How to use paramiko for an ssh connection with gssapi-with-mic authentication

Time: 2017-02-10 05:27:58

Tags: python ssh kerberos paramiko gssapi

After years of finding that every question has already been asked, I finally have occasion to ask one myself. I'm afraid this question is rather specific, but I'll try to be as detailed as possible.

I am trying to use paramiko to connect to a remote server from a python3 script. Normally this works fine.

import paramiko as pm

pm.util.log_to_file('debug.log')
client = pm.client.SSHClient()
client.load_system_host_keys()
# works
client.connect('servername', username='username')

# run a command over the authenticated session
stdin, stdout, stderr = client.exec_command("touch testing")

However, I am trying to apply this to a server that uses Kerberos authentication. Since the documentation is rather cryptic to me, I don't know where to look.

For a normal ssh -v login I get:

debug1: Reading configuration data /home/***/.ssh/config
debug1: /home/***/.ssh/config line 40: Applying options for excalibur
debug1: Connecting to excalibur.arl.hpc.mil [140.31.71.19] port 22.
debug1: Connection established.
debug1: identity file /home/***/.ssh/id_rsa type 1
debug1: identity file /home/***/.ssh/id_rsa-cert type -1
debug1: identity file /home/***/.ssh/id_dsa type -1
debug1: identity file /home/***/.ssh/id_dsa-cert type -1
debug1: identity file /home/***/.ssh/id_ecdsa type -1
debug1: identity file /home/***/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1a
debug1: match: OpenSSH_7.3p1a pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1a
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 63:86:77:97:9b:48:ea:99:c5:60:d8:1f:c2:f5:8e:38
debug1: Host 'SERVERNAME' is known and matches the ECDSA host key.
debug1: Found key in /home/***/.ssh/known_hosts:13
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to excalibur.arl.hpc.mil ([140.31.71.19]:22).
debug1: Final hpn_buffer_size = 131072
debug1: HPN Disabled: 0, HPN Buffer Size: 131072
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling

To me this means gssapi-with-mic is used for authentication. Therefore I changed my test script to:

import paramiko as pm
import gssapi

pm.util.log_to_file('debug.log')
client = pm.client.SSHClient()
client.load_system_host_keys()

#client.set_missing_host_key_policy(pm.AutoAddPolicy())
# enable GSSAPI user authentication and GSSAPI key exchange
client.connect('server', username='username', gss_auth=True, gss_kex=True)
stdin, stdout, stderr = client.exec_command("touch testing")

However, this raises an error:

client.connect('HOSTNAME', username='USERNAME',gss_auth=True,gss_kex=True)
File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/client.py", line 380, in connect
File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/client.py", line 621, in _auth
File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/client.py", line 598, in _auth
File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/transport.py", line 1327, in auth_publickey
paramiko.ssh_exception.SSHException: No existing session

I think the last line just says that the touch command was not successful, and the rest only indicates that something went wrong without giving a helpful hint.

Looking at debug.log shows:

DEB [20170210-00:00:23.772] thr=1   paramiko.transport: starting thread (client mode): 0x73b15a58
DEB [20170210-00:00:23.772] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.1.1
DEB [20170210-00:00:23.772] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_7.3p1a
INF [20170210-00:00:23.772] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_7.3p1a)
DEB [20170210-00:00:23.782] thr=1   paramiko.transport: kex algos:['curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'gss-group1-sha256-', 'gss-group14-sha256-', 'gss-gex-sha256-', 'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr'] server encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr'] client mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEB [20170210-00:00:23.782] thr=1   paramiko.transport: Kex agreed: diffie-hellman-group14-sha1
DEB [20170210-00:00:23.782] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20170210-00:00:23.782] thr=1   paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20170210-00:00:23.782] thr=1   paramiko.transport: Compression agreed: none
DEB [20170210-00:00:23.836] thr=1   paramiko.transport: kex engine KexGroup14 specified hash_algo <built-in function openssl_sha1>
DEB [20170210-00:00:23.837] thr=1   paramiko.transport: Switch to new keys ...
DEB [20170210-00:00:23.893] thr=1   paramiko.transport: userauth is OK
ERR [20170210-00:00:24.007] thr=1   paramiko.transport: Unknown exception: (851968) Unspecified GSS failure.  Minor code may provide more information. Minor code: (2529639053) No Kerberos credentials available. Target: HOSTNAME
ERR [20170210-00:00:24.020] thr=1   paramiko.transport: Traceback (most recent call last):
ERR [20170210-00:00:24.020] thr=1   paramiko.transport:   File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/ssh_gss.py", line 285, in ssh_init_sec_context
ERR [20170210-00:00:24.020] thr=1   paramiko.transport:     token = self._gss_ctxt.step(token)
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:   File "/home/USERNAME/lib/python3.5/site-packages/python_gssapi-0.6.2-py3.5-linux-x86_64.egg/gssapi/ctx.py", line 757, in step
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:     raise _exception_for_status(retval, minor_status[0], None, out_token)
ERR [20170210-00:00:24.021] thr=1   paramiko.transport: gssapi.error.Failure: (851968) Unspecified GSS failure.  Minor code may provide more information. Minor code: (2529639053) No Kerberos credentials available.
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:
ERR [20170210-00:00:24.021] thr=1   paramiko.transport: During handling of the above exception, another exception occurred:
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:
ERR [20170210-00:00:24.021] thr=1   paramiko.transport: Traceback (most recent call last):
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:   File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/transport.py", line 1795, in run
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:     self.auth_handler._handler_table[ptype](self.auth_handler, m)
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:   File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/auth_handler.py", line 264, in _parse_service_accept
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:     self.username,))
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:   File "/home/USERNAME/lib/python3.5/site-packages/paramiko-2.1.1-py3.5.egg/paramiko/ssh_gss.py", line 290, in ssh_init_sec_context
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:     self._gss_host))
ERR [20170210-00:00:24.021] thr=1   paramiko.transport: gssapi.error.GSSException: (851968) Unspecified GSS failure.  Minor code may provide more information. Minor code: (2529639053) No Kerberos credentials available. Target: HOSTNAME
ERR [20170210-00:00:24.021] thr=1   paramiko.transport:
DEB [20170210-00:00:24.023] thr=2   paramiko.transport: Trying discovered key b'1e15eb352834796798e72c7a50eb137e' in /home/USERNAME/.ssh/id_rsa

Now the questions are twofold:

1) The 'error' I get is hard for me to start from. If someone more experienced sees a lead, help would be very much appreciated.

2) I am not sure whether I am using the gssapi part correctly. For example, looking at the paramiko gss-api documentation shows there is paramiko.ssh_gss._SSH_GSSAuth(auth_method, gss_deleg_creds), where I might need to specify auth_method=gssapi-with-mic, but I have no intuitive way (that works for me) of using this object, and I cannot find any examples online. Also, setting gss_kex=False makes more sense to me, but with this option the login attempt stops even earlier. Can anyone shed some light on this or provide a minimal working example of how to use it properly?

Thanks in advance,

(I am aware of the post Trouble connecting via paramiko + kerberos, but unfortunately it is still unanswered and lacks details in the initial post.)
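As an added example (not part of the question, and not paramiko's own code): a small Python helper that pulls the GSS major/minor codes out of debug.log lines in the format shown above, flags the "No Kerberos credentials available" case as a missing ticket, checks for a ticket with MIT Kerberos `klist -s`, and builds connect() arguments for gssapi-with-mic user authentication only (gss_kex off, gss_host pinned to the server's FQDN). The function names, the hint text and the use of klist are my assumptions; gss_auth, gss_kex, gss_deleg_creds and gss_host are real connect() parameters.

```python
import re
import shutil
import subprocess

# Matches the line paramiko's transport logs when the GSSAPI security
# context fails (format copied from the question's debug.log).
_GSS_FAILURE = re.compile(
    r"^ERR \[[^\]]+\] thr=\d+\s+paramiko\.transport: .*?\((?P<major>\d+)\) "
    r".*?Minor code: \((?P<minor>\d+)\) (?P<minor_msg>[^.]+)\.(?: Target: (?P<target>\S+))?"
)

# Constructed sample, taken from the failure line in the question's log.
SAMPLE_LOG = [
    "ERR [20170210-00:00:24.007] thr=1   paramiko.transport: Unknown exception: "
    "(851968) Unspecified GSS failure.  Minor code may provide more information. "
    "Minor code: (2529639053) No Kerberos credentials available. Target: HOSTNAME",
]

def parse_gss_failure(line):
    """GSS major/minor codes, minor message and target from one log line, else None."""
    m = _GSS_FAILURE.match(line)
    if m is None:
        return None
    return {"major": int(m["major"]), "minor": int(m["minor"]),
            "minor_msg": m["minor_msg"].strip(), "target": m["target"]}

def diagnose(log_lines):
    """One finding per distinct (major, minor) GSS failure, with a client-side hint."""
    seen, findings = set(), []
    for f in map(parse_gss_failure, log_lines):
        if f is None or (f["major"], f["minor"]) in seen:
            continue
        seen.add((f["major"], f["minor"]))
        if "No Kerberos credentials available" in f["minor_msg"]:
            f["hint"] = "no TGT in the credential cache: obtain one (kinit) before connect()"
        else:
            f["hint"] = "GSS context failed for target %s: check the host principal" % f["target"]
        findings.append(f)
    return findings

def has_kerberos_ticket():
    """True when MIT `klist -s` finds an unexpired ticket; False if klist is not installed."""
    if shutil.which("klist") is None:
        return False
    return subprocess.run(["klist", "-s"]).returncode == 0

def gss_connect_kwargs(host, username, delegate=False):
    """connect() keyword arguments for gssapi-with-mic user auth only: GSS key
    exchange off and gss_host pinned to the FQDN of the server's host/ principal."""
    return {"hostname": host, "username": username, "gss_auth": True,
            "gss_kex": False, "gss_deleg_creds": delegate, "gss_host": host}
```

With a ticket present, client.connect(**gss_connect_kwargs(fqdn, user)) is the call to try; when it fails, diagnose() over the debug.log lines names the GSS error instead of the misleading "No existing session" from the later public-key attempt.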
