Paramiko/pysftp connection fails with "Negotiation failed"/"invalid DH value", but GUI clients and sftp connect

Time: 2019-09-19 15:19:50

Tags: python ssh sftp paramiko pysftp

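I am trying to connect to a remote SFTP server using Python (specifically pysftp). With FileZilla or WinSCP on Windows, and with sftp on Linux (specifically AWS Linux), I can connect without any problems. The connection fails with the error

SSHException: Negotiation failed.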

Am I missing a setting somewhere?

I initially thought the problem was with the host key, but I get the same result whether I pass a host key file or set the host keys to None (using pysftp).

This seems to happen early in the connection, as I get exactly the same result if I use a random username or password.

import pysftp
import logging

logging.basicConfig(level=logging.DEBUG)

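cnopts = pysftp.CnOpts()
# Raw strings keep the backslashes in the Windows paths literal
cnopts.hostkeys.load(r'C:\Temp\known_hosts')
cnopts.log = r'C:\Temp\ftplog.txt'
# Second variant tried: hostkeys = None turns off host key verification
cnopts.hostkeys = None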

with pysftp.Connection(port = 2222, 
                       host = 'ftp.apxgroup.com', 
                       username = 'my.username', 
                       password = 'thepassword', 
                       cnopts = cnopts) as srv:

    data = srv.listdir()

for i in data:
    print(i)

The debug output is as follows:

DEBUG:paramiko.transport:starting thread (client mode): 0x4b1deef0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.6.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-srtSSHServer_11.00
INFO:paramiko.transport:Connected (version 2.0, client srtSSHServer_11.00)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha256', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha512@ssh.com', 'diffie-hellman-group15-sha256', 'diffie-hellman-group15-sha512', 'diffie-hellman-group16-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group17-sha512', 'diffie-hellman-group18-sha512'] server key:['ssh-rsa'] client encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-ctr', '3des-cbc', 'cast128-cbc'] server encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-ctr', '3des-cbc', 'cast128-cbc'] client mac:['hmac-sha1', 'hmac-sha2-224', 'hmac-sha2-256', 'hmac-sha2-384', 'hmac-sha2-512', 'hmac-md5'] server mac:['hmac-sha1', 'hmac-sha2-224', 'hmac-sha2-256', 'hmac-sha2-384', 'hmac-sha2-512', 'hmac-md5'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group16-sha512
DEBUG:paramiko.transport:HostKey agreed: ssh-rsa
DEBUG:paramiko.transport:Cipher agreed: aes128-cbc
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
INFO:paramiko.transport:Disconnect (code 3): invalid DH value
Traceback (most recent call last):

  File "<ipython-input-25-99a886da3f3d>", line 1, in <module>
    runfile('O:/Moorlands/Software/Python/untitled0.py', wdir='O:/Moorlands/Software/Python')

  File "C:\Users\Mark\Anaconda3\lib\site-packages\spyder_kernels\customize\spydercustomize.py", line 827, in runfile
    execfile(filename, namespace)

  File "C:\Users\Mark\Anaconda3\lib\site-packages\spyder_kernels\customize\spydercustomize.py", line 110, in execfile
    exec(compile(f.read(), filename, 'exec'), namespace)

  File "O:/Moorlands/Software/Python/untitled0.py", line 22, in <module>
    cnopts = cnopts) as srv:

  File "C:\Users\Mark\Anaconda3\lib\site-packages\pysftp\__init__.py", line 143, in __init__
    self._transport.connect(**self._tconnect)

  File "C:\Users\Mark\Anaconda3\lib\site-packages\paramiko\transport.py", line 1291, in connect
    self.start_client()

  File "C:\Users\Mark\Anaconda3\lib\site-packages\paramiko\transport.py", line 661, in start_client
    raise SSHException("Negotiation failed.")

SSHException: Negotiation failed.

If I connect (successfully) via sftp with logging enabled, I get the following log:

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to ftp.apxgroup.com [185.115.188.136] port 2222.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version srtSSHServer_11.00
debug1: no match: srtSSHServer_11.00
debug1: Authenticating to ftp.apxgroup.com:2222 as 'my.username'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:kJuxrXQ83BRlECmULsScHmC4qKUwaFig0ZrzV929qLM
debug1: checking without port identifier
debug1: Host 'ftp.apxgroup.com' is known and matches the RSA host key.
debug1: Found key in /home/ec2-user/.ssh/known_hosts:2
RSA host key for IP address '185.115.188.136' not in list of known hosts.
debug1: found matching key w/out port
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ec2-user/.ssh/id_rsa
debug1: Trying private key: /home/ec2-user/.ssh/id_dsa
debug1: Trying private key: /home/ec2-user/.ssh/id_ecdsa
debug1: Trying private key: /home/ec2-user/.ssh/id_ed25519
debug1: Next authentication method: password
my.username@ftp.apxgroup.com's password:
debug1: Authentication succeeded (password).
Authenticated to ftp.apxgroup.com ([185.115.188.136]:2222).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending subsystem: sftp
Connected to ftp.apxgroup.com.

3 answers:

Answer 0 (score: 1)

As Martin Prikryl suggested, changing paramiko.Transport._preferred_kex from the default

paramiko.Transport._preferred_kex = ('curve25519-sha256@libssh.org',
                                     'ecdh-sha2-nistp256',
                                     'ecdh-sha2-nistp384',
                                     'ecdh-sha2-nistp521',
                                     'diffie-hellman-group16-sha512',
                                     'diffie-hellman-group-exchange-sha256',
                                     'diffie-hellman-group14-sha256',
                                     'diffie-hellman-group-exchange-sha1',
                                     'diffie-hellman-group14-sha1',
                                     'diffie-hellman-group1-sha1')

to

paramiko.Transport._preferred_kex = ('diffie-hellman-group-exchange-sha256',
                                     'diffie-hellman-group14-sha256',
                                     'diffie-hellman-group-exchange-sha1',
                                     'diffie-hellman-group14-sha1',
                                     'diffie-hellman-group1-sha1')

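solved the problem.

Answer 1 (score: 1)

There seems to be a problem when the SSH-2.0-paramiko_2.6.0 client connects to the SSH-2.0-srtSSHServer_11.00 server and the agreed kex is diffie-hellman-group16-sha512.

The workaround I used was to remove diffie-hellman-group16-sha512 from paramiko's list of kex algorithms.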


The workaround was suggested in https://github.com/btastic/flutter_native_image.
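Why paramiko and OpenSSH end up with different key-exchange algorithms against the same server, as an added example (not part of the original posts or of paramiko): it applies the RFC 4253 selection rule, the first client-preferred algorithm that the server also lists, to the server's kex list from the question's debug log. The function names are made up for this example, and the RFC's extra host-key capability conditions are left out.

```python
import re

# paramiko's default client preference order, as quoted in answer 0.
PARAMIKO_DEFAULT_KEX = (
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
)

# Server KEXINIT line from the question's log, cut off after the host key list.
SAMPLE_LOG = (
    "DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha256', "
    "'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1', "
    "'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1', "
    "'diffie-hellman-group-exchange-sha512@ssh.com', "
    "'diffie-hellman-group15-sha256', 'diffie-hellman-group15-sha512', "
    "'diffie-hellman-group16-sha256', 'diffie-hellman-group16-sha512', "
    "'diffie-hellman-group17-sha512', 'diffie-hellman-group18-sha512'] "
    "server key:['ssh-rsa']"
)

def server_kex_algos(log_line):
    """Extract the server's kex list from a paramiko 'kex algos:[...]' line."""
    m = re.search(r"kex algos:\[(.*?)\]", log_line)
    if m is None:
        raise ValueError("no 'kex algos' field in log line")
    return re.findall(r"'([^']+)'", m.group(1))

def agreed_kex(client_prefs, server_algos):
    """First client-preferred algorithm the server also lists, else None."""
    offered = set(server_algos)
    return next((name for name in client_prefs if name in offered), None)

def without(client_prefs, disabled):
    """Client preference list with the disabled algorithms removed."""
    blocked = set(disabled)
    return tuple(name for name in client_prefs if name not in blocked)

if __name__ == "__main__":
    server = server_kex_algos(SAMPLE_LOG)
    reduced = without(PARAMIKO_DEFAULT_KEX, ["diffie-hellman-group16-sha512"])
    print("default client list :", agreed_kex(PARAMIKO_DEFAULT_KEX, server))
    print("group16-sha512 off  :", agreed_kex(reduced, server))
```

With paramiko 2.6 or later, the same restriction can be scoped to one connection by passing disabled_algorithms={'kex': ['diffie-hellman-group16-sha512']} to paramiko.Transport or SSHClient.connect, rather than changing the class-wide _preferred_kex.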

Answer 2 (score: 0)

I ran into a similarly annoying problem while configuring an Airflow job (puckel/1.10.9), and paramiko in SSHHook dropped my connection with the following trace:

DEBUG:paramiko.transport:starting thread (client mode): 0x5048ecd0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.7.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-srtSSHServer_11.00
INFO:paramiko.transport:Connected (version 2.0, client srtSSHServer_11.00)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha256', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha512@ssh.com', 'diffie-hellman-group16-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512'] server key:['ssh-rsa'] client encrypt:['3des-cbc', 'aes128-cbc', 'aes256-cbc', 'blowfish-cbc', 'cast128-cbc'] server encrypt:['3des-cbc', 'aes128-cbc', 'aes256-cbc', 'blowfish-cbc', 'cast128-cbc'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group16-sha512
DEBUG:paramiko.transport:HostKey agreed: ssh-rsa
DEBUG:paramiko.transport:Cipher agreed: aes128-cbc
DEBUG:paramiko.transport:MAC agreed: hmac-sha1
DEBUG:paramiko.transport:Compression agreed: none
INFO:paramiko.transport:Disconnect (code 3): invalid DH value

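Not knowing what DH actually means, I just created another class and switched that algorithm off in its definition, and voilà! It works! What should I read to understand these issues myself?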