[SUPPORT] - Authentication failed when connected to remote host that only allows key authentication and non-interactive commands

[samoils]

Are you using paramiko as a client or server?

Client

What feature(s) aren't working right?

SSH, Keys/auth

What version(s) of paramiko are you using?

3.4.0

What version(s) of Python are you using?

3.11.6

What operating system and version are you using?

Windows 11

If you're connecting as a client, which SSH server are you connecting to?

No response

If you're using paramiko as part of another tool, which tool/version?

No response

What are you trying to do with paramiko?

I'm trying to connect to a remote host that requires key authentication and only allows non-interactive commands. I've tried both an ssh-rsa key and a ssh-ed25519 key and in both cases I get an error "Authentication (publickey) failed". I have confirmed both keys work when directly using ssh to connect to the remote host however it fails when connecting using paramiko.

How are you trying to do it, and what's happening instead?

Sample code that gives the error. The expected outcome would be that it properly connects to the remote host.

import os
import sys
import logging

import paramiko

ssh = paramiko.SSHClient()
myhostname = r'REMOTEHOST'
myusername = 'USERNAME'
mypassword = r'PASSWORD'

def main():
    logging.basicConfig()
    logging.getLogger('paramiko').setLevel(logging.DEBUG)

    #privatekey = paramiko.Ed25519Key.from_private_key_file(r'PATH_TO_KEY', password=mypassword)
    privatekey = paramiko.RSAKey.from_private_key_file(r'PATH_TO_KEY', password=mypassword)

    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(hostname=myhostname, username=myusername, passphrase=mypassword, pkey=privatekey, allow_agent=False, look_for_keys=False)

    ssh.close()



if __name__ == '__main__':
    main()

Error output when using ssh-rsa key:

DEBUG:paramiko.transport:starting thread (client mode): 0x1b7a31d0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_3.4.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.4
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.4)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group18-sha512, diffie-hellman-group16-sha512, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha256
DEBUG:paramiko.transport:server key: ssh-ed25519, ssh-rsa, rsa-sha2-512, rsa-sha2-256
DEBUG:paramiko.transport:client encrypt: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
DEBUG:paramiko.transport:server encrypt: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
DEBUG:paramiko.transport:client mac: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
DEBUG:paramiko.transport:server mac: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
DEBUG:paramiko.transport:client compress: none, zlib@openssh.com
DEBUG:paramiko.transport:server compress: none, zlib@openssh.com
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: curve25519-sha256@libssh.org
DEBUG:paramiko.transport:HostKey: ssh-ed25519
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying SSH key b'SNIP'
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'rsa-sha2-256,rsa-sha2-512'}
DEBUG:paramiko.transport:userauth is OK
DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['rsa-sha2-256', 'rsa-sha2-512']
DEBUG:paramiko.transport:Agreed upon 'rsa-sha2-512' pubkey algorithm
INFO:paramiko.transport:Authentication (publickey) failed.
Traceback (most recent call last):
  File "d:\code\network_test.py", line 33, in <module>
    main()
  File "d:\code\network_test.py", line 24, in main
    ssh.connect(hostname=myhostname, username=myusername, passphrase=mypassword, pkey=privatekey, allow_agent=False, look_for_keys=False)
  File "D:\code\.venv\Lib\site-packages\paramiko\client.py", line 485, in connect
    self._auth(
  File "D:\code\.venv\Lib\site-packages\paramiko\client.py", line 818, in _auth
    raise saved_exception
  File "D:\code\.venv\Lib\site-packages\paramiko\client.py", line 716, in _auth
    self._transport.auth_publickey(username, pkey)
  File "D:\code\.venv\Lib\site-packages\paramiko\transport.py", line 1674, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\code\.venv\Lib\site-packages\paramiko\auth_handler.py", line 263, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.
DEBUG:paramiko.transport:EOF in transport thread

Error output when using ssh-ed25519 key:

DEBUG:paramiko.transport:starting thread (client mode): 0xda10bdd0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_3.4.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.4
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.4)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group18-sha512, diffie-hellman-group16-sha512, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha256
DEBUG:paramiko.transport:server key: ssh-ed25519, ssh-rsa, rsa-sha2-512, rsa-sha2-256
DEBUG:paramiko.transport:client encrypt: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
DEBUG:paramiko.transport:server encrypt: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
DEBUG:paramiko.transport:client mac: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
DEBUG:paramiko.transport:server mac: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
DEBUG:paramiko.transport:client compress: none, zlib@openssh.com
DEBUG:paramiko.transport:server compress: none, zlib@openssh.com
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: curve25519-sha256@libssh.org
DEBUG:paramiko.transport:HostKey: ssh-ed25519
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying SSH key b'SNIP'
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'rsa-sha2-256,rsa-sha2-512'}
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
Traceback (most recent call last):
  File "d:\code\network_test.py", line 33, in <module>
    main()
  File "d:\code\network_test.py", line 24, in main
    ssh.connect(hostname=myhostname, username=myusername, passphrase=mypassword, pkey=privatekey, allow_agent=False, look_for_keys=False)
  File "D:\code\.venv\Lib\site-packages\paramiko\client.py", line 485, in connect
    self._auth(
  File "D:\code\.venv\Lib\site-packages\paramiko\client.py", line 818, in _auth
    raise saved_exception
  File "D:\code\.venv\Lib\site-packages\paramiko\client.py", line 716, in _auth
    self._transport.auth_publickey(username, pkey)
  File "D:\code\.venv\Lib\site-packages\paramiko\transport.py", line 1674, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\code\.venv\Lib\site-packages\paramiko\auth_handler.py", line 263, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.
DEBUG:paramiko.transport:EOF in transport thread

Anything else?

No response