Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upClient password authentication does not work on OpenSSH server versions < 7.0 #155
Comments
Rahul-RB
changed the title
pkittenis
changed the title
pkittenis
changed the title
|
Hi there, Thanks for the interest and report. Let's not mix in #141 - the OP has not responded and there is no guarantee it is same issue. It is not uncommon for the two clients to have different behaviour - they use different libraries. If paramiko works for you as a work around then great, but it is deprecated and pending removal. I don't think this is related to password auth, or python version, hence bug label removal. It is more likely the server is using a host key the library does not support. Should be able to confirm by looking at server logs when the native client connects. If you can also post server config to reproduce this with, that would be useful. Without being able to reproduce there is nothing to be done. |
|
Hi! Can you please tell me what server configs will be helpful? |
|
Contents of |
|
|
Unable to replicate so far - both Might be worth seeing if there is anything logged by the SSH server on the unsuccessful attempts. Usually this is in |
|
I can confirm the same issue when connecting to ESXi hosts. None of my Ubuntu hosts have problems connecting to when using native client. Its easy to repro if you have any VMware ESXi 6.0 hosts. While using paramiko client works fine. The problem is I would like to use the native client exclusively since the paramiko client will be removed in the future. ~# python3 test_pssh.py During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): |
|
I haven't tried with python2 so I cannot comment on whether this problem is exclusively with python3. I debugged a little further but I can conclude that the password is being passed correctly to native client. In spite of this I get an authentication failed error, which cannot be right. |
|
Hi @pkittenis , please find attached the auth.log file which has the lines only for the connection I tried via PSSH Native client., (I did Also, can confirm with @spctm , the VMs I'm connecting to are on VMWare ESXi 6.7.0. Please do let me now if there's any other information required since ESXi is a licensed product. |
@pkittenis , if it's any help, the latest Paramiko Client throws these warnings when trying to connect: I guess the two sets of warnings are repeated since I connect to two IPs at once. |
|
Thanks for the info, that is very useful. Could you also confirm the version of SSH server used - The fact they are VMs should not matter - the protocol does not change. The above paramiko warnings do not seem relevant either. The auth log shows it is failing in preauth, meaning password auth itself is not the issue. I suspect the hash algorithm used for password auth by the server is not supported by the version of libssh2 used - can confirm if this is the case once able to reproduce. Seem to recall FreeBSD has disabled SHA1, which might explain it. |
|
Hi, Sure. Though my Regards. |
|
I'm seeing the same behavior/errors as the OP when running the native client against systems with older versions of OpenSSH. The following machines return fine (with v2.5.0 and above): OpenSSH_7.4p1, LibreSSL 2.5.0 OpenSSH_7.9p1, LibreSSL 2.7.3 But I receive the "Password authentication failed" AuthenticationException from the systems below: OpenSSH_6.9p1, LibreSSL 2.1.8 OpenSSH_6.9p1, LibreSSL 2.1.8 OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 Not having issues when using Paramiko or ssh for any of the above. |
|
@nealdav Are those machines running on ESXi? Because if not, then I guess it's purely a case of older OpenSSH versions not being supported. |
They are not and where ssh config is concerned, they are stock machines, so older OpenSSH version support would appear to be a factor. |
|
Confirmed that using the native client, I'm able to successfully connect using private key auth to the systems above that were failing previously. So the issue appears to be specific to password-based auth on older OpenSSH versions. |
|
Hi @pkittenis any chance for older OpenSSH version support? |
|
Haven't had a chance to test yet I'm afraid. I did find a VM image of freebsd with the above openssh version to test with. Will get to it when free time allows (not much of that these days). If anyone has the time to help investigate, a from source build of libssh2 with debug traces enabled (ENABLE_DEBUG_LOGGING=ON cmake directive) and a debug log output of it connecting to <7.0 openssh would be most helpful. This will need a from source install of ssh2-python as well. |
|
@pkittenis No issues. I'll try making getting the FreeBSD image used for my installation and convert it into docker image this weekend. I'll post the link if I succeed. |
|
Freebsd cannot be run in docker apparently - have checked - hence the VM image which is provided by the freebsd project. VM is fine to test with. |
|
I see. Sure, I'll try obtaining a VM image of my current system and figure out a way to give a downloadable link. |
|
Meant that there is one available already. |
|
I'm getting the same error as well with Python 3.6.0 built from source on a Raspberry Pi with Stretch, so it's Raspbian 9 which is Debian based. ssh keys are configured for password-less login with the username ( pi@localhost ) being used with parallessh. The simple example on the parallelssh front page (https://github.com/ParallelSSH/parallel-ssh) fails with this error: ssh version: OpenSSH_7.4p1 Raspbian-10+deb9u6, OpenSSL 1.0.2r 26 Feb 2019 auth log indicates: May 3 00:11:14 iceCold sshd[1686]: Received disconnect from 127.0.0.1 port 60068:11: end [preauth] What else would help??? |
pkittenis
changed the title
pkittenis
changed the title
|
@comperem That does not look like same issue. Issue here is password authentication with OpenSSH servers < 7.0. Yours is pub key auth with 7.4. That is integration tested and known to work. The error message is also different and is saying the pub key did not work and no other auth methods are available. Suggest to confirm the same authentication method works with ssh binary first, then if not working only with library can raise a new issue with code to reproduce. If it does not work with ssh it will not work with the library either and that's not a code issue with library. |
|
Ok thank you. Agreed on all points.
I hadn't noticed the detail you did.
my ssh binary works fine with the pub key auth.
I'll investigate further.
…On Fri, May 3, 2019, 8:05 AM Panos ***@***.***> wrote:
@comperem <https://github.com/comperem> That does not look like same
issue. Issue here is password authentication with OpenSSH servers < 7.0.
Yours is pub key auth with 7.4. That is integration tested and known to
work. The error message is also different and is saying the pub key did not
work and no other auth methods are available.
Suggest to confirm the same authentication method works with ssh binary
first, then if not working only with library can raise a new issue with
code to reproduce. If it does not work with ssh it will not work with the
library either and that's not a code issue with library.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#155 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AG7MPYSD6IPNMRPFFXKZMTDPTQS7ZANCNFSM4GW4WYQA>
.
|
|
I'm also having the same exact password authentication issue on OpenSSH for Windows 8.0. p1, LibreSSL 2.6.5. I'm using Python 3.7.4. Public/private key authentication works perfectly with both paramiko and pssh. Password authentication works with paramiko but not pssh. Below is the cmd message after running my pssh code: C:\Users\Administrator\Desktop\without pw>python connect-lin-pssh.py During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): File "src\gevent\greenlet.py", line 766, in gevent._greenlet.Greenlet.run File "C:\Python3.7.4\lib\site-packages\gevent\threadpool.py", line 281, in _wo C:\Users\Administrator\Desktop\without pw>python connect-lin-pssh.py During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): File "src\gevent\greenlet.py", line 766, in gevent._greenlet.Greenlet.run File "C:\Python3.7.4\lib\site-packages\gevent\threadpool.py", line 281, in _wo I double checked ssh_config as well. Not sure why this is not working. Please advisde... Thank you. |
|
I am experiencing the same issue trying to connect to a SLES12-SP3 running OpenSSH_7.2p2 with username and password. It works fine on a different server running OpenSSH_7.4p1. self.session.userauth_password(user, password) |
|
Same error here: |
Bug report:
I have a remote host (say as some IP
ip1). I can connect to it:pssh.clients.miko.parallel.ParallelSSHClient).sshcommand.But using the Native parallel client is giving errors
Steps to reproduce: (Same steps as for Paramiko parallel client code above, just replace the import)
Expected behaviour: Give the outputs of commands.
Actual behaviour:
Gives a whole bunch of authentication errors:
Additional info:
psshversion1.9.1ssh2_pythonversion0.17.0paramikoversion2.4.2