When I use SSHClient to connect to a remote host with password authentication, it fails when I have a local key-file (unrelated) on the client machine. A paramiko.ssh_exception.AuthenticationException is thrown, instead of continuing to ssh password authentication.
Workaround: Use option look_for_keys=False
This workaround is only possible if you control the SSHClient object yourself, not if you use a lib built on paramiko.
Environment
File /home/<user>/.ssh/id_rsa exists (but not relevant to remote host)
Code to reproduce:
import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("remotehost", username="myuser", password="mypassword")
Trace
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 273, in connect
    self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 456, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 447, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/transport.py", line 1057, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/auth_handler.py", line 165, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.
Excerpt from "DEBUG-level log"
DEBUG:paramiko.transport:Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-dss; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying discovered key b'<removed>' in /home/<removed>/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
INFO:paramiko.transport:Disconnect (code 2): unexpected SSH_MSG_SERVICE_REQUEST
The last two lines are not logged and the exception is not thrown when the connection is made with the workaround:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("remotehost", username="myuser",password="mypassword", look_for_keys=False)
DEBUG:paramiko.transport:starting thread (client mode): 0x64d76048
INFO:paramiko.transport:Connected (version 2.0, client 1.37c)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-dss'] client encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-cbc', 'arcfour', 'cast128-cbc'] server encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-cbc', 'arcfour', 'cast128-cbc'] client mac:['hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib'] server compress:['none', 'zlib'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-dss; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
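To tell this failure apart from a plain wrong password when reading paramiko.transport logs, the following added example (not code from paramiko or from anyone in this thread) classifies one connection attempt from its log lines. The function name `triage` and the regular expressions are assumptions based only on the log excerpts quoted in the report above.

```python
import re

# Constructed samples: the failing excerpt quoted in the report, and the tail
# of the successful run made with look_for_keys=False.
FAILING_LOG = """\
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying discovered key b'<removed>' in /home/<removed>/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
INFO:paramiko.transport:Disconnect (code 2): unexpected SSH_MSG_SERVICE_REQUEST
"""
WORKING_LOG = """\
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
"""

KEY_RE = re.compile(r"Trying discovered key .* in (?P<path>\S+)")
AUTH_RE = re.compile(r"Authentication \((?P<method>[\w-]+)\) (?P<result>failed|successful)")
DISC_RE = re.compile(r"Disconnect \(code (?P<code>\d+)\)")


def triage(log_text):
    """Summarise one connection attempt from paramiko.transport log lines."""
    offered_keys, attempts, disconnect_code = [], [], None
    for line in log_text.splitlines():
        if m := KEY_RE.search(line):
            offered_keys.append(m.group("path"))
        elif m := AUTH_RE.search(line):
            attempts.append((m.group("method"), m.group("result") == "successful"))
        elif m := DISC_RE.search(line):
            disconnect_code = int(m.group("code"))
    succeeded = any(ok for _, ok in attempts)
    password_verdict = any(method == "password" for method, _ in attempts)
    # Pattern from this report: a key found on disk was offered, the server
    # disconnected, and no password result (pass or fail) was ever logged.
    key_blocked_password = (bool(offered_keys) and disconnect_code is not None
                            and not succeeded and not password_verdict)
    return {
        "offered_keys": offered_keys,
        "attempts": attempts,
        "disconnect_code": disconnect_code,
        "key_blocked_password": key_blocked_password,
    }
```

A result with `key_blocked_password` set means the supplied password was never judged by the server, so rotating or re-typing the password will not help; disabling key discovery for that connection is the relevant change.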
Sounds related to #387.
I am using Fabric on Windows 2012 server within Git Bash.
$ fab --version
Fabric 1.13.1
Paramiko 2.1.1
Paramiko refuses to see or use any of my .pem files in ~/.ssh/* other than id_rsa
When turning on debugging, you can see that during the SSH conversation, it tries to connect only with ~/.ssh/id_rsa and ignores all other keys in ~/.ssh folder. It doesn't matter if I add the keys to the Git Bash session or not.
The only workaround I have found is to forcibly add id_rsa.pub to all the remote systems' ~/.ssh/authorized_keys or to dynamically change the symlink ~/.ssh/id_rsa is pointing to during script execution.
Edit: Reading #387 it's clear this is probably the wrong place for this note.
I encountered this on Ubuntu 16, Python 2.7, paramiko 2.3.0.
Using 'allow_agent' and 'look_for_keys' fixed the issue for me, as per this StackOverflow post
In summary:
ssh.connect('localhost',username=name,password=pw,allow_agent=False,look_for_keys=False)
Like dharasty said:
ssh.connect('localhost',username=name,password=pw,allow_agent=False,look_for_keys=False)
It'll fail to find the public key but then use password auth and succeed. Annoying but it works.
The workaround will work if you are using paramiko directly. But if you are using a wraparound library like invoke or fabric, you can't override the default paramiko behavior of look_for_keys.
If someone has found a way to do that, please post it.
For Fabric-1.x, you can use the command-line options --no-keys and --no_agent, or you can set env.no_keys and env.no_agent
For Fabric-2.x, you can use config values connect_kwargs.allow_agent and connect_kwargs.look_for_keys in whatever is the normal way to set connect_kwargs for Fabric-2 ...