
SSHClient Fails to use password authentication when local keychain exists #391

Open
erikalfthan opened this issue Sep 12, 2014 · 7 comments

Comments

@erikalfthan

When I use SSHClient to connect to a remote host with password authentication, it fails when I have a local key-file (unrelated) on the client machine. A paramiko.ssh_exception.AuthenticationException is thrown, instead of continuing to ssh password authentication.

Workaround: Use option look_for_keys=False

This workaround is only possible if you control the SSHClient object yourself, not if you use a lib built on paramiko.

Environment
File /home/<user>/.ssh/id_rsa exists (but not relevant to remote host)

Code to reproduce:

```python
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("remotehost", username="myuser", password="mypassword")
```

Trace

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 273, in connect
    self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 456, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 447, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/transport.py", line 1057, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/auth_handler.py", line 165, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

Excerpt from "DEBUG-level log"

DEBUG:paramiko.transport:Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-dss; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying discovered key b'<removed>' in /home/<removed>/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
INFO:paramiko.transport:Disconnect (code 2): unexpected SSH_MSG_SERVICE_REQUEST

The last two lines are not logged and the exception is not thrown when the connection is made with the workaround:

```python
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("remotehost", username="myuser", password="mypassword", look_for_keys=False)
```

DEBUG:paramiko.transport:starting thread (client mode): 0x64d76048
INFO:paramiko.transport:Connected (version 2.0, client 1.37c)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-dss'] client encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-cbc', 'arcfour', 'cast128-cbc'] server encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-cbc', 'arcfour', 'cast128-cbc'] client mac:['hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib'] server compress:['none', 'zlib'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-dss; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!

@bitprophet
Member

Sounds related to #387.

linickx added a commit to linickx/crassh that referenced this issue Apr 22, 2015
paramiko/paramiko#391

(Cisco boxes don't support key auth anyway)
@phpguru

phpguru commented Apr 14, 2017

I am using Fabric on Windows 2012 server within Git Bash.

$ fab --version
Fabric 1.13.1
Paramiko 2.1.1

Paramiko refuses to see or use any of my .pem files in ~/.ssh/* other than id_rsa

When turning on debugging, you can see that during the SSH conversation, it tries to connect only with ~/.ssh/id_rsa and ignores all other keys in ~/.ssh folder. It doesn't matter if I add the keys to the Git Bash session or not.

The only workaround I have found is to forcibly add id_rsa.pub to all the remote systems ~/.ssh/authorized_keys or to dynamically change the symlink ~/.ssh/id_rsa is pointing to during script execution.

Edit: Reading #387 it's clear this is probably the wrong place for this note.

@dharasty

dharasty commented Sep 28, 2017

I encountered this on Ubuntu 16, Python 2.7, paramiko 2.3.0.

Using 'allow_agent' and 'look_for_keys' fixed the issue for me, as per this StackOverflow post

In summary:

```python
ssh.connect('localhost', username=name, password=pw, allow_agent=False, look_for_keys=False)
```

@cernerae

Like dharasty said:

```python
ssh.connect('localhost', username=name, password=pw, allow_agent=False, look_for_keys=False)
```

It'll fail to find the public key but then use password auth and succeed. Annoying but it works.

mvdbeek added a commit to mvdbeek/galaxy that referenced this issue Dec 30, 2019
mvdbeek added a commit to mvdbeek/galaxy that referenced this issue Jan 8, 2020
@jarora11

The workaround will work if you are using paramiko directly. But if you are using a wraparound library like invoke or fabric, you can't override the default paramiko behavior of look_for_keys.

If someone has found a way to do that, please post it.

@ploxiln
Contributor

ploxiln commented Jul 26, 2020

For Fabric-1.x, you can use the command-line options --no-keys and --no_agent, or you can set env.no_keys and env.no_agent

For Fabric-2.x, you can use config values connect_kwargs.allow_agent and connect_kwargs.look_for_keys in whatever is the normal way to set connect_kwargs for Fabric-2 ...
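Added example (not code from paramiko, Fabric, or any commenter in this thread) that pulls together the workaround from the original report and the Fabric-2 `connect_kwargs` route ploxiln mentions. It builds the password-only keyword arguments once and uses them both for a direct `paramiko.SSHClient` and for a Fabric-2 `Connection`. The `FakeSSHClient` class is a constructed stand-in that mimics the behaviour in the report (a discovered local key is tried first, fails, and the server disconnects before the password is attempted), so the helper can be exercised offline; the `try_connect` helper and the host-key handling (load `known_hosts`, reject unknown hosts instead of auto-adding them) are my own choices, not anything the thread prescribes.

```python
"""Password-only SSH connection helper (added example, not project code)."""

try:
    import paramiko
    from paramiko.ssh_exception import AuthenticationException
except ImportError:  # lets the example import without paramiko installed
    paramiko = None

    class AuthenticationException(Exception):
        pass


def password_only_connect_kwargs(password):
    """Keyword arguments that restrict SSHClient.connect to the given password.

    Works both as **kwargs for paramiko.SSHClient.connect and as the value of
    Fabric-2's ``connect_kwargs``.
    """
    return {
        "password": password,
        "look_for_keys": False,  # do not try ~/.ssh/id_rsa etc. first
        "allow_agent": False,    # do not try keys held by a running ssh-agent
    }


def connect_password_only(client, host, user, password, timeout=10.0):
    """Connect `client` (paramiko.SSHClient or a compatible object) using only
    the password. Unknown host keys are rejected rather than auto-added."""
    client.load_system_host_keys()
    if paramiko is not None:
        client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, timeout=timeout,
                   **password_only_connect_kwargs(password))
    return client


def fabric_password_connection(host, user, password):
    """Fabric-2.x equivalent: the same kwargs go into Connection(connect_kwargs=...).
    Assumes fabric >= 2 is installed; imported lazily so the rest runs without it."""
    from fabric import Connection
    return Connection(host, user=user,
                      connect_kwargs=password_only_connect_kwargs(password))


def try_connect(client, host, user, password, **kwargs):
    """Return 'ok' on success or 'failed' when authentication is rejected."""
    try:
        client.connect(host, username=user, password=password, **kwargs)
    except AuthenticationException:
        return "failed"
    return "ok"


class FakeSSHClient:
    """Constructed stand-in reproducing the report: when look_for_keys is on and
    a local key exists, the publickey attempt fails and the (fake) server
    disconnects, so the password is never tried."""

    def __init__(self, local_key_exists=True, expected_password="mypassword"):
        self.local_key_exists = local_key_exists
        self.expected_password = expected_password
        self.policy = None
        self.calls = []
        self.authenticated_with = None

    def load_system_host_keys(self):
        pass  # no-op in the fake

    def set_missing_host_key_policy(self, policy):
        self.policy = policy

    def connect(self, hostname, username=None, password=None,
                look_for_keys=True, allow_agent=True, timeout=None):
        self.calls.append({"hostname": hostname, "username": username,
                           "look_for_keys": look_for_keys,
                           "allow_agent": allow_agent})
        if look_for_keys and self.local_key_exists:
            # Mirrors the DEBUG log above: "Authentication (publickey) failed."
            # followed by "Disconnect (code 2)".
            raise AuthenticationException("Authentication failed.")
        if password != self.expected_password:
            raise AuthenticationException("Authentication failed.")
        self.authenticated_with = "password"


if __name__ == "__main__":
    print(try_connect(FakeSSHClient(), "remotehost", "myuser", "mypassword"))   # failed
    ok = connect_password_only(FakeSSHClient(), "remotehost", "myuser", "mypassword")
    print(ok.authenticated_with)                                               # password
```

For a real host, pass `paramiko.SSHClient()` instead of the fake; `RejectPolicy` means a host missing from `known_hosts` fails closed, which is the safer default compared to the `AutoAddPolicy` used in the reproduction above.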

@mitchmahan

mitchmahan commented Oct 7, 2022

Still seeing this issue in latest paramiko 2.11.0

Does not happen in 2.6.0 and broken in 2.7.0
