Add ngs_ssh_disabled_algorithms setting

This requires netmiko >= 4.0.0 and paramiko >= 2.6.0 so that the following
change is available: ktbyers/netmiko#2646

Change-Id: I6f5d520a1ce5750e2feda9119edfcda9471a1fad

Author: jonglezb

doc/source/configuration.rst

@@ -386,3 +386,26 @@ If no physical network is declared in a switch configuration, then VLANs for
 all physical networks will be created on this switch.
 
 Note that this option is only used if ``ngs_manage_vlans = True``.
+
+SSH algorithm configuration
+===========================
+
+You may need to tune the SSH negotiation process for some devices.  Reasons
+include using a faster key exchange algorithm, disabling an algorithm that
+has a buggy implementation on the target device, or working around limitations
+related to FIPS requirements.
+
+The ``ngs_ssh_disabled_algorithms`` configuration parameter allows to selectively
+disable algorithms of a given type (key exchange, cipher, MAC, etc). It is based
+on `Paramiko's disabled_algorithms setting
+<https://docs.paramiko.org/en/stable/api/transport.html#paramiko.transport.Transport.__init__>`__.
+
+The format is a list of ``<type>:<algorithm>`` entries to disable. The same type
+can be repeated several times with different algorithms. Here is an example configuration::
+
+    [genericswitch:device-hostname]
+    ngs_ssh_disabled_algorithms = kex:diffie-hellman-group-exchange-sha1, ciphers:blowfish-cbc, ciphers:3des-cbc
+
+As of Paramiko 2.9.1, the valid types are ``ciphers``, ``macs``, ``keys``, ``pubkeys``,
+``kex``, ``gsskex``.  However, this might change depending on the version of Paramiko.
+Check Paramiko source code or documentation to determine the accepted algorithm types.

networking_generic_switch/devices/__init__.py

@@ -14,6 +14,7 @@
 
 import abc
 
+from neutron_lib.utils.helpers import parse_mappings
 from oslo_log import log as logging
 from oslo_utils import strutils
 import stevedore
@@ -31,6 +32,9 @@
     {'name': 'ngs_port_default_vlan'},
     # Comma-separated list of physical networks to which this switch is mapped.
     {'name': 'ngs_physical_networks'},
+    # Comma-separated list of entries formatted as "<type>:<algorithm>",
+    # specifying SSH algorithms to disable.
+    {'name': 'ngs_ssh_disabled_algorithms'},
     {'name': 'ngs_ssh_connect_timeout', 'default': 60},
     {'name': 'ngs_ssh_connect_interval', 'default': 10},
     {'name': 'ngs_max_connections', 'default': 1},
@@ -139,6 +143,18 @@ def _get_network_name(self, network_id, segmentation_id):
         return network_name_format.format(network_id=network_id,
                                           segmentation_id=segmentation_id)
 
+    def _get_ssh_disabled_algorithms(self):
+        """Return a dict of SSH algorithms to disable.
+
+        The dict is in a suitable format for feeding to Netmiko/Paramiko.
+        """
+        algorithms = self.ngs_config.get('ngs_ssh_disabled_algorithms')
+        if not algorithms:
+            return {}
+        # Builds a dict: keys are types, values are list of algorithms
+        return parse_mappings(algorithms.split(','), unique_keys=False,
+                              unique_values=False)
+
     def _do_vlan_management(self):
         """Check if drivers should add and remove VLANs from switches."""
         return strutils.bool_from_string(self.ngs_config['ngs_manage_vlans'])

networking_generic_switch/devices/netmiko_devices/__init__.py

@@ -108,6 +108,11 @@ def __init__(self, device_cfg):
             raise exc.GenericSwitchNetmikoNotSupported(
                 device_type=device_type)
         self.config['device_type'] = device_type
+        # Don't pass disabled_algorithms by default to keep compatibility
+        # with older versions of Netmiko.
+        disabled_algorithms = self._get_ssh_disabled_algorithms()
+        if disabled_algorithms:
+            self.config['disabled_algorithms'] = disabled_algorithms
         if CONF.ngs.session_log_file:
             self.config['session_log'] = CONF.ngs.session_log_file
             self.config['session_log_record_writes'] = True

networking_generic_switch/tests/unit/test_devices.py

@@ -202,3 +202,19 @@ def test__get_network_name_both(self):
         device = FakeDevice(device_cfg)
         name = device._get_network_name('fake-id', 22)
         self.assertEqual('fake-id_net_22', name)
+
+    def test__get_ssh_disabled_algorithms(self):
+        algos = (
+            "kex:diffie-hellman-group-exchange-sha1, "
+            "ciphers:blowfish-cbc, ciphers:3des-cbc"
+        )
+        device_cfg = {
+            "ngs_ssh_disabled_algorithms": algos
+        }
+        device = FakeDevice(device_cfg)
+        algos = device._get_ssh_disabled_algorithms()
+        expected = {
+            "kex": ["diffie-hellman-group-exchange-sha1"],
+            "ciphers": ["blowfish-cbc", "3des-cbc"],
+        }
+        self.assertEqual(expected, algos)

releasenotes/notes/add-ngs_ssh_disabled_algorithms-dfe3e805f480ce90.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add new device setting ``ngs_ssh_disabled_algorithms``.  This allows to
+    selectively disable SSH algorithms of various types, which may help to
+    speed up SSH connection (faster key exchange algorithm) or to workaround
+    buggy SSH implementations found on some devices.