Reputation: 567
SSH with 2FA in Python Using Paramiko
I'm trying to write a Python 3 script that will connect to a remote server via ssh and run a command, using the paramiko module.
The remote server uses Duo 2 factor authentication and prompts you to select an authentication mode when connecting using ssh:
$ ssh [email protected]
Duo two-factor login for myuser
Enter a passcode or select one of the following options:
1. Duo Push to +XXX XX-XXX-1111
2. Phone call to +XXX XX-XXX-1111
3. SMS passcodes to +XXX XX-XXX-1111
Passcode or option (1-3): 1
Success. Logging you in...
When I use ssh in the terminal, I just press 1 and then Enter, get the push to my phone where I aprove the connection, and then I'm logged in.
I have not been able to do that in Python unfortunately. Here's the code I tried using:
import paramiko
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('remoteserver.com', port=22, username='myuser', password='mypassword')
stdin, stdout, stderr = ssh.exec_command('ls -l')
output = stdout.readlines()
print(output)
If I try the same code on a remote server without 2FA, it works as expected but with this server, I get an authenticatino error:
paramiko.ssh_exception.AuthenticationException: Authentication failed.
Any help would be greatly appreciated.
Upvotes: 3
Views: 5339
Answers (1)
Reputation: 879
Having just finally solved this problem myself in one of my projects going to leave the code I used which allowed for this work.
The main takeaway is that paramiko does allow for this to be done in the transport and prompts list and in my case i was missing the publickey method in my two_factor_types
def _auth(self, username, password, pkey, *args):
self.password = password
saved_exception = None
two_factor = False
allowed_types = set()
two_factor_types = {'keyboard-interactive', 'password', 'publickey'}
References:
Paramiko/Python: Keyboard interactive authentication
https://github.com/paramiko/paramiko/pull/467
https://github.com/paramiko/paramiko/pull/467/commits/dae916f7bd6723cee95891778baff51ef45532ee
http://docs.paramiko.org/en/stable/api/transport.html
I would recommend trying something along the lines of auth_interactive_dumb
auth_interactive_dumb(username, handler=None, submethods='')
Authenticate to the server interactively but dumber. Just print the prompt and / or instructions to stdout and send back the response. This is good for situations where partial auth is achieved by key and then the user has to enter a 2fac token.
For more full example see excerpt and link below
Full SSH CLient Class for reference:
class SSHClient(paramiko.SSHClient):
duo_auth = False
def handler(self, title, instructions, prompt_list):
answers = []
global duo_auth
if title.startswith('Duo two-factor login'):
duo_auth = True
raise SSHException("Expecting one field only.")
for prompt_, _ in prompt_list:
prompt = prompt_.strip().lower()
if prompt.startswith('password'):
answers.append(self.password)
elif prompt.startswith('verification'):
answers.append(self.totp)
elif prompt.startswith('passcode'):
answers.append(self.totp)
else:
raise ValueError('Unknown prompt: {}'.format(prompt_))
return answers
def auth_interactive(self, username, handler):
if not self.totp:
raise ValueError('Need a verification code for 2fa.')
self._transport.auth_interactive(username, handler)
def _auth(self, username, password, pkey, *args):
self.password = password
saved_exception = None
two_factor = False
allowed_types = set()
two_factor_types = {'keyboard-interactive', 'password', 'publickey'}
agent = paramiko.Agent()
try:
agent_keys = agent.get_keys()
# if len(agent_keys) == 0:
# return
except:
pass
for key in agent_keys:
logging.info("Trying ssh-agent key %s" % hexlify(key.get_fingerprint()))
try:
self._transport.auth_publickey(username, key)
logging.info("... success!")
return
except paramiko.SSHException as e:
logging.info("... nope.")
saved_exception = e
if pkey is not None:
logging.info('Trying publickey authentication')
try:
allowed_types = set(
self._transport.auth_publickey(username, pkey)
)
two_factor = allowed_types & two_factor_types
if not two_factor:
return
except paramiko.SSHException as e:
saved_exception = e
if duo_auth or two_factor:
logging.info('Trying 2fa interactive auth')
return self.auth_interactive(username, self.handler)
if password is not None:
logging.info('Trying password authentication')
try:
self._transport.auth_password(username, password)
return
except paramiko.SSHException as e:
saved_exception = e
allowed_types = set(getattr(e, 'allowed_types', []))
two_factor = allowed_types & two_factor_types
assert saved_exception is not None
raise saved_exception
Upvotes: 5
Related Questions
- Multi-factor authentication (password and key) with Paramiko
- Paramiko AuthenticationException issue
- How can I ssh into a server that requires two password authentication using Python's Paramiko module?
- python paramiko ssh
- Python Paramiko (Client) Multifactor Authentication
- SSH - Python with paramiko issue
- Passwordless SSH using paramiko
- I can manully ssh2 to remote host, but paramiko can not, why?
- Paramiko SSH python
- paramiko and python ssh