Paramiko-错误的身份验证类型[Cisco SG-300交换机] [英] Paramiko - Bad Authentication Type [Cisco SG-300 Switch]

问题描述

我在以下链接上的ssh上使用配置脚本。该脚本并不重要，重要的是导入parmaiko模块。但我添加了一个链接：

I use the configuration script over the ssh on the following link.The Script is not important, the important thing is that importing parmaiko module. But I added a link:

https ：//github.com/enessanal/NetConfPy/blob/master/netconf.py

和相关代码段：

import paramiko
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    ssh.connect(hostname=host,port=port,username=username,password=password,timeout=timeout)
except Exception as exception:
    print(str(exception))

该脚本可以成功运行所有linux设备，包括旧型号的HP交换机，除了一台设备，即SG-300交换机。我想我明白问题所在。问题与交换机有关。
这种类型的开关的行为不同。当使用ssh命令或通过Putty尝试正常的ssh连接时，会出现两种身份验证机制。第一个是登录为。另一个是用户名。我们对第二个感兴趣。但是程序（paramiko客户端）不能绕过登录为。部分。并抛出错误的身份验证类型。每次都例外。
如何解决此问题？还是有另一种通过ssh连接自动配置的方法？

The script run successfully all linux devices including old model HP switches except one device, Cisco SG-300 Switch. I think I understand the problem. The problem is about the Switch. This type of switches behave differently. When trying a normal ssh connection with ssh command or through Putty, two authentication mechanisms occur. First one is "Login as" and the other one is "username". We interested in the second one. But the program (paramiko client) can not bypass "login as" part. And throw "Bad authentication type" Exception for every time. How can I solve this problem? Or is there another method for automate configurations through ssh connection?

调试信息：

OpenSSH_7.9p1 Debian-1, OpenSSL 1.1.1  11 Sep 2018

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname 10.39.31.11 is address
debug2: ssh_connect_direct
debug1: Connecting to 10.39.31.11 [10.39.31.11] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1.RL
debug1: match: OpenSSH_7.3p1.RL pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 10.39.31.11:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from 10.39.31.11
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 1001/2048
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:dS79N4clCGySrehvWW5kpCRgm3VXlYClD0pyoaYSNoQ
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from 10.34.35.11
debug1: Host '10.39.31.11' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:9
debug2: bits set: 1068/2048
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa 
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (none).

Authenticated to 10.39.31.11 ([10.39.31.11]:22).

debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 5 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x08
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_CONNECTION
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env USER
debug3: Ignored env PWD
debug3: Ignored env HOME
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SSH_TTY
debug3: Ignored env MAIL
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env SHLVL
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PATH
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 2097152 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0




User Name:wrong_credentils_don't_effect_the_logs
Password:***

User Name:cisco
Password:************

Switch1>exit
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug2: channel 0: output open -> drain
debug2: channel 0: chan_shutdown_read (i0 o1 sock -1 wfd 6 efd 8 [write])
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i3 o1 sock -1 wfd 7 efd 8 [write])
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/8 sock -1 cc -1)

debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to 10.39.31.11 closed.
Transferred: sent 3552, received 2776 bytes, in 28.7 seconds
Bytes per second: sent 123.9, received 96.8
debug1: Exit status -1

和paramiko日志文件：

And paramiko log file:

DEB [20181204-11:25:17.677] thr=1   paramiko.transport: starting thread (client mode): 0x3c1fed0
DEB [20181204-11:25:17.677] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.2
DEB [20181204-11:25:17.695] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_7.3p1.RL
INF [20181204-11:25:17.695] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_7.3p1.RL)
DEB [20181204-11:25:18.015] thr=1   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: Kex agreed: diffie-hellman-group-exchange-sha1
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: HostKey agreed: ssh-rsa
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: MAC agreed: hmac-sha1
DEB [20181204-11:25:18.016] thr=1   paramiko.transport: Compression agreed: none
DEB [20181204-11:25:18.027] thr=1   paramiko.transport: Got server p (2048 bits)
DEB [20181204-11:25:18.459] thr=1   paramiko.transport: kex engine KexGex specified hash_algo <built-in function openssl_sha1>
DEB [20181204-11:25:18.459] thr=1   paramiko.transport: Switch to new keys ...
DEB [20181204-11:25:18.460] thr=2   paramiko.transport: Adding ssh-rsa host key for 10.39.31.11: b'd6d12a09458873202a0e271b90d38a7d'
DEB [20181204-11:25:18.936] thr=1   paramiko.transport: userauth is OK
DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Authentication type (password) not permitted.
DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Allowed methods: ['']
DEB [20181204-11:25:18.941] thr=1   paramiko.transport: EOF in transport thread
DEB [20181204-11:25:18.946] thr=3   paramiko.transport: starting thread (client mode): 0x386b0f0
DEB [20181204-11:25:18.947] thr=3   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.2
DEB [20181204-11:25:19.245] thr=3   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_7.3p1.RL
INF [20181204-11:25:19.245] thr=3   paramiko.transport: Connected (version 2.0, client OpenSSH_7.3p1.RL)
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'chacha20-poly1305@openssh.com'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: Kex agreed: diffie-hellman-group-exchange-sha1
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: HostKey agreed: ssh-rsa
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20181204-11:25:19.566] thr=3   paramiko.transport: MAC agreed: hmac-sha1
DEB [20181204-11:25:19.567] thr=3   paramiko.transport: Compression agreed: none
DEB [20181204-11:25:19.576] thr=3   paramiko.transport: Got server p (2048 bits)
DEB [20181204-11:25:19.946] thr=3   paramiko.transport: kex engine KexGex specified hash_algo <built-in function openssl_sha1>
DEB [20181204-11:25:19.946] thr=3   paramiko.transport: Switch to new keys ...
DEB [20181204-11:25:19.947] thr=2   paramiko.transport: Adding ssh-rsa host key for 10.39.31.11: b'd6d12a09458873202a0e271b90d38a7d'
DEB [20181204-11:25:20.486] thr=3   paramiko.transport: userauth is OK
DEB [20181204-11:25:20.491] thr=3   paramiko.transport: Authentication type (password) not permitted.
DEB [20181204-11:25:20.491] thr=3   paramiko.transport: Allowed methods: ['']
DEB [20181204-11:25:20.492] thr=3   paramiko.transport: EOF in transport thread

