3

I intend to create a passwordless connection using SSH keys between a client and a server.

Using Paramiko, I end up with an AuthenticationException. Using standard SSH via Popen, I can connect without problems.

For Paramiko I use the following code:

import paramiko

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.load_system_host_keys()
# No key_filename is given here, so only the agent and default key names are tried
client.connect(ssh_server, username=ssh_user)

For the same situation, I am able to use SSH:

import subprocess

cmd = 'ssh -o GSSAPIAuthentication=no -o ForwardX11=no {}@{} echo 0 > /dev/null'.format(ssh_user, ssh_server)
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
process.communicate()

I am using Python 3.4.6 and Paramiko 2.4.1.

Some more details:

  • I am able to establish a connection with Paramiko on a different client
  • On this specific client, the user for ssh impersonation is not the same as the user who starts the call.

Paramiko Debug Output

2018-07-11 20:55:54,025 20730 DEBUG: putting paramiko output to console
2018-07-11 20:55:54,112 20730 DEBUG: starting thread (client mode): 0x4ca07320
2018-07-11 20:55:54,112 20730 DEBUG: Local version/idstring: SSH-2.0-paramiko_2.4.1
2018-07-11 20:55:54,112 20730 DEBUG: Remote version/idstring: SSH-2.0-OpenSSH_7.2
2018-07-11 20:55:54,112 20730 INFO: Connected (version 2.0, client OpenSSH_7.2)
2018-07-11 20:55:54,115 20730 DEBUG: kex algos:['[email protected]', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['[email protected]', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected]', '[email protected]'] server encrypt:['[email protected]', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected]', '[email protected]'] client mac:['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', '[email protected]'] server compress:['none', '[email protected]'] client lang:[''] server lang:[''] kex follows?False
2018-07-11 20:55:54,115 20730 DEBUG: Kex agreed: ecdh-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: HostKey agreed: ecdsa-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: Cipher agreed: aes128-ctr
2018-07-11 20:55:54,115 20730 DEBUG: MAC agreed: hmac-sha2-256
2018-07-11 20:55:54,116 20730 DEBUG: Compression agreed: none
2018-07-11 20:55:54,123 20730 DEBUG: kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
2018-07-11 20:55:54,124 20730 DEBUG: Switch to new keys ...
Exception: No authentication methods available

SSH DEBUG: (using ssh -v ssh_user AT ssh_server)

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/pid1083/.ssh/config
debug1: /home/pid1083/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <ssh_server> port 22.
debug1: Connection established.
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c type 1
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 21:1b:bb:32:4c:69:f3:eb:91:79:e7:ca:d4:30:ff:70
debug1: Host '<ssh_server>' is known and matches the ECDSA host key.
debug1: Found key in /home/<logged_in_username>/.ssh/known_hosts:519
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<logged_in_user>/.ssh/id_rsa_c2c
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to <IP_of_server>:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.utf8
debug1: Sending env LC_ADDRESS = en_US.utf8
debug1: Sending env LC_MONETARY = en_US.utf8
debug1: Sending env LC_NUMERIC = en_US.utf8
debug1: Sending env LC_ALL = en_US.utf8
debug1: Sending env LC_TELEPHONE = en_US.utf8
debug1: Sending env LC_MESSAGES = en_US.utf8
debug1: Sending env LC_IDENTIFICATION = en_US.utf8
debug1: Sending env LC_COLLATE = en_US.utf8
debug1: Sending env LANG = en_US.utf8
debug1: Sending env LC_MEASUREMENT = en_US.utf8
debug1: Sending env LC_CTYPE = en_US.utf8
debug1: Sending env LC_TIME = en_DK.utf8
debug1: Sending env LC_NAME = en_US.utf8

1 Answer

6

Your ssh connection works, because it uses a private key from ~/.ssh/id_rsa_c2c (as configured in ssh_config). The .ssh folder and ssh_config file serve as a configuration for the OpenSSH toolset (ssh in this case). You cannot expect that other SSH clients/libraries will use OpenSSH configuration files. They won't, in general.

If you want to use public key authentication with Paramiko, use the key_filename argument of SSHClient.connect.
See also How to ssh connect through Python Paramiko with ppk public key.

Though Paramiko, in particular, would use a key file, if it had a common name like id_rsa, id_dsa, etc. See Force password authentication (ignore keys in .ssh folder) in Paramiko in Python for the exactly opposite problem.


Obligatory warning: Do not use AutoAddPolicy, unless you do not care about security. You are losing a protection against MITM attacks this way.
For a correct solution, see Paramiko "Unknown Server".

1 Comment

Thank you, your reasoning is clear and makes sense. I will try it out and if it works, mark it as resolved.
