Verify host key with pysftp

北海茫月 2020-11-22 08:33

I am writing a program using pysftp, and it wants to verify the SSH host key against C:\Users\JohnCalvin\.ssh\known_hosts.

Using PuTTY, the terminal

9 answers
  • 2020-11-22 08:33

    FWIR, if authentication is only username & pw, add the remote server IP address to known_hosts, like:

    ssh-keyscan -H 192.168.1.162 >> ~/.ssh/known_hosts

    For reference: https://www.techrepublic.com/article/how-to-easily-add-an-ssh-fingerprint-to-your-knownhosts-file-in-linux/

  • 2020-11-22 08:36

    Connect to the server first with a Windows SSH client that uses the known_hosts file. PuTTY stores the data in the Windows registry; however, OpenSSH uses the known_hosts file and will add entries there after you connect. The default location for the file is %USERPROFILE%\.ssh. I hope this helps.

  • 2020-11-22 08:38

    Hi, we sort of had the same problem, if I understand you well. So check what pysftp version you're using. If it's the latest one, which is 0.2.9, downgrade to 0.2.8. Check this out: https://github.com/Yenthe666/auto_backup/issues/47

  • 2020-11-22 08:41

    One option is to disable the host key requirement:

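    import pysftp
    cnopts = pysftp.CnOpts()
    cnopts.hostkeys = None  # disables host key verification
    # password is passed by keyword: the third positional parameter is private_key
    with pysftp.Connection(host, username=username, password=password, cnopts=cnopts) as sftp:
        sftp.put(local_path, remote_path)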
    

    You can find more info about that here: https://stackoverflow.com/a/38355117/1060738

    Important note:

    By setting cnopts.hostkeys = None you'll lose the protection against man-in-the-middle attacks. Use @martin-prikryl's answer to avoid that.

  • 2020-11-22 08:48

    Do not set cnopts.hostkeys = None (as the second most upvoted answer shows), unless you do not care about security. You lose a protection against Man-in-the-middle attacks by doing so.


    Use CnOpts.hostkeys (returns HostKeys) to manage trusted host keys.

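    import pysftp

    cnopts = pysftp.CnOpts(knownhosts='known_hosts')

    # password is passed by keyword: the third positional parameter is private_key
    with pysftp.Connection(host, username=username, password=password, cnopts=cnopts) as sftp:
        pass  # transfer files here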
    

    where the known_hosts contains a server public key[s] in a format like:

    example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...
    

    If you do not want to use an external file, you can also use

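    from base64 import decodebytes
    import paramiko
    import pysftp

    # Base64 public key blob, as found in the third field of a known_hosts entry
    keydata = b"""AAAAB3NzaC1yc2EAAAADAQAB..."""
    key = paramiko.RSAKey(data=decodebytes(keydata))
    cnopts = pysftp.CnOpts()
    cnopts.hostkeys.add('example.com', 'ssh-rsa', key)

    # password is passed by keyword: the third positional parameter is private_key
    with pysftp.Connection(host, username=username, password=password, cnopts=cnopts) as sftp:
        pass  # transfer files here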
    

    Though as of pysftp 0.2.9, this approach will issue a warning, which seems like a bug:
    "Failed to load HostKeys" warning while connecting to SFTP server with pysftp


    An easy way to retrieve the host key in this format is using OpenSSH ssh-keyscan:

    $ ssh-keyscan example.com
    # example.com SSH-2.0-OpenSSH_5.3
    example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...
    

    (due to a bug in pysftp, this does not work if the server uses a non-standard port – the entry starts with [example.com]:port + beware of redirecting ssh-keyscan to a file in PowerShell)

    You can also make the application do the same automatically:
    Use Paramiko AutoAddPolicy with pysftp
    (It will automatically add host keys of new hosts to known_hosts, but for known host keys, it will not accept a changed key)


    Though for absolute security, you should not retrieve the host key remotely, as you cannot be sure that you are not being attacked already.

    See my article Where do I get SSH host key fingerprint to authorize the server?
    It's for my WinSCP SFTP client, but most information there is valid in general.


    If you need to verify the host key using its fingerprint only, see Python - pysftp / paramiko - Verify host key using its fingerprint.

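The known_hosts matching rules discussed in the answers above (plain host names, the `[host]:port` form used for non-standard ports, and the hashed names that `ssh-keyscan -H` writes), as an added standard-library Python example that is not part of any answer and is not pysftp or Paramiko code. The function names and the sample entries (fake ssh-rsa blobs, the salt) are constructed for illustration; wildcard patterns and `@revoked`/`@cert-authority` markers are not handled.

```python
import base64, hashlib, hmac

def host_pattern(host, port=22):
    # OpenSSH stores non-default ports as "[host]:port"
    return host if port == 22 else f"[{host}]:{port}"

def entry_matches(field, name):
    if field.startswith("|1|"):  # hashed name, as written by ssh-keyscan -H
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return name in field.split(",")  # plain names; wildcards not handled

def fingerprint(blob_b64):
    # The SHA256:<unpadded base64> form that OpenSSH prints for a key
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts, host, port, keytype, blob_b64):
    """Return 'match', 'mismatch' (entry exists, key differs) or 'unknown'."""
    name, seen = host_pattern(host, port), False
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if entry_matches(parts[0], name) and parts[1] == keytype:
            if parts[2] == blob_b64:
                return "match"
            seen = True
    return "mismatch" if seen else "unknown"

# --- Constructed sample data: fake ssh-rsa blobs, not real keys ---
def fake_rsa_blob(seed):
    raw = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
           + b"\x00\x00\x00\x21\x00" + bytes([seed]) * 32)
    return base64.b64encode(raw).decode()

KEY_A, KEY_B = fake_rsa_blob(1), fake_rsa_blob(2)
SALT = b"constructed-salt-20b"
HASHED = "|1|{}|{}".format(base64.b64encode(SALT).decode(), base64.b64encode(
    hmac.new(SALT, b"192.168.1.162", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts content",
    f"example.com ssh-rsa {KEY_A}",
    f"[example.com]:2222 ssh-rsa {KEY_B}",
    f"{HASHED} ssh-rsa {KEY_A}",
])
```

A "mismatch" result is the case that must abort the connection: an entry for the host exists but the presented key differs from it.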
  • 2020-11-22 08:54

    If you try to connect by pysftp to "normal" FTP, you have to set hostkey to None.

    import pysftp
    
    cnopts = pysftp.CnOpts()
    cnopts.hostkeys = None 
    with pysftp.Connection(host='****',username='****',password='***',port=22,cnopts=cnopts) as sftp:
        print('DO SOMETHING')
    