Authentication failed with public key

[sprenge]

The remote side accepts the connection using the public key but paramiko still gives an error. Seems to be a bug in paramiko==2.4.0 (ubuntu 16.04, python 3)

Stack trace :
File "/usr/local/lib/python3.5/dist-packages/pysftp/init.py", line 143, in init
self._transport.connect(**self._tconnect)
File "/usr/local/lib/python3.5/dist-packages/paramiko/transport.py", line 1205, in connect
self.auth_publickey(username, pkey)
File "/usr/local/lib/python3.5/dist-packages/paramiko/transport.py", line 1450, in auth_publickey
return self.auth_handler.wait_for_response(my_event)
File "/usr/local/lib/python3.5/dist-packages/paramiko/auth_handler.py", line 226, in wait_for_response
raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

[sprenge]

Remark, I can ssh to the host without any problem, without specifying a password

[holmanb]

Same issue, same version. I can ssh from the command line, but Paramiko fails using the rsa key. Any word on this?
Paramiko==2.4.0 (CentOS 7, python 3.4).
Stack Trace:

 File "/usr/lib/python3.4/site-packages/paramiko/client.py", line 424, in connect
    passphrase,
  File "/usr/lib/python3.4/site-packages/paramiko/client.py", line 714, in _auth
    raise saved_exception
  File "/usr/lib/python3.4/site-packages/paramiko/client.py", line 691, in _auth
    self._transport.auth_publickey(username, key))
  File "/usr/lib/python3.4/site-packages/paramiko/transport.py", line 1450, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/lib/python3.4/site-packages/paramiko/auth_handler.py", line 226, in wait_for_response
    raise e

[tantorrrr]

anyone here for help, I met this issue too

[alexanderhawl]

i also met this issue too, i donot know how to solve it

[eldridgea]

I am seeing the same issue when using the example file rforward.py. rforward.py works when authenticating with a password, and standard SSH works when authenticating with a private key.

For reference here is the output in syslog on the SSH server:

Jun 22 22:49:41 ubuntu-s-1vcpu-1gb-sfo2-01 sshd[9275]: Connection closed by authenticating user $USER $IP_ADDRESS 60836 [preauth]

[bitprophet]

Can y'all try differing Paramiko versions to see if this was introduced at a specific point in time? More details on your exact keys (eg number of bits, how they were generated, etc) might shed a clue as well - RSA in general clearly still works for most users so something more specific must be at work here.

[dpbus]

Also ran into this issue and it seems to be related to the key format. From what I can tell, private keys in the RFC4716 format are not supported by paramiko, while PEM (and maybe other) formatted keys are. Or, perhaps the version of openssl on the box where you're running determines the support of different key formats.

I seems on recent versions of MacOS, ssh-keygen defaults to RFC4716 format, so those keys I generate on my mac were not working for me. Keys that I've generated on a linux box (debian) or using the -m PEM flag on MacOS do seem to work though.

[kariya2]

Running into the same issue, any update?

[ffleandro]

I'm also seeing this issue using paramiko 2.4.2.
Here is the /var/log/auth.log on the server side:

Mar 7 08:36:22 serverhostname sshd[7021]: Connection closed by 177.206.230.70 port 60465 [preauth]

I can log to the server passing the private key file using the ssh -i key

[ffleandro]

@dpbus How can I check if my private key is in PEM format or RFC4716?
Can I convert the private key without modifying my public key?
How can I convert it to paramiko expected format?

[ffleandro]

After reading some more, I found that a PEM key file starts with
—–BEGIN RSA PRIVATE KEY—–

And a RFC4716 starts with:
—–BEGIN OPENSSH PRIVATE KEY—–

My file is a PEM key file, so it is not the problem @dpbus mentioned.
Any comments?

[eepstein]

@ffleandro (or anyone else) any resolution on this?

[ffleandro]

@eepstein Yes I solved the following way. I don't remember the previous code but I think I was opening the key the wrong way or I was passing the password to the connect instead of passing when opening the key.

key = paramiko.RSAKey.from_private_key_file('key/file/path', password='key_password')
warnings.filterwarnings(action='ignore',module='.*
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(host, username=user, port=port, password=password, look_for_keys=False, pkey=key)

[bitprophet]

This smells like another dupe of the handful of missing-OpenSSH-feature tickets out there (there's at least 3-4). Please keep an eye on the changelog over the next few weeks/months!

[jamesharris-garmin]

@bitprophet I don't think there is an existing ticket for this issue. (after doing some searching) should we re-open this ticket? or create a more formal request for this ticket with a simple use case?

It seems like more people are running to this issue as openssh v8 is deployed more widely.

Reference information is: https://coolaj86.com/articles/the-openssh-private-key-format/

[ploxiln]

for the new openssh private key format see #1343

[Chaz6]

I have confirmed with exactly the same code, paramiko 2.8.1 works whereas any version from 2.9.0 onwards does not (up to 2.11.0).

Sample code:-

pkey = paramiko.RSAKey.from_private_key_file(LOGIN_KEY_FILE)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(hostname=HOSTNAME,username=LOGIN_USERNAME,password=LOGIN_PASSWORD,sock=jumpbox_channel,pkey=pkey,look_for_keys=False)

Edit: I fixed this as follows:-

pkey = paramiko.RSAKey.from_private_key_file(LOGIN_KEY_FILE)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(hostname=HOSTNAME,username=LOGIN_USERNAME,password=LOGIN_PASSWORD,sock=jumpbox_channel,pkey=pkey,look_for_keys=False,disabled_algorithms={'pubkeys': ['rsa-sha2-512', 'rsa-sha2-256']})

[andyhasit]

I am also getting this error when I connect to one server, but not another. Both servers use the same keys (hobby project). I can ssh into both. Paramiko works on one server but fails on the other, and the error message really makes it look like a local issue. I tried versions 2.4 - 2.11.

[bskinn]

@andyhasit If you're seeing this same error, but in a fashion that's different from the manifestation OP was seeing and one that you're having trouble debugging, your best bet is probably to create a new issue and link back to this one.

You might also get some help on Stack Overflow, not sure.

[zhenfzha]

I have the same issue. It seems to be stuck here,
[paramiko.transport] INFO Connected (version 2.0, client X)
[paramiko.transport] INFO Authentication (publickey) failed.
[paramiko.transport] INFO Authentication (keyboard-interactive) successful!
I can provide the debug log

[bskinn]

@zhenfzha As above, if you're seeing this same error, but in a fashion that's different from what the OP was seeing and one that you're having trouble debugging, your best bet is probably to create a new issue and link back to this one.

You might also get some help on Stack Overflow, not sure.