异常字符串程序抛出：

[*] Testing connection...
[*] Getting banner...
[+] Banner => SSH-2.0-OpenSSH_7.3p1.RL
[-] Failed to connect => 10.39.31.11:22 (('Bad authentication type', ['']) (allowed_types=['']))
[*] Exiting...

非常感谢。

Cisco ssh连接屏幕

推荐答案

服务器（交换机）不支持任何SSH身份验证方法：

The server (switch) does not support any SSH authentication methods:

DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Authentication type (password) not permitted.
DEB [20181204-11:25:18.940] thr=1   paramiko.transport: Allowed methods: ['']

它实际上使用简单的I / O（类似于Telnet）来提示输入凭据。

It actually uses simple I/O (Telnet-like) to prompt for credentials.

正如您指示Paramiko使用标准SSH密码身份验证（通过向 SSHClient.connect（）提供密码，密码将失败。

As you instructed Paramiko to use standard SSH password authentication (by providing a password to SSHClient.connect()), it fails.

Paramiko（与<$ c相反） $ c> ssh ）不支持无身份验证（或不直接）。

Paramiko (contrary to ssh) does not support "none" authentication (or not directly).

尽管这可能有效：

• 不提供密码至 SSHClient.connect（）


• SSHClient.connect（）应该会失败，并出现 SSHException（'No可用的身份验证方法'）-吞噬该异常



• 现在您已连接到服务器，但未通过身份验证。要使用无 SSH身份验证进行身份验证，请调用 Transport.auth_none（） ：

• Do not provide password to SSHClient.connect()
• SSHClient.connect() should fail with SSHException('No authentication methods available') - swallow that exception

• Now you are connected to the server, but not authenticated. To authenticate using "none" SSH authentication, call Transport.auth_none():

ssh.get_transport().auth_none(username)

现在就SSH而言，应该经过认证。同样， ssh 认为它已经过身份验证，甚至在您没有任何提示输入凭据之前：

Now you should be "authenticated", as far as SSH is concerned. The same way, ssh believes it's authenticated, even before you get any prompt for credentials:

debug1: Authentication succeeded (none).

Authenticated to 10.39.31.11 ([10.39.31.11]:22).

...

User Name:wrong_credentils_don't_effect_the_logs
Password:***

User Name:cisco
Password:************

---

然后，如果您尝试使用 SSHClient.invoke_shell（） （如果您尝试使用 SSHClient.exec_command（）执行命令，也可能-尽管我假设服务器将不支持此接口），但服务器将使用I / O提示您输入用户名和密码。

---

Then, if you attempt to open "shell" using SSHClient.invoke_shell() (and maybe also if you attempt to execute a command using SSHClient.exec_command() - though I would assume that the server won't support this interface), the server will prompt you for a username and a password using I/O.

尝试以这种方式提供凭据：

Try to provide the credentials this way:

channel = ssh.invoke_shell()
channel.send(username + "\n")
channel.send(password + "\n")

（您可能需要等待提示，然后才能提供凭据[类似于预期的]，如果服务器不接受，则立即提供）。

(you may need to wait for prompts before feeding credentials [expect-like], if the server won't accept them, when provided immediately).

强制性警告：除非您不关心安全性，否则请不要使用 AutoAddPolicy 。您正在以这种方式失去针对MITM攻击的保护。

有关正确的解决方案，请参见 Paramiko Unknown服务器 。

Obligatory warning: Do not use AutoAddPolicy, unless you do not care about security. You are losing a protection against MITM attacks this way.
For a correct solution, see Paramiko "Unknown Server".

这篇关于Paramiko-错误的身份验证类型[Cisco SG-300交换机]的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！