Inputs

May 8, 2026 ยท View on GitHub

Index

SSH

Disabling SSH exec channels

Oxidized uses exec channels to make information extraction simpler, but there are some situations where this doesn't work well, e.g. configuring devices. This feature can be turned off by setting the ssh_no_exec variable.

vars:
  ssh_no_exec: true

Disabling SSH keepalives

Oxidized SSH input makes use of SSH keepalives to prevent timeouts from slower devices and to quickly tear down stale sessions in larger deployments. There have been reports of SSH keepalives breaking compatibility with certain OS types. They can be disabled using the ssh_no_keepalive variable on a per-node basis (by specifying it in the source) or configured application-wide.

vars:
  ssh_no_keepalive: true

SSH Auth Methods

By default, Oxidized registers the following auth methods: none, publickey and password. However you can configure this globally, by groups, models or nodes.

vars:
  auth_methods: [ "none", "publickey", "password", "keyboard-interactive" ]

Public Key Authentication with SSH

Instead of password-based login, Oxidized can make use of key-based SSH authentication.

You can tell Oxidized to use one or more private keys globally, or specify the key to be used on a per-node basis. The latter can be done by mapping the ssh_keys variable through the active source.

Global:

vars:
  ssh_keys: "~/.ssh/id_rsa"

Per-Node:

# ...
map:
  name: 0
  model: 1
vars_map:
  enable: 2
  ssh_keys: 3
# ...

If you are using a non-standard path, especially when copying the private key via a secured channel, make sure that the permissions are set correctly:

foo@bar:~$ ls -la ~/.ssh/
total 20
drwx------ 2 oxidized oxidized 4096 Mar 13 17:03 .
drwx------ 5 oxidized oxidized 4096 Mar 13 21:40 ..
-r-------- 1 oxidized oxidized  103 Mar 13 17:03 authorized_keys
-rw------- 1 oxidized oxidized  399 Mar 13 17:02 id_ed25519
-rw-r--r-- 1 oxidized oxidized   94 Mar 13 17:02 id_ed25519.pub

Finally, multiple private keys can be specified as an array of file paths, such as ["~/.ssh/id_rsa", "~/.ssh/id_another_rsa"].

SSH Proxy Command

Oxidized can ssh through a proxy as well. To do so we just need to set ssh_proxy variable with the proxy host information and optionally set the ssh_proxy_port with the SSH port if it is not listening on port 22.

This can be provided on a per-node basis by mapping the proper fields from your source.

An example for a csv input source that maps the 4th field as the ssh_proxy value and the 5th field as ssh_proxy_port.

# ...
map:
  name: 0
  model: 1
vars_map:
  enable: 2
  ssh_proxy: 3
  ssh_proxy_port: 4
# ...

SSH enabling legacy algorithms

When connecting to older firmware over SSH, it is sometimes necessary to enable legacy/disabled settings like KexAlgorithms, HostKeyAlgorithms, MAC or the Encryption.

These settings can be provided on a per-node basis by mapping the ssh_kex, ssh_host_key, ssh_hmac and the ssh_encryption fields from you source.

# ...
map:
  name: 0
  model: 1
vars_map:
  enable: 2
  ssh_kex: 3
  ssh_host_key: 4
  ssh_hmac: 5
  ssh_encryption: 6
# ...

Custom SSH port

Set the variable ssh_port to the desired value (default is 22).

SSH Host key verification

With the configuration `secure', you can set the ssh key verification:

  • true: strict host verification, looking up the known host files
  • false (default): disable host verification, accept any ssh key
input:
  ssh:
    secure: true

SCP

SSH Host key verification (SCP)

Same as for SSH host key verification

input:
  scp:
    secure: true

Custom SCP port

Set the variable ssh_port to the desired value (default is 22).

FTP

FTP Passive Mode

Oxidized uses ftp passive mode by default. Some devices require passive mode to be disabled. To do so, we can set input.ftp.passive to false - this will make use of FTP active mode.

input:
  ftp:
    passive: false

HTTP

Supported HTTP Methods

The HTTP input supports the following HTTP methods:

  • :get - for GET requests
  • :post - for POST requests

These methods are used internally by models that require HTTP-based configuration retrieval. Models can use get_http() and post_http() methods provided by the HTTP input.

Example usage in a model:

cfg :http do
  post_response = post_http('/some/path', payload, 'Some-Extra-Header' => 'value')
  get_response  = get_http('/some/path')
end

HTTP input can be enabled by adding this block to the configuration file:

input:
  http:
    scheme: https
    ssl_verify: true
    timeout: 30

Debugging

In case a model plugin doesn't work correctly (ios, procurve, etc.), you can enable live debugging of SSH and Telnet sessions with the debug option of the input section.

Starting with version 0.37.0, debug can take different values:

  • text: log input and output to a text file (ssh, telnet)
  • yaml: produce a yaml simulation file (ssh, scp)
  • library: activate debug logging of the underlying library
  • a combination of the options above (text, yaml)
  • true; activate all debugging options (Only option for versions prior 0.37.0)

The log files will be created in ~/.config/oxidized/logs/ (or $OXIDIZED_LOGS/logs/).

The following example will log an active ssh/telnet session to ~/.config/oxidized/logs/<IP-Address>-<PROTOCOL>-<timestamp>.txt and for ssh ~/.config/oxidized/logs/<IP-Address>-<PROTOCOL>-<timestamp>.yaml. A new file is created for each session.

input:
  default: ssh, telnet
  debug: yaml, text
  ssh:
    secure: false
  http:
    ssl_verify: true