与Paramiko的无密码SSH连接失败,与SSH相同

时间:2018-07-12 07:35:54

标签: python ssh paramiko

我打算在客户端和服务器之间使用SSH密钥创建使用无密码的连接。

使用paramiko,我最终遇到 AuthenticationException 。通过Popen使用标准SSH,我可以毫无问题地连接

对于Paramiko,我使用以下代码:

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.load_system_host_keys()
client.connect(ssh_server, username=ssh_user)

在相同情况下,我可以使用SSH:

cmd = 'ssh -o GSSAPIAuthentication=no -o ForwardX11=no {}@{} echo 0 > /dev/null'.format(ssh_user, ssh_server)
process = subprocess.Popen(md, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
process.communicate()

我正在使用Python 3.4.6和Paramiko 2.4.1。

更多详细信息:

  • 我能够在其他客户端上与Paramiko建立连接
  • 在此特定客户端上,用于ssh模拟的用户与发起呼叫的用户不同。

Paramiko调试输出 

2018-07-11 20:55:54,025 20730 DEBUG: putting paramiko output to console
2018-07-11 20:55:54,112 20730 DEBUG: starting thread (client mode): 0x4ca07320
2018-07-11 20:55:54,112 20730 DEBUG: Local version/idstring: SSH-2.0-paramiko_2.4.1
2018-07-11 20:55:54,112 20730 DEBUG: Remote version/idstring: SSH-2.0-OpenSSH_7.2
2018-07-11 20:55:54,112 20730 INFO: Connected (version 2.0, client OpenSSH_7.2)
2018-07-11 20:55:54,115 20730 DEBUG: kex algos:['curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'] server encrypt:['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'] client mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
2018-07-11 20:55:54,115 20730 DEBUG: Kex agreed: ecdh-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: HostKey agreed: ecdsa-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: Cipher agreed: aes128-ctr
2018-07-11 20:55:54,115 20730 DEBUG: MAC agreed: hmac-sha2-256
2018-07-11 20:55:54,116 20730 DEBUG: Compression agreed: none
2018-07-11 20:55:54,123 20730 DEBUG: kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
2018-07-11 20:55:54,124 20730 DEBUG: Switch to new keys ...
Exception: No authentication methods available

SSH调试:(使用ssh -v ssh_user AT ssh_server) 

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/pid1083/.ssh/config
debug1: /home/pid1083/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <ssh_server> port 22.
debug1: Connection established.
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c type 1
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 21:1b:bb:32:4c:69:f3:eb:91:79:e7:ca:d4:30:ff:70
debug1: Host '<ssh_server>' is known and matches the ECDSA host key.
debug1: Found key in /home/<logged_in_username>/.ssh/known_hosts:519
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<logged_in_user>/.ssh/id_rsa_c2c
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to <IP_of_server>:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.utf8
debug1: Sending env LC_ADDRESS = en_US.utf8
debug1: Sending env LC_MONETARY = en_US.utf8
debug1: Sending env LC_NUMERIC = en_US.utf8
debug1: Sending env LC_ALL = en_US.utf8
debug1: Sending env LC_TELEPHONE = en_US.utf8
debug1: Sending env LC_MESSAGES = en_US.utf8
debug1: Sending env LC_IDENTIFICATION = en_US.utf8
debug1: Sending env LC_COLLATE = en_US.utf8
debug1: Sending env LANG = en_US.utf8
debug1: Sending env LC_MEASUREMENT = en_US.utf8
debug1: Sending env LC_CTYPE = en_US.utf8
debug1: Sending env LC_TIME = en_DK.utf8
debug1: Sending env LC_NAME = en_US.utf8

1 个答案:

答案 0 :(得分:3)

您的ssh连接有效,因为它使用了~/.ssh/id_rsa_c2c中的私钥(在ssh_config中进行了配置)。 .ssh文件夹和ssh_config文件用作OpenSSH工具集的配置(在这种情况下为ssh)。您不能期望其他SSH客户端/库将使用OpenSSH配置文件。他们一般不会。

如果要对Paramiko使用公钥身份验证,请使用SSHClient.connectkey_filename参数。
另请参见How to ssh connect through python Paramiko with ppk public key

如果Paramiko具有通用名称,例如id_rsaid_dsa等,则Paramiko尤其会使用密钥文件。有关完全相反的问题,请参见Force password authentication (ignore keys in .ssh folder) in Paramiko in Python

强制性警告:除非您不关心安全性,否则请不要使用AutoAddPolicy。您正在通过这种方式失去针对MITM攻击的保护。
有关正确的解决方案,请参见Paramiko "Unknown Server"

相关问题
最新问题