Hi there:
I am trying to connect to a server which needs two authentications: public key and password.
I always get the authentication failed exception when using paramiko to connect to the server.
When I use an sftp client, I get the logs below:
```
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /path/to/key
debug1: read PEM private key done: type RSA
Authenticated with partial success.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
username@server's password:
debug1: Authentication succeeded (password).
```
And the paramiko logs show:
```
DEB [20170213-18:00:28.247] thr=1 paramiko.transport: Switch to new keys ...
DEB [20170213-18:00:32.829] thr=1 paramiko.transport: userauth is OK
INF [20170213-18:00:32.879] thr=1 paramiko.transport: Authentication continues...
DEB [20170213-18:00:32.879] thr=1 paramiko.transport: Methods: [u'password']
INF [20170213-18:00:36.810] thr=1 paramiko.transport: Disconnect (code 7): The request to start service ssh-userauth while another service is against protocol.
```
Here is my Python code:
```python
import paramiko
paramiko.util.log_to_file('/path/to/log')
hostname = 'server.name'
port = 12345
username = 'username'
password = 'password'
sshcon = paramiko.SSHClient()
sshcon.set_missing_host_key_policy(paramiko.AutoAddPolicy())
pkey = paramiko.RSAKey.from_private_key_file('/path/to/key')
transport = paramiko.Transport((hostname, port))
transport.connect()
transport.auth_publickey(username=username, key=pkey)
transport.auth_password(username=username, password=password)
```
possibly related to #840
Hi @ploxiln ,
Thanks for the reply, but I think this issue is different from #840.
I tried to trace the code in paramiko; maybe it should not send cMSG_SERVICE_REQUEST twice? And use cMSG_USERAUTH_REQUEST instead of it?
I have solved the problem and maybe there is a bug in paramiko?
Here is the code showing how I solved the problem:
```python
import paramiko
paramiko.util.log_to_file('/path/to/log')
hostname = 'server.name'
port = 12345
username = 'username'
password = 'password'
pkey = paramiko.RSAKey.from_private_key_file('/path/to/key')
transport = paramiko.Transport((hostname, port))
transport.connect()
# auth the public key as usual, auth service now is activated on server
transport.auth_publickey(username=username, key=pkey)
# try to send another userauth request without request auth service
m = paramiko.Message()
m.add_byte(paramiko.common.cMSG_USERAUTH_REQUEST)
m.add_string(username)
m.add_string('ssh-connection')
m.add_string('password')
m.add_boolean(False)
py3_password = paramiko.py3compat.bytestring(password)
m.add_string(py3_password)
transport._send_message(m)
# now it works! : )
sftp_client = paramiko.SFTPClient.from_transport(transport)
```
Maybe something like a service lock is needed in the AuthHandler module, in order to avoid requesting the auth service twice?
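The ordering problem diagnosed in this thread, as an added example that is not part of any comment here and is not paramiko or vshell code: a small constructed model of a server that rejects a second `ssh-userauth` service request, run against both message sequences, plus the wire encoding of the password request that the workaround assembles by hand. The server's strictness, the class and function names, and the two sample sequences are assumptions; the message numbers and disconnect codes are those of RFC 4253 and RFC 4252.

```python
import struct

# Message numbers (RFC 4253 / RFC 4252); 7 is the "code 7" in the paramiko log.
MSG_DISCONNECT, MSG_SERVICE_REQUEST, MSG_SERVICE_ACCEPT = 1, 5, 6
MSG_USERAUTH_REQUEST, MSG_USERAUTH_FAILURE, MSG_USERAUTH_SUCCESS = 50, 51, 52
DISCONNECT_PROTOCOL_ERROR, DISCONNECT_SERVICE_NOT_AVAILABLE = 2, 7

def ssh_string(value):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    data = value.encode("utf-8") if isinstance(value, str) else value
    return struct.pack(">I", len(data)) + data

def password_request(username, password):
    """Payload of a password SSH_MSG_USERAUTH_REQUEST (RFC 4252, section 8)."""
    return (bytes([MSG_USERAUTH_REQUEST]) + ssh_string(username)
            + ssh_string("ssh-connection") + ssh_string("password")
            + b"\x00" + ssh_string(password))  # FALSE = not a password change

class StrictServer:
    """Constructed model, not vshell: rejects a repeated service request."""
    def __init__(self):
        self.service_started, self.remaining = False, ["publickey", "password"]

    def handle(self, msg_type, method=None):
        if msg_type == MSG_SERVICE_REQUEST:
            if self.service_started:
                return (MSG_DISCONNECT, DISCONNECT_SERVICE_NOT_AVAILABLE)
            self.service_started = True
            return (MSG_SERVICE_ACCEPT, "ssh-userauth")
        if msg_type == MSG_USERAUTH_REQUEST and self.service_started:
            accepted = method in self.remaining  # credentials assumed valid
            self.remaining = [m for m in self.remaining if m != method]
            if not self.remaining:
                return (MSG_USERAUTH_SUCCESS, None)
            return (MSG_USERAUTH_FAILURE, (list(self.remaining), accepted))
        return (MSG_DISCONNECT, DISCONNECT_PROTOCOL_ERROR)

def run(messages):
    """Feed (msg_type[, method]) tuples to a fresh server until it disconnects."""
    server, replies = StrictServer(), []
    for message in messages:
        replies.append(server.handle(*message))
        if replies[-1][0] == MSG_DISCONNECT:
            break
    return replies

# Constructed sequences: service requested per auth call, then requested once.
SVC, AUTH = MSG_SERVICE_REQUEST, MSG_USERAUTH_REQUEST
REQUEST_TWICE = [(SVC,), (AUTH, "publickey"), (SVC,), (AUTH, "password")]
REQUEST_ONCE = [(SVC,), (AUTH, "publickey"), (AUTH, "password")]
```

`run(REQUEST_TWICE)` ends in a disconnect with reason 7 right after the partial success, while `run(REQUEST_ONCE)` ends in `SSH_MSG_USERAUTH_SUCCESS`.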
Hi @bitprophet
FYI, the server of this case is vshell
@jacky15 Good to know, though unfortunately that makes it harder to test/troubleshoot, we almost exclusively deal with OpenSSH :(
That said it's definitely possible there are some state-machine/order-of-ops bugs regarding connecting that vserver is more sensitive to, which we could fix. I don't have time to dig right now but offhand if I were you I'd:
SSHClient behaves, it's a semi-canonical workflow for using Transport. Might hold a clue. Thanks!