New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can not connect to SFTP server requiring password and publickey authentication #519
Comments
last time I checked.. every time an auth function is called, it bull dozes the previous auth member of the transport. I have suggested that we not do this in a different issue all together. Pierrrrrr, can you investigate this further by stepping though with the debugger in the auth functions to verify that is the case? |
@rustyscottweber sure, not problem - what objects|attributes|lines would you like me to take a look at? |
I ran into the same issue and it seems caused by the service-request on the second auth reinitializing the authentication flow. If I made the auth handler directly send the second userauth-request without sending the service-request, this worked. Unfortunately, this appears non-trivial to fix given how Transport and AuthHandler interact right now. I think you'd need to persist self.auth_handler on the Transport between auth_* calls and have some way to note that the service-request already happened and does not need to be repeated, so you can go straight to the userauth-request. Here's my really janky code that works:
I can try to put a pull request together if that would be helpful, but I don't have a good understanding of how this all actually works (especially in error cases). |
@pierrrrrr appologies for the delay in reply, I was referring to the auth_* methods in the fashion that the auth_handler object is over written every time that a new auth method has be called. This makes authenticating against a server which requires more than one type of authentication... I would imagine difficult or impossible. |
Hello guys,
Any news about this issue? Are there plans to fix it? |
@rustyscottweber I'm hitting this too. I just fired up the debugger to get the diags that you were after, and I'm seeing (on paramiko v1.16.0) that in both In both cases I see a response like Any suggestions for further diags I can help with? Is this just as simple as not overwriting the |
I suppose you could try not obliterating the auth handler, but I'm not sure
|
Would love to see a fix for this. Does anyone have any ideas what might be causing this? |
Skimming this, it feels extremely related to #387, aka "the auth module is incredibly old and crusty and poorly architected for nontrivial use cases". Basically needs a modern rewrite with an eye for making non-base cases easier to handle and/or for users to implement arbitrary subclasses/workarounds. That ticket is pretty high on my list FWIW. |
@teamdoug Thank you very much for your work around in the earlier comment. I've converted this into a helper function that returns you a SFTP client. Including here if anyone finds it useful. def multifactor_auth_sftp_client(host, username, keyfile, passphrase, password):
"""
Return an open paramiko SFTP client to a host that requires multifactor
authentication.
"""
paramiko_logger = getLogger('paramiko')
paramiko_logger.setLevel(DEBUG)
handler = StreamHandler()
handler.setLevel(DEBUG)
handler.setFormatter(Formatter(LOG_FORMAT))
paramiko_logger.addHandler(handler)
logger.debug("Create private key object from file")
key = None
try:
key = RSAKey.from_private_key(keyfile, password=passphrase)
except PasswordRequiredException as exception:
logger.critical(exception)
logger.debug("Create an SSH transport configured to the host")
transport = Transport(host)
logger.debug("Negotiate an SSH2 session")
transport.connect()
logger.debug("Attempt authenticating using a private key")
transport.auth_publickey(username, key)
logger.debug("Create an event for password auth")
password_auth_event = Event()
logger.debug("Create password auth handler from transport")
password_auth_handler = AuthHandler(transport)
logger.debug("Set transport auth_handler to password handler")
transport.auth_handler = password_auth_handler
logger.debug("Aquire lock on transport")
transport.lock.acquire()
logger.debug("Register the password auth event with handler")
password_auth_handler.auth_event = password_auth_event
logger.debug("Set the auth handler method to 'password'")
password_auth_handler.auth_method = 'password'
logger.debug("Set auth handler username")
password_auth_handler.username = username
logger.debug("Set auth handler password")
password_auth_handler.password = password
logger.debug("Create an SSH userauth message")
userauth_message = Message()
userauth_message.add_string('ssh-userauth')
userauth_message.rewind()
logger.debug("Make the password auth attempt")
password_auth_handler._parse_service_accept(userauth_message)
logger.debug("Release lock on transport")
transport.lock.release()
logger.debug("Wait for passwort auth response")
password_auth_handler.wait_for_response(password_auth_event)
logger.debug("Create an open SFTP client channel")
sftp = transport.open_sftp_client()
return sftp |
Would love to see a fix for this too. 👍 |
What's the latest on this? |
We ran into this issue and fixed it in a derived class, running fine at the moment. The issue, as stated above, is that paramiko sends a MSG_SERVICE_REQUEST message every time. So, we added a variable that indicates if the MSG_SERVICE_REQUEST has already been sent. When it is, the code will just continue with a new MSG_USERAUTH_REQUEST. |
Anyone else struggling with this, @teamdoug has posted the workaround solution above and it's confirmed working for me. There has been lot of chatter across multiple tickets and posts about needing Paramiko to handle this and pending PR's to fix it, but his solution is the only one that is a straightforward true solution that can be used today. Thank you @teamdoug I can now use Paramiko to connect to my client's sftp server that uses both key and unix user creds. Would have never figured this out on my own. |
I've pushed my own fix for this issue at ezrast@67521f6. @bitprophet, is a rewrite of the auth system still pending? If you'd like a PR let me know; otherwise I'll assume you're still planning on fixing this internally. |
Hello
I am trying to connect to an SFTP site that requires both password and publickey authentication.
Most likely, the SFTP site is not an OpenSSH server.
Unfortunately, Paramiko is not able to authenticate despite correct credentials.
No exception is raised during
auth_publickey
orauth_password
so I am assumingthe server responds with partial success.
OpenSSH's SFTP client can connect using the same credentials.
Is there any way I could debug this further?
Pierrr
Code:
Logs:
The text was updated successfully, but these errors were encountered: