2-Factor authentication is not working #894
Comments
possibly related to #840 |
I have solved the problem and maybe there is a bug in paramiko?

```python
import paramiko
paramiko.util.log_to_file('/path/to/log')
hostname = 'server.name'
port = 12345
username = 'username'
password = 'password'
pkey = paramiko.RSAKey.from_private_key_file('/path/to/key')
transport = paramiko.Transport((hostname, port))
transport.connect()
# auth the public key as usual, auth service now is activated on server
transport.auth_publickey(username=username, key=pkey)
# try to send another userauth request without request auth service
m = paramiko.Message()
m.add_byte(paramiko.common.cMSG_USERAUTH_REQUEST)
m.add_string(username)
m.add_string('ssh-connection')
m.add_string('password')
m.add_boolean(False)
py3_password = paramiko.py3compat.bytestring(password)
m.add_string(py3_password)
transport._send_message(m)
# now it works! : )
sftp_client = paramiko.SFTPClient.from_transport(transport)
```

Maybe something like a service lock is needed in the AuthHandler module, in order to avoid requesting the auth service twice? |
Hi @bitprophet FYI, the server of this case is vshell |
@jacky15 Good to know, though unfortunately that makes it harder to test/troubleshoot, we almost exclusively deal with OpenSSH :( That said it's definitely possible there are some state-machine/order-of-ops bugs regarding connecting that vserver is more sensitive to, which we could fix. I don't have time to dig right now but offhand if I were you I'd:
Thanks! |
I have encountered this bug in a different way, but it's the same problem, and IMHO it's a bug in how paramiko handles authentication.

What I'm doing and what is happening

I'm using Patching paramiko to display incoming and outgoing messages shows the following sequence of events:

At this point

What should be happening

A connection with the OpenSSH ssh client to the same server is successful, with the following sequence of events:

Note: Steps 4 through 6 are purely optional and allow the ssh client to retrieve the list of authentication methods before trying any of them. Steps 7 and 8 are likewise optional and allow testing whether a pubkey is acceptable before requesting the passphrase for that pubkey.

Analysis

The bug in my case and in jacky15's case is in step 7 of the paramiko behaviour, vs. step 11 in the openssh behaviour. Message type 5 from RFC 4253 requests a service, in this case "ssh-userauth", which is further specified in RFC 4252. As far as I can see neither RFC specifies what is to happen if the same service is requested multiple times in sequence.

From my understanding of the RFCs all three behaviors are sane and valid. The OpenSSH ssh client behavior works with all three servers and is unconditionally safe. paramiko is at fault here. The bug happens in paramiko in the interaction between

Fix

I haven't got a pull request for this, since I'm not comfortable with how the But the control flow in

Workaround

The workaround provided by jacky15 is correct: The |
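The duplicate service request discussed in the analysis above, and the password request that @jacky15's workaround builds by hand, as an added example (not part of any comment in this thread and not paramiko code). It uses only the standard library; the helper names and both traces are constructed for illustration, with field layouts taken from RFC 4252 and RFC 4253.

```python
import struct

MSG_SERVICE_REQUEST = 5     # RFC 4253: client asks the server to start a service
MSG_USERAUTH_REQUEST = 50   # RFC 4252: one authentication attempt

def ssh_string(value):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    data = value.encode("utf-8") if isinstance(value, str) else value
    return struct.pack(">I", len(data)) + data

def read_string(buf, offset):
    """Decode one SSH string at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:start + length], start + length

def service_request(name):
    return bytes([MSG_SERVICE_REQUEST]) + ssh_string(name)

def userauth_request(username, method, method_fields):
    """byte 50, user name, service name, method name, method-specific fields."""
    return (bytes([MSG_USERAUTH_REQUEST]) + ssh_string(username)
            + ssh_string("ssh-connection") + ssh_string(method) + method_fields)

def repeated_service_requests(payloads):
    """Return (index, service) for each SERVICE_REQUEST that repeats an earlier one."""
    seen, repeats = set(), []
    for index, payload in enumerate(payloads):
        if payload[:1] != bytes([MSG_SERVICE_REQUEST]):
            continue
        service = read_string(payload, 1)[0].decode("ascii")
        if service in seen:
            repeats.append((index, service))
        seen.add(service)
    return repeats

# Constructed client-to-server traces; key blob and signature are placeholders.
PUBKEY = userauth_request("username", "publickey",  # TRUE, algorithm, blob, signature
    b"\x01" + ssh_string("ssh-rsa") + ssh_string(b"<blob>") + ssh_string(b"<sig>"))
PASSWORD = userauth_request("username", "password",  # FALSE (no change), password
    b"\x00" + ssh_string("password"))
TWO_CALLS = [service_request("ssh-userauth"), PUBKEY,
             service_request("ssh-userauth"), PASSWORD]
WORKAROUND = [service_request("ssh-userauth"), PUBKEY, PASSWORD]

if __name__ == "__main__":
    print(repeated_service_requests(TWO_CALLS), repeated_service_requests(WORKAROUND))
```

Fed the outgoing payloads from a debug-patched client, a non-empty result means the client requested `ssh-userauth` more than once on the same connection.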
Hi, I'm trying to connect to a server which asks: I tried the following code:
It failed password authentication, then I tried
but again authentication failed. Could you please tell me what the actual problem is? The following is the error from paramiko debug:
|
@shoaib-intro, I think your problem is distinct from the one described in this issue -- you're trying to send two text passphrases, whereas this issue is about a combined password plus public key authentication process. Please open a new issue for this problem you're facing. Thanks! |
I have opened a new issue, could you please answer it! #2074 |
I encountered the same issue as described here and @jacky15's suggestion worked. Has there been any progress updating Paramiko to work better in this particular case? I feel like it might be good to have an auth method that could handle public key + password rather than having to call two that interact in an unexpected way. As for me calling What is strange is that I'm interacting with another SFTP server that also uses 'password' + 'publickey' and there calling the |
I tried https://stackoverflow.com/questions/28837089/multi-factor-authentication-password-and-key-with-paramiko/53643168#53643168 as an alternative to @jacky15's and that worked for me too. |
Possibly under the umbrella of the key/auth overhaul of #387 |
Hi there:
I am trying to connect to a server which needs two authentications: public-key and password.
I always get the authentication failed exception when using paramiko to connect to the server.
When using the sftp client, I got the logs below:
and the paramiko logs show
Here is my Python code: