Paramiko: 2-Factor authentication is not working

Created on 13 Feb 2017  ·  5 Comments  ·  Source: paramiko/paramiko

Hi there:

I am trying to connect to a server which needs two authentications: public-key and password.
I always get the authentication failed exception when using paramiko to connect to the server.

When I use the sftp client, I get the logs below:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /path/to/key
debug1: read PEM private key done: type RSA
Authenticated with partial success.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
username@server's password: 
debug1: Authentication succeeded (password).

And the paramiko logs show:

DEB [20170213-18:00:28.247] thr=1   paramiko.transport: Switch to new keys ...
DEB [20170213-18:00:32.829] thr=1   paramiko.transport: userauth is OK
INF [20170213-18:00:32.879] thr=1   paramiko.transport: Authentication continues...
DEB [20170213-18:00:32.879] thr=1   paramiko.transport: Methods: [u'password']
INF [20170213-18:00:36.810] thr=1   paramiko.transport: Disconnect (code 7): The request to start service ssh-userauth while another service is against protocol. 

Here is my Python code:

import paramiko
paramiko.util.log_to_file('/path/to/log')
hostname = 'server.name'
port = 12345
username = 'username'
password = 'password'
sshcon   = paramiko.SSHClient()
sshcon.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 
pkey = paramiko.RSAKey.from_private_key_file('/path/to/key')

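transport = paramiko.Transport((hostname, port))
# connect() without credentials only negotiates the transport (key exchange)
transport.connect()
# first factor: the server answers with partial success and offers 'password'
transport.auth_publickey(username=username, key=pkey)
# second factor: the server disconnects here (code 7, see the paramiko log above)
transport.auth_password(username=username, password=password)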

Labels: Bug, Needs investigation, Nonstandard platforms

All 5 comments

possibly related to #840

Hi @ploxiln ,
thanks for the reply, but I think this issue is different from #840 .

I tried to trace the code in paramiko, maybe it should not send cMSG_SERVICE_REQUEST twice? And use cMSG_USERAUTH_REQUEST instead of it?

I have solved the problem and maybe there is a bug in paramiko?
Here is the code showing how I solved the problem:

import paramiko
paramiko.util.log_to_file('/path/to/log')
hostname = 'server.name'
port = 12345
username = 'username'
password = 'password' 
pkey = paramiko.RSAKey.from_private_key_file('/path/to/key')

transport = paramiko.Transport((hostname, port))
transport.connect()

# authenticate with the public key as usual; the auth service is now activated on the server
transport.auth_publickey(username=username, key=pkey)

# try to send another userauth request without requesting the auth service again
m = paramiko.Message()
m.add_byte(paramiko.common.cMSG_USERAUTH_REQUEST)
m.add_string(username)
m.add_string('ssh-connection')
m.add_string('password')
m.add_boolean(False)
py3_password = paramiko.py3compat.bytestring(password)
m.add_string(py3_password)
transport._send_message(m)

# now it works! : )
sftp_client = paramiko.SFTPClient.from_transport(transport)

Maybe something like a service lock is needed in the AuthHandler module, in order to avoid requesting the auth service twice?
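
An added example, not part of the comment above and not paramiko's code: a stdlib-only model of the "service lock" idea, which emits the ssh-userauth service request once per connection and builds each SSH_MSG_USERAUTH_REQUEST in the same field order the workaround assembles by hand. AuthSequencer and the helper names are hypothetical; message numbers 5 and 50 come from RFC 4253 and RFC 4252.

```python
import struct

# SSH message numbers: RFC 4253 (service request), RFC 4252 (user auth).
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50


def ssh_string(value):
    """SSH 'string' type: uint32 big-endian length, then the bytes."""
    data = value.encode("utf-8") if isinstance(value, str) else value
    return struct.pack(">I", len(data)) + data


def userauth_request(username, method, payload=b""):
    """SSH_MSG_USERAUTH_REQUEST: user, service to run after auth, method, method data."""
    return (bytes([MSG_USERAUTH_REQUEST]) + ssh_string(username)
            + ssh_string("ssh-connection") + ssh_string(method) + payload)


def password_payload(password):
    """Method data for 'password': boolean FALSE (no password change), then the password."""
    return b"\x00" + ssh_string(password)


def parse_request_fields(packet):
    """Decode [user, service, method] from a userauth request, skipping the type byte."""
    pos, fields = 1, []
    for _ in range(3):
        (length,) = struct.unpack_from(">I", packet, pos)
        fields.append(packet[pos + 4:pos + 4 + length].decode())
        pos += 4 + length
    return fields


class AuthSequencer:
    """Hypothetical 'service lock': ask for ssh-userauth once per connection."""

    def __init__(self):
        self.service_requested = False
        self.sent = []  # packets in the order they would go on the wire

    def authenticate(self, username, method, payload=b""):
        if not self.service_requested:
            self.sent.append(bytes([MSG_SERVICE_REQUEST]) + ssh_string("ssh-userauth"))
            self.service_requested = True
        self.sent.append(userauth_request(username, method, payload))
        return self.sent[-1]
```

Calling authenticate() for "publickey" and then for "password" on one AuthSequencer leaves message numbers 5, 50, 50 in sent: a single service request followed by two userauth requests.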

Hi @bitprophet

FYI, the server in this case is vshell

@jacky15 Good to know, though unfortunately that makes it harder to test/troubleshoot, we almost exclusively deal with OpenSSH :(

That said it's definitely possible there are some state-machine/order-of-ops bugs regarding connecting that vserver is more sensitive to, which we could fix. I don't have time to dig right now but offhand if I were you I'd:

  • double-check what you're doing in both snippets against how SSHClient behaves, it's a semi-canonical workflow for using Transport. Might hold a clue.
  • search for other tickets relating to what you think the issue might be (re: extra MSG_SERVICE_REQUEST etc) in case it's come up elsewhere before

Thanks!
