Paramiko AuthenticationException问题

时间:2010-11-09 15:18:35

标签: python ssh paramiko

我在使用Paramiko(版本1.7.6-2)ssh客户端连接设备时遇到问题:

$ python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56) 
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko
>>> ssh = paramiko.SSHClient()
>>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> ssh.connect("123.0.0.1", username="root", password=None)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 327, in connect
    self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
  File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 481, in _auth
    raise saved_exception
paramiko.AuthenticationException: Authentication failed.
>>> 

当我从命令行使用ssh时,它可以正常工作:

ssh root@123.0.0.1


BusyBox v1.12.1 (2010-11-03 13:18:46 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# 

之前有人见过这个吗?

修改1

以下是ssh命令的详细输出:

:~$ ssh -v root@123.0.0.1
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 123.0.0.1 [123.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/waffleman/.ssh/identity type -1
debug1: identity file /home/waffleman/.ssh/id_rsa type -1
debug1: identity file /home/waffleman/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '123.0.0.1' is known and matches the RSA host key.
debug1: Found key in /home/waffleman/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentication succeeded (none).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8

编辑2 这是带有调试输出的python输出:

Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56) 
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko, os
>>> paramiko.common.logging.basicConfig(level=paramiko.common.DEBUG)
>>> ssh = paramiko.SSHClient()
>>> ssh.load_system_host_keys()
>>> ssh.load_host_keys(os.path.expanduser('~/.ssh/known_hosts'))
>>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> ssh.connect("123.0.0.1", username='root', password=None)
DEBUG:paramiko.transport:starting thread (client mode): 0x928756cL
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_5.1)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', 'rijndael-cbc@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] server encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', 'rijndael-cbc@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] client mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying discovered key b945197b1de1207d9aa0663f01888c3c in /home/waffleman/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 327, in connect
    self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
  File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 481, in _auth
    raise saved_exception
paramiko.AuthenticationException: Authentication failed.
>>> 

7 个答案:

答案 0 :(得分:7)

远程设备上的ssh服务器拒绝了您的身份验证。确保您使用的是正确的密钥,并且该设备没有任何其他访问限制。如果没有来自服务器的日志,很难说是怎么回事。

[编辑]我回顾了您的输出,您正在使用None身份验证进行身份验证。这通常是不允许的,用于确定服务器允许的auth方法。您的服务器可能正在使用基于主机的身份验证(或者根本没有!)。

由于auth_none()很少使用,因此无法从SSHClient类访问,因此您需要直接使用Transport

transport.auth_none('root') 

答案 1 :(得分:4)

作为对这件事情的后期跟进非常晚,我认为我在一个有限的网络背景下遇到了与华夫饼人相同的问题。

关于在auth_none对象上使用Transport的提示非常有用,但我发现自己对如何实现它感到有些困惑。至少从今天开始,我无法获得Transport对象的SSHClient对象,直到它连接为止;但它首先不会连接......

所以如果这对其他人有用,我的工作就在下面。我只是覆盖了_auth方法。

好吧,这很脆弱,因为_auth是私事。我的其他选择 - 实际上仍然是 - 手动创建TransportChannel对象,但暂时我感觉自己好多了,所有这些仍然在引擎盖下。

from paramiko import SSHClient, BadAuthenticationType

class SSHClient_try_noauth(SSHClient):

    def _auth(self, username, *args):
        try:
            self._transport.auth_none(username)
        except BadAuthenticationType:
            super()._auth(username, *args)

答案 2 :(得分:2)

确保公钥和私钥文件(以及可能包含的文件夹)的权限设置为非常严格(即chmod 600 id_rsa)。事实证明,这需要(通过操作系统?)将文件用作ssh密钥。从我乐于助人的同事发现这个:) 还要确保您使用的是给定ssh密钥的正确用户名。

答案 3 :(得分:0)

paramiko's SSHClient具有load_system_host_keys方法,您可以使用该方法加载用户特定的密钥集。作为docs explain中的示例,它需要在连接到服务器之前运行。

答案 4 :(得分:0)

当服务器使用AD身份验证时,我收到类似的错误。我认为这是paramiko的一个错误。我知道在使用paramiko之前我必须设置ssh密钥。

答案 5 :(得分:0)

服务器端(您要连接的sshd)可能有不同的原因,因此可能很难在客户端进行调试。

例如tail -f /var/log/secure

  

10月9日15:50:26 pc1udatahgw04 sshd [27501]:身份验证被拒绝:错误   目录/ home / testuser的所有权或模式

如果您运行ls -lad /home/testuser以查看权限,则在本例中将看到例如:

$ ls -lad /home/testuser
drwxrwxr-x 16 testuser  testgroup 57344 Oct  9 15:23 /home/testuser

通知第二w位。打开主目录以进行组写入。 sshd在这种情况下拒绝基于密钥的身份验证。

再次,检查服务器端的sshd登录。可能还有其他已经提到的问题

  • /home/user/.ssh目录太开放
  • /home/user/.ssh/id_rsa文件过于打开
  • /home/user/.ssh/id_rsa.pub文件过于打开
  • /home/user/.ssh/id_ecdsa文件太打开
  • /home/user/.ssh/id_ecdsa.pub文件过于打开

等。

答案 6 :(得分:-4)

我试过删除〜。/ ssh文件夹,然后它运行良好