使用pysftp验证主机密钥 [英] Verify host key with pysftp

问题描述

我正在使用pysftp编写程序，它想针对C:\Users\JohnCalvin\.ssh\known_hosts验证SSH主机密钥.

I am writing a program using pysftp, and it wants to verify the SSH host Key against C:\Users\JohnCalvin\.ssh\known_hosts.

使用PuTTY，终端程序将其保存到注册表[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys].

Using PuTTY, the terminal program is saving it to the Registry [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys].

如何调和pysftp和PuTTY之间的区别?

How do I reconcile the difference between pysftp and PuTTY?

我的代码是:

import pysftp as sftp

def push_file_to_server():
    s = sftp.Connection(host='138.99.99.129', username='root', password='*********')
    local_path = "testme.txt"
    remote_path = "/home/testme.txt"

    s.put(local_path, remote_path)
    s.close()

push_file_to_server()

我收到的错误响应是:

E:\ Program Files(x86)\ Anaconda3 \ lib \ site-packages \ pysftp__init __.py:61:用户警告:
无法从C:\ Users \ JohnCalvin.ssh \ known_hosts加载HostKeys.
您将需要显式加载HostKeys (cnopts.hostkeys.load(filename))或disableHostKey检查 (cnopts.hostkeys =无). warnings.warn(wmsg，UserWarning)追溯 (最近通话最近):文件 "E:\ OneDrive \ Python \ GIT \ DigitalCloud \ pysftp_tutorial.py"，第14行，在 push_file_to_server()文件"E:\ OneDrive \ Python \ GIT \ DigitalCloud \ pysftp_tutorial.py"，第7行，在 push_file_to_server s = sftp.Connection(主机='138.99.99.129'，用户名='root'，密码='********')文件"E:\ Program Files (x86)\ Anaconda3 \ lib \ site-packages \ pysftp__init __.py，第132行，在 初始化 self._tconnect ['hostkey'] = self._cnopts.get_hostkey(host)文件"E:\ Program Files (x86)\ Anaconda3 \ lib \ site-packages \ pysftp__init __.py，第71行，在 get_hostkey 引发SSHException(找不到主机％s的主机密钥."％host)paramiko.ssh_exception.SSHException:主机138.99.99.129的主机密钥 成立.在以下情况中忽略了异常:>追溯(大多数 最近一次通话):文件"E:\ Program Files (x86)\ Anaconda3 \ lib \ site-packages \ pysftp__init __.py，第1013行，在 del self.close()文件"E:\ Program Files(x86)\ Anaconda3 \ lib \ site-packages \ pysftp__init __.py"，行784，在 关闭 如果self._sftp_live:AttributeError:连接"对象没有属性"_sftp_live"

E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp__init__.py:61: UserWarning:
Failed to load HostKeys from C:\Users\JohnCalvin.ssh\known_hosts.
You will need to explicitly load HostKeys (cnopts.hostkeys.load(filename)) or disableHostKey checking (cnopts.hostkeys = None). warnings.warn(wmsg, UserWarning) Traceback (most recent call last): File "E:\OneDrive\Python\GIT\DigitalCloud\pysftp_tutorial.py", line 14, in push_file_to_server() File "E:\OneDrive\Python\GIT\DigitalCloud\pysftp_tutorial.py", line 7, in push_file_to_server s = sftp.Connection(host='138.99.99.129', username='root', password='********') File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp__init__.py", line 132, in init self._tconnect['hostkey'] = self._cnopts.get_hostkey(host) File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp__init__.py", line 71, in get_hostkey raise SSHException("No hostkey for host %s found." % host) paramiko.ssh_exception.SSHException: No hostkey for host 138.99.99.129 found. Exception ignored in: > Traceback (most recent call last): File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp__init__.py", line 1013, in del self.close() File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp__init__.py", line 784, in close if self._sftp_live: AttributeError: 'Connection' object has no attribute '_sftp_live'

推荐答案

请勿设置cnopts.hostkeys = None (如第二个最受好评的答案所示)，除非您不关心安全性.您失去了针对中间人攻击的保护这样做.

使用CnOpts.hostkeys(返回 HostKeys )管理受信任的主机密钥.

Use CnOpts.hostkeys (returns HostKeys) to manage trusted host keys.

cnopts = pysftp.CnOpts(knownhosts='known_hosts')

with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:

，其中known_hosts包含服务器公钥，格式如下:

where the known_hosts contains a server public key[s] in a format like:

example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...

---

如果您不想使用外部文件，也可以使用

---

If you do not want to use an external file, you can also use

from base64 import decodebytes
# ...

keydata = b"""AAAAB3NzaC1yc2EAAAADAQAB..."""
key = paramiko.RSAKey(data=decodebytes(keydata))
cnopts = pysftp.CnOpts()
cnopts.hostkeys.add('example.com', 'ssh-rsa', key)

with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:

尽管从pysftp 0.2.9开始，此方法将发出警告，似乎是一个错误:
无法加载主机密钥"使用pysftp连接到SFTP服务器时发出警告

Though as of pysftp 0.2.9, this approach will issue a warning, what seems like a bug:
"Failed to load HostKeys" warning while connecting to SFTP server with pysftp

以这种格式检索主机密钥的一种简单方法是使用OpenSSH ssh-keyscan :

An easy way to retrieve the host key in this format is using OpenSSH ssh-keyscan:

$ ssh-keyscan example.com
# example.com SSH-2.0-OpenSSH_5.3
example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...

您还可以使应用程序自动执行以下操作:
将Paramiko AutoAddPolicy与pysftp一起使用
(它将自动将新主机的主机密钥添加到known_hosts，但是对于已知的主机密钥，它将不接受更改的密钥)

You can also make the application do the same automatically:
Use Paramiko AutoAddPolicy with pysftp
(It will automatically add host keys of new hosts to known_hosts, but for known host keys, it will not accept a changed key)

尽管出于绝对的安全性考虑，但是如果您尚未受到攻击，则不能确保无法远程获取主机密钥.

Though for an absolute security, you should not retrieve the host key remotely, as you cannot be sure, if you are not being attacked already.

请参阅我的文章在哪里可以获取用于授权服务器的SSH主机密钥指纹?
用于我的WinSCP SFTP客户端，但是那里的大多数信息通常都是有效的.

See my article Where do I get SSH host key fingerprint to authorize the server?
It's for my WinSCP SFTP client, but most information there is valid in general.

如果仅需要使用指纹来验证主机密钥，请参见 Python-pysftp/paramiko-使用指纹来验证主机密钥.

If you need to verify the host key using its fingerprint only, see Python - pysftp / paramiko - Verify host key using its fingerprint.

这篇关于使用pysftp验证主机密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！