[BUG] - Auth works on 2.12.0 but fails on 3.4.0 #2376

Closed
SamuelMarks opened this issue Apr 2, 2024 · 5 comments
@SamuelMarks

Are you using paramiko as a client or server?

Client

What feature(s) aren't working right?

SSH, Keys/auth

What version(s) of paramiko are you using?

3.4.0

What version(s) of Python are you using?

2.7.18 (with 2.12.0) or 3.12.2 (with 3.4.0)

What operating system and version are you using?

Both fail on Windows; on Ubuntu 24.04 with 6.8.1 kernel only 3.4.0 fails

If you're connecting as a client, which SSH server are you connecting to?

OpenSSH 8.9p1 with OpenSSL 3.0.2

If you're using paramiko as part of another tool, which tool/version?

No response

Expected/desired behavior

Auth to work

Actual behavior

Auth fails

How to reproduce

https://github.com/offscale/offshell/blob/master/offshell/__init__.py#L170

Anything else?

On 3.4.0:

DEB [20240402-16:01:25.603] thr=1   paramiko.transport: starting thread (client mode): 0x1536bd70
DEB [20240402-16:01:25.603] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.8.10
DEB [20240402-16:01:25.628] thr=1   paramiko.transport: Remote version/idstring: 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6'
INF [20240402-16:01:25.628] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_8.9p1)
DEB [20240402-16:01:25.642] thr=1   paramiko.transport: kex follows? False

[...]

DEB [20240402-16:01:25.643] thr=1   paramiko.transport: Kex agreed: curve25519-sha256@libssh.org
DEB [20240402-16:01:25.643] thr=1   paramiko.transport: HostKey agreed: ssh-ed25519
DEB [20240402-16:01:25.643] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20240402-16:01:25.643] thr=1   paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20240402-16:01:25.643] thr=1   paramiko.transport: Compression agreed: none
DEB [20240402-16:01:25.707] thr=1   paramiko.transport: kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEB [20240402-16:01:25.707] thr=1   paramiko.transport: Switch to new keys ...
DEB [20240402-16:01:25.777] thr=1   paramiko.transport: userauth is OK
DEB [20240402-16:01:25.799] thr=1   paramiko.transport: Authentication type (none) not permitted.
DEB [20240402-16:01:25.799] thr=1   paramiko.transport: Allowed methods: ['publickey']
DEB [20240402-16:01:25.887] thr=2   paramiko.transport: Trying discovered key omit3 in [path_to]/file.pem
DEB [20240402-16:01:25.902] thr=1   paramiko.transport: userauth is OK
INF [20240402-16:01:25.926] thr=1   paramiko.transport: Authentication (publickey) failed.
DEB [20240402-16:01:25.927] thr=2   paramiko.transport: Trying SSH agent key omit2
DEB [20240402-16:01:25.942] thr=1   paramiko.transport: userauth is OK
INF [20240402-16:01:25.965] thr=1   paramiko.transport: Authentication (publickey) failed.
DEB [20240402-16:01:25.965] thr=2   paramiko.transport: Trying SSH agent key omit1
DEB [20240402-16:01:25.980] thr=1   paramiko.transport: userauth is OK
INF [20240402-16:01:26.003] thr=1   paramiko.transport: Authentication (publickey) failed.
DEB [20240402-16:01:26.004] thr=2   paramiko.transport: Trying discovered key [omit0] in [omit]/id_ed25519
DEB [20240402-16:01:26.019] thr=1   paramiko.transport: userauth is OK
INF [20240402-16:01:26.040] thr=1   paramiko.transport: Authentication (publickey) failed.

Whereas on 2.12.0 it works:

DEB [20240402-16:03:46.171] thr=1   paramiko.transport: starting thread (client mode): 0x78756490L
DEB [20240402-16:03:46.171] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.12.0
DEB [20240402-16:03:46.197] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
INF [20240402-16:03:46.197] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_8.9p1)
DEB [20240402-16:03:46.212] thr=1   paramiko.transport: === Key exchange possibilities ===
DEB [20240402-16:03:46.212] thr=1   paramiko.transport: kex algos: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, sntrup761x25519-sha512@openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, kex-strict-s-v00@openssh.com
DEB [20240402-16:03:46.212] thr=1   paramiko.transport: server key: rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ssh-ed25519
DEB [20240402-16:03:46.212] thr=1   paramiko.transport: client encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: server encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: client mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: server mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: client compress: none, zlib@openssh.com
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: server compress: none, zlib@openssh.com
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: client lang: <none>
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: server lang: <none>
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: kex follows: False
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: === Key exchange agreements ===
DEB [20240402-16:03:46.213] thr=1   paramiko.transport: Kex: curve25519-sha256@libssh.org
DEB [20240402-16:03:46.214] thr=1   paramiko.transport: HostKey: ssh-ed25519
DEB [20240402-16:03:46.214] thr=1   paramiko.transport: Cipher: aes128-ctr
DEB [20240402-16:03:46.214] thr=1   paramiko.transport: MAC: hmac-sha2-256
DEB [20240402-16:03:46.214] thr=1   paramiko.transport: Compression: none
DEB [20240402-16:03:46.214] thr=1   paramiko.transport: === End of kex handshake ===
DEB [20240402-16:03:46.276] thr=1   paramiko.transport: kex engine KexCurve25519 specified hash_algo <built-in function sha256>
DEB [20240402-16:03:46.277] thr=1   paramiko.transport: Switch to new keys ...
DEB [20240402-16:03:46.277] thr=1   paramiko.transport: Got EXT_INFO: {u'publickey-hostbound@openssh.com': '0', u'server-sig-algs': 'ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com'}
DEB [20240402-16:03:46.285] thr=2   paramiko.transport: Trying discovered key omit0 in [omit0_path/].pem
DEB [20240402-16:03:46.350] thr=1   paramiko.transport: userauth is OK
DEB [20240402-16:03:46.350] thr=1   paramiko.transport: Finalizing pubkey algorithm for key of type 'ssh-rsa'
DEB [20240402-16:03:46.350] thr=1   paramiko.transport: Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEB [20240402-16:03:46.350] thr=1   paramiko.transport: Server-side algorithm list: [u'ssh-ed25519', u'sk-ssh-ed25519@openssh.com', u'ssh-rsa', u'rsa-sha2-256', u'rsa-sha2-512', u'ssh-dss', u'ecdsa-sha2-nistp256', u'ecdsa-sha2-nistp384', u'ecdsa-sha2-nistp521', u'sk-ecdsa-sha2-nistp256@openssh.com', u'webauthn-sk-ecdsa-sha2-nistp256@openssh.com']
DEB [20240402-16:03:46.350] thr=1   paramiko.transport: Agreed upon 'rsa-sha2-512' pubkey algorithm
INF [20240402-16:03:46.378] thr=1   paramiko.transport: Authentication (publickey) successful!
DEB [20240402-16:03:46.386] thr=2   paramiko.transport: [chan 0] Max packet in: 32768 bytes
DEB [20240402-16:03:47.110] thr=1   paramiko.transport: Received global request "hostkeys-00@openssh.com"
DEB [20240402-16:03:47.110] thr=1   paramiko.transport: Rejecting "hostkeys-00@openssh.com" global request from server.
DEB [20240402-16:03:47.110] thr=1   paramiko.transport: Debug msg: [omit]/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
DEB [20240402-16:03:47.166] thr=1   paramiko.transport: [chan 0] Max packet out: 32768 bytes
DEB [20240402-16:03:47.166] thr=1   paramiko.transport: Secsh channel 0 opened.
DEB [20240402-16:03:47.206] thr=1   paramiko.transport: [chan 0] Sesch channel 0 request ok
DEB [20240402-16:03:47.224] thr=1   paramiko.transport: [chan 0] Sesch channel 0 request ok
DEB [20240402-16:03:52.172] thr=1   paramiko.transport: [chan 0] EOF received (0)
DEB [20240402-16:03:52.172] thr=2   paramiko.transport: [chan 0] EOF sent (0)
DEB [20240402-16:03:52.273] thr=1   paramiko.transport: EOF in transport thread
@SamuelMarks SamuelMarks added the Bug label Apr 2, 2024
@jun66j5
Contributor

jun66j5 commented Apr 2, 2024

On 3.4.0:

DEB [20240402-16:01:25.603] thr=1   paramiko.transport: starting thread (client mode): 0x1536bd70
DEB [20240402-16:01:25.603] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.8.10
...

You said you are using paramiko 3.4.0; however, 2.8.10 is logged. Please recheck your environment.

@SamuelMarks
Author

@jun66j5 Oh you're right. Weird:

/tmp$ python3.12 -m offshell -n nodename0
env-3-12/lib/python3.12/site-packages/paramiko/transport.py:178: CryptographyDeprecationWarning: Blowfish has been deprecated and will be removed in a future release
  'class': algorithms.Blowfish,
*** Caught exception: <class 'paramiko.ssh_exception.AuthenticationException'>: Authentication failed.
Traceback (most recent call last):

But my logfile says:

DEB [20240402-18:15:25.953] thr=1   paramiko.transport: starting thread (client mode): 0xa8baa1e0
DEB [20240402-18:15:25.954] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.8.10
DEB [20240402-18:15:25.979] thr=1   paramiko.transport: Remote version/idstring: 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6'
INF [20240402-18:15:25.979] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_8.9p1)
DEB [20240402-18:15:25.993] thr=1   paramiko.transport: kex follows? False

Hmm:

$ python3.12 -m pip freeze | grep -F paramiko
paramiko==3.4.0
paramiko-ng==2.8.10

@jun66j5
Contributor

jun66j5 commented Apr 2, 2024

Try pip list -v | grep -F paramiko to show the location.

@jun66j5
Contributor

jun66j5 commented Apr 2, 2024

$ python3.12 -m pip freeze | grep -F paramiko
paramiko==3.4.0
paramiko-ng==2.8.10

It is caused by paramiko-ng which has the version 2.8.10. Uninstall paramiko-ng.

@jun66j5
Contributor

jun66j5 commented Apr 3, 2024

That is absolutely an installation issue, not a bug.

@bskinn bskinn added Support and removed Bug labels May 6, 2024
@bskinn bskinn closed this as completed May 6, 2024
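
The conflict diagnosed in this thread, two installed distributions supplying the same import package, can be detected from package metadata before it shows up as a confusing version banner. The following is an added example, not code from the issue or from paramiko; it assumes both distributions record files under a top-level paramiko/ directory, and the site-packages tree it scans is constructed to mirror the pip freeze output above.

```python
import importlib.metadata as md
import tempfile
from collections import defaultdict
from pathlib import Path


def top_level_owners(search_path=None):
    """Map each top-level import name to the distributions that install it."""
    dists = md.distributions(path=search_path) if search_path else md.distributions()
    owners = defaultdict(set)
    for dist in dists:
        for f in dist.files or []:  # files is None when no RECORD exists
            top = f.parts[0]
            if top.endswith((".dist-info", ".egg-info")) or top in ("..", "__pycache__"):
                continue  # metadata, scripts outside site-packages, caches
            name = top[:-3] if top.endswith(".py") else top
            owners[name].add((str(dist.metadata["Name"]), str(dist.version)))
    return owners


def shadowed_packages(search_path=None):
    """Import names claimed by more than one installed distribution."""
    return {name: sorted(who)
            for name, who in top_level_owners(search_path).items()
            if len(who) > 1}


def build_sample_site(root):
    """Constructed site-packages tree mirroring the pip freeze output."""
    root = Path(root)
    (root / "paramiko").mkdir()
    (root / "paramiko" / "__init__.py").write_text("")
    for name, version in (("paramiko", "3.4.0"), ("paramiko-ng", "2.8.10")):
        info = root / f"{name.replace('-', '_')}-{version}.dist-info"
        info.mkdir()
        (info / "METADATA").write_text(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
        # Assumption: both distributions record files under paramiko/.
        (info / "RECORD").write_text(f"paramiko/__init__.py,,\n{info.name}/METADATA,,\n")
    return str(root)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return shadowed_packages([build_sample_site(tmp)])


if __name__ == "__main__":
    print("constructed sample:", demo())
    print("this interpreter:", shadowed_packages())
```

Run against a real environment, the scan also lists namespace packages that several distributions share by design, so review each hit rather than treating every one as a conflict.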