Python-pysftp/paramiko-使用指纹验证主机密钥 [英] Python - pysftp / paramiko - Verify host key using its fingerprint

问题描述

此代码引发异常.如何在不将SSH指纹存储在文件中的情况下进行验证?我相信以下代码是为公共密钥设计的.但是带有SFTP服务器的客户端验证了指纹，但没有获得我的公钥.

This code throws an exception. How can I verify an SSH fingerprint without storing it in a file? I believe the code below is designed for a public key. But the client with the SFTP server validated the fingerprint and did not get me the public key.

import os
import shutil

import pysftp
import paramiko

connection_info = {
    'server': "example.com",
    'user': "user",
    'passwd': "password",
    'target_dir': "out/prod",
    'hostkey': "ssh-rsa 2048 d8:4e:f1:f1:f1:f1:f1:f1:21:31:41:14:13:12:11:aa",
}

def move_files_from_server_to_local(server, localpath):
    target_dir = server['target_dir']
    keydata = "d8:4e:f1:f1:f1:f1:f1:f1:21:31:41:14:13:12:11:aa"
    key = paramiko.RSAKey(data=decodebytes(keydata))
    options = pysftp.CnOpts()
    options.hostkeys.add('example.com', 'ssh-rsa', key)
    with pysftp.Connection(
                    server['server'],
                    username=server['user'],
                    password=server['passwd'],
                    cnopts=options) as conn:
        conn.get_d(target_dir, localpath)
        delete_files_from_dir(conn, target_dir)

move_files_from_server_to_local(connection_info, "/")

代码基于使用pysftp验证主机密钥.

推荐答案

根据您的需要，可以使用以下两种方法之一:

Depending on your needs you can use either of these two methods:

使用 ssh-keyscan (或类似名称)来检索主机公钥:

ssh-keyscan example.com > tmp.pub

tmp.pub看起来像(known_hosts文件格式):

The tmp.pub will look like (known_hosts file format):

example.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0hVqZOvZ7yWgie9OHdTORJVI5fJJoH1yEGamAd5G3werH0z7e9ybtq1mGUeRkJtea7bzru0ISR0EZ9HIONoGYrDmI7S+BiwpDBUKjva4mAsvzzvsy6Ogy/apkxm6Kbcml8u4wjxaOw3NKzKqeBvR3pc+nQVA+SJUZq8D2XBRd4EDUFXeLzwqwen9G7gSLGB1hJkSuRtGRfOHbLUuCKNR8RV82i3JvlSnAwb3MwN0m3WGdlJA8J+5YAg4e6JgSKrsCObZK7W1R6iuyuH1zA+dtAHyDyYVHB4FnYZPL0hgz2PSb9c+iDEiFcT/lT4/dQ+kRW6DYn66lS8peS8zCJ9CSQ==

现在，您可以使用 ssh-keygen :

Now, you can calculate a fingerprint of that public key with ssh-keygen:

ssh-keygen -l -f tmp.pub -E md5

(仅将-E md5与支持多种指纹算法且默认为SHA256的OpenSSH的较新版本一起使用)

(use the -E md5 only with newer versions of OpