Paramiko AuthenticationException issue

问题:

I am having a problem connecting to a device with a Paramiko (version 1.7.6-2) ssh client:

$ python Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)  [GCC 4.4.3] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import paramiko >>> ssh = paramiko.SSHClient() >>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) >>> ssh.connect("123.0.0.1", username="root", password=None) Traceback (most recent call last):   File "", line 1, in    File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 327, in connect     self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)   File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 481, in _auth     raise saved_exception paramiko.AuthenticationException: Authentication failed. >>>  

When I use ssh from the command line, it works fine:

ssh root@123.0.0.1   BusyBox v1.12.1 (2010-11-03 13:18:46 EDT) built-in shell (ash) Enter 'help' for a list of built-in commands.  #  

Anyone seen this before?

Edit 1

Here is the verbose output of the ssh command:

:~$ ssh -v root@123.0.0.1 OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to 123.0.0.1 [123.0.0.1] port 22. debug1: Connection established. debug1: identity file /home/waffleman/.ssh/identity type -1 debug1: identity file /home/waffleman/.ssh/id_rsa type -1 debug1: identity file /home/waffleman/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1 debug1: match: OpenSSH_5.1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024

Edit 2 Here is the python output with debug output:

Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)  [GCC 4.4.3] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import paramiko, os >>> paramiko.common.logging.basicConfig(level=paramiko.common.DEBUG) >>> ssh = paramiko.SSHClient() >>> ssh.load_system_host_keys() >>> ssh.load_host_keys(os.path.expanduser('~/.ssh/known_hosts')) >>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) >>> ssh.connect("123.0.0.1", username='root', password=None) DEBUG:paramiko.transport:starting thread (client mode): 0x928756cL INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_5.1) DEBUG:paramiko.transport:kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', 'rijndael-cbc@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] server encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', 'rijndael-cbc@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] client mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False DEBUG:paramiko.transport:Ciphers agreed: local=aes128-ctr, remote=aes128-ctr DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none DEBUG:paramiko.transport:Switch to new keys ... DEBUG:paramiko.transport:Trying discovered key b945197b1de1207d9aa0663f01888c3c in /home/waffleman/.ssh/id_rsa DEBUG:paramiko.transport:userauth is OK INFO:paramiko.transport:Authentication (publickey) failed. Traceback (most recent call last):   File "", line 1, in    File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 327, in connect     self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)   File "/usr/lib/pymodules/python2.6/paramiko/client.py", line 481, in _auth     raise saved_exception paramiko.AuthenticationException: Authentication failed. >>>  

回答1:

The ssh server on the remote device denied your authentication. Make sure you're using the correct key, and the device doesn't have any other access restrictions. It hard to say what's going on without logs from the server.

[EDIT] I just looked back through your output, you are authenticating using None authentication. This usually isn't ever permitted, and is used to determine what auth methods are allowed by the server. It's possible your server is using host based authentication (or none at all!).

Since auth_none() is rarely used, it's not accessible from the SSHClient class, so you will need to use Transport directly.

transport.auth_none('root')  

回答2:

As a very late follow-up on this matter, I believe I was running into the same issue as waffleman, in a context of a confined network.

The hint about using auth_none on the Transport object turned out quite helpful, but I found myself a little puzzled as to how to implement that. Thing is, as of today at least, I can't get the Transport object of an SSHClient object until it has connected; but it won't connect in the first place...

So In case this is useful to others, my work around is below. I just override the _auth method.

OK, this is fragile, as _auth is a private thing. My other alternatives were - actually still are - to manually create the Transport and Channel objects, but for the time being I feel like I'm much better off with all this still under the hood.

from paramiko import SSHClient  class SSHClient_noauth(SSHClient):      def _auth(self, username, *args):         self._transport.auth_none(username)         return 

回答3:

Make sure that the permissions on the public and private key files (and possibly the containing folder) are set to very restrictive (i.e. chmod 600 id_rsa). It turns out this is required (by the Operating System?) to use the files as ssh keys. Found this out from my helpful colleague :) Also make sure that you are using the correct username for the given ssh key.

回答4:

paramiko's SSHClient has load_system_host_keys method which you could use to load user specific set of keys. As example in the docs explain, it needs to be run before connecting to a server.

回答5:

I get similar error, when the server uses AD authentication. I think this is a bug of paramiko. I have learned that I have to set ssh keys before use paramiko.

回答6:

I have tried remove the folder ~./ssh,then it's working well

文章来源: Paramiko AuthenticationException issue