Reputation: 2992
I am connecting to a host which runs dropbear and has a blank root password. I can connect to it via ssh
(I have replaced the actual IPv6 address and host name here):
$ ssh root@[2001:db8:1234::567]
root@my_host:~# ps aux | grep dropbear
root 2481 0.0 0.1 2408 504 ? Ss 06:15 0:00 /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_host_key -B -p 22 -P /var/run/dropbear.pid
root 4492 1.2 0.2 2876 992 ? Ss 08:35 0:00 /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_host_key -B -p 22 -P /var/run/dropbear.pid
root 4637 0.0 0.1 2344 556 pts/0 S+ 08:35 0:00 grep dropbear
root@my_host:~# exit
Connection to 2001:db8:1234::567 closed.
When I try to do this with Paramiko, it throws an AuthenticationException. This is my minimal example script:
#!/usr/bin/env python
import paramiko

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(
    "[2001:db8:1234::567]",
    port=22,
    username="root",
    password="",
)
Output:
Traceback (most recent call last):
File "C:\Users\username\src\minimal\minimal.py", line 8, in <module>
client.connect(
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\client.py", line 435, in connect
self._auth(
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\client.py", line 766, in _auth
raise saved_exception
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\client.py", line 753, in _auth
self._transport.auth_password(username, password)
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\transport.py", line 1563, in auth_password
return self.auth_handler.wait_for_response(my_event)
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\auth_handler.py", line 258, in wait_for_response
raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.
Any ideas why the authentication with Paramiko fails?
Verbose ssh output:
$ ssh -vvv root@2001:db8:1234::567
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\username/.ssh/config
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 2001:db8:1234::567 is address
debug2: ssh_connect_direct
debug1: Connecting to 2001:db8:1234::567 [2001:db8:1234::567] port 22.
debug1: Connection established.
debug3: Failed to open file:C:/Users/username/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_rsa.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_rsa-cert.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_dsa.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_dsa-cert.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_ecdsa.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_ecdsa-cert.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_ed25519.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_ed25519-cert.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_xmss.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/username/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/username/.ssh/id_xmss-cert.pub error:2
debug1: identity file C:\\Users\\username/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version dropbear_2017.75
debug1: no match: dropbear_2017.75
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 2001:db8:1234::567 as 'root'
debug3: hostkeys_foreach: reading file "C:\\Users\\username/.ssh/known_hosts"
debug3: Failed to open file:C:/Users/username/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,[email protected]
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: compression ctos: [email protected],none
debug2: compression stoc: [email protected],none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:2oIgeSG/smq4GNl7z1jLMBEaMw4peSXOWGZlW9aZUaY
debug3: hostkeys_foreach: reading file "C:\\Users\\username/.ssh/known_hosts"
debug3: Failed to open file:C:/Users/username/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
The authenticity of host '2001:db8:1234::567 (2001:db8:1234::567)' can't be established.
RSA key fingerprint is SHA256:2oIgeSG/smq4GNl7z1jLMBEaMw4peSXOWGZlW9aZUaY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '2001:db8:1234::567' (RSA) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\username/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\username/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\username/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\username/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\username/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (none).
Authenticated to 2001:db8:1234::567 ([2001:db8:1234::567]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug3: This windows OS supports conpty
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug3: Successfully set console output code page from:65001 to 65001
debug3: Successfully set console input code page from:850 to 65001
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32759
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
root@my_host:~# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
root@my_host:~#
Paramiko (2.9.2) log
DEBUG:paramiko.transport:starting thread (client mode): 0xbfd81bb0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.9.2
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-dropbear_2017.75
INFO:paramiko.transport:Connected (version 2.0, client dropbear_2017.75)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: [email protected], ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, [email protected]
DEBUG:paramiko.transport:server key: ssh-rsa
DEBUG:paramiko.transport:client encrypt: aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc, twofish256-cbc, twofish-cbc, twofish128-cbc, 3des-ctr, 3des-cbc
DEBUG:paramiko.transport:server encrypt: aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc, twofish256-cbc, twofish-cbc, twofish128-cbc, 3des-ctr, 3des-cbc
DEBUG:paramiko.transport:client mac: hmac-sha1-96, hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-md5
DEBUG:paramiko.transport:server mac: hmac-sha1-96, hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-md5
DEBUG:paramiko.transport:client compress: [email protected], none
DEBUG:paramiko.transport:server compress: [email protected], none
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: [email protected]
DEBUG:paramiko.transport:HostKey: ssh-rsa
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-rsa host key for [2001:db8:1234::567]: b'0366f1abed7f1a4625c3abd6185944bf'
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) failed.
Traceback (most recent call last):
File "C:\Users\username\src\minimal\minimal.py", line 12, in <module>
client.connect(
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\client.py", line 435, in connect
self._auth(
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\client.py", line 766, in _auth
raise saved_exception
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\client.py", line 753, in _auth
self._transport.auth_password(username, password)
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\transport.py", line 1563, in auth_password
return self.auth_handler.wait_for_response(my_event)
File "C:\Users\username\envs\envname\lib\site-packages\paramiko\auth_handler.py", line 258, in wait_for_response
raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.
DEBUG:paramiko.transport:EOF in transport thread
Upvotes: 1
Views: 10613
Reputation: 2992
Martin's answer already states the cause. The dropbear server does not use any authentication at all. In order to implement the workaround with Transport.connect and still have a paramiko.SSHClient to interact with, we can do the following (thanks to ttimasdf):
#!/usr/bin/env python
import paramiko

host = "[2001:db8:1234::567]"
port = 22
username = "root"
password = None

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# Workaround for no authentication:
# https://github.com/paramiko/paramiko/issues/890#issuecomment-906893725
try:
    client.connect(host, port=port, username=username, password=password)
except paramiko.ssh_exception.AuthenticationException as e:
    if not password:
        client.get_transport().auth_none(username)
    else:
        raise e

# Now we can interact with the client as usual
stdin, stdout, stderr = client.exec_command("ls /")
lines = stdout.readlines()
print(lines)
Upvotes: 3
Reputation: 202292
It does not look like you authenticate with a blank password. You actually do not authenticate at all to the server (technically, ssh uses "none" authentication method).
Paramiko SSHClient does not try that method automatically.
You have to explicitly code it by using a low-level Transport class with its Transport.auth_none instead of the high-level SSHClient:
import paramiko
username = "root"
transport = paramiko.Transport('example.com')
transport.connect()  # no hostkey argument: the server key is not verified
transport.auth_none(username)
The above code implicitly bypasses host key verification (what your original code does explicitly by using AutoAddPolicy). That's a security flaw. Use hostkey argument of the Transport.connect to correct that.
Upvotes: 2
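An added example, not code from either answer: one way to use the "none" method without giving up host key verification, by pinning the fingerprint that ssh -vvv printed in the question and checking it after key exchange but before authenticating. The helper names (fingerprint, key_matches, connect_none_auth) and the 10-second timeout are assumptions of this sketch; the Paramiko calls are Transport.start_client, get_remote_server_key and auth_none.

```python
import base64
import hashlib
import hmac

# Fingerprint printed by `ssh -vvv` in the question; confirm it out of band
# (for example on the device console) before pinning it.
PINNED_FP = "SHA256:2oIgeSG/smq4GNl7z1jLMBEaMw4peSXOWGZlW9aZUaY"


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public host key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def key_matches(key_blob: bytes, pinned_fp: str) -> bool:
    """Constant-time comparison of the presented key against the pin."""
    return hmac.compare_digest(fingerprint(key_blob), pinned_fp)


def connect_none_auth(host, port, username, pinned_fp=PINNED_FP):
    """Return an authenticated paramiko.Transport, or raise.

    Key exchange runs first, the server key is checked against the pin,
    and only then is the "none" method requested.
    """
    import paramiko  # imported here so the helpers above need only stdlib

    transport = paramiko.Transport((host, port))
    try:
        transport.start_client(timeout=10)
        server_key = transport.get_remote_server_key()
        if not key_matches(server_key.asbytes(), pinned_fp):
            raise paramiko.SSHException(
                "host key mismatch: got " + fingerprint(server_key.asbytes())
            )
        # Raises BadAuthenticationType if the server does not allow "none".
        transport.auth_none(username)
    except Exception:
        transport.close()
        raise
    return transport


if __name__ == "__main__":
    # Constructed stand-in blob; no network access is needed for this check.
    sample = b"constructed-host-key-blob"
    print(fingerprint(sample), key_matches(sample, PINNED_FP))
```

With the returned transport, transport.open_session() gives a channel on which exec_command can be called; pass the IPv6 address without brackets when using the (host, port) tuple form.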