiko

SSH (Secure Shell) is the primary protocol for accessing network device CLIs securely. Paramiko is a pure-Python implementation of SSHv2 that gives you programmatic control over SSH connections — the building block on which higher-level libraries like Netmiko are built.

---

SSH Fundamentals

What is SSH?

SSH provides encrypted communication between a client and a server over an untrusted network:

Feature	Description
Encryption	All traffic is encrypted (AES, ChaCha20)
Authentication	Password or public-key based
Integrity	HMAC ensures data is not tampered with
Port	Default TCP port 22
Replaces	Telnet (port 23), which sends everything in cleartext

SSH Authentication Methods

Method	Description	Security
Password	User provides a username and password	Moderate — vulnerable to brute force
Public key	Client proves identity with a private key; server has the public key	Strong — no password transmitted
Keyboard-interactive	Server prompts for responses (e.g., MFA)	Strong — supports multi-factor

Key Exchange Process

Client                          Server
  │                               │
  │── TCP 3-way handshake ──────>│
  │<─ SSH version exchange ──────│
  │── Key exchange (DH / ECDH) ─>│
  │<─ Server host key ───────────│
  │── Authentication ───────────>│
  │<─ Session established ───────│
  │── Encrypted commands ──────>│
  │<─ Encrypted responses ──────│

---

Paramiko Overview

Paramiko is a low-level SSH library for Python. It provides:

• SSHClient — high-level interface for running commands
• Transport — low-level control over the SSH connection
• SFTPClient — file transfer over SSH
• Channel — interactive shell sessions (needed for network devices)

Installation

pip install paramiko

---

Basic Command Execution

The simplest use of Paramiko is running a command on a remote Linux server:

import paramiko

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

client.connect(
    hostname="192.168.1.10",
    port=22,
    username="admin",
    password="secret",
    timeout=10,
)

stdin, stdout, stderr = client.exec_command("show version")
output = stdout.read().decode("utf-8")
print(output)

client.close()

Warning: AutoAddPolicy() accepts any host key without verification. For production, use RejectPolicy() or load known hosts with client.load_system_host_keys().

---

The Network Device Challenge

The exec_command() method works for Linux servers, but most network devices (Cisco IOS, Arista EOS, etc.) do not support SSH exec channels. Instead, they provide an interactive shell:

Server Type	SSH Channel	Paramiko Method
Linux server	exec	exec_command()
Network device	interactive shell	invoke_shell()

---

Interactive Shell Sessions

For network devices, you must use invoke_shell() and manage the send/receive cycle yourself:

import paramiko
import time

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

client.connect(
    hostname="192.168.1.1",
    username="admin",
    password="secret",
    timeout=10,
)

# Open an interactive shell
shell = client.invoke_shell()
time.sleep(1)  # Wait for the device to send its banner

# Read the initial output (banner, prompt)
output = shell.recv(65535).decode("utf-8")
print(output)

# Send a command
shell.send("show ip interface brief\n")
time.sleep(2)  # Wait for the output

# Read the response
output = shell.recv(65535).decode("utf-8")
print(output)

# Send another command
shell.send("show version\n")
time.sleep(2)

output = shell.recv(65535).decode("utf-8")
print(output)

client.close()

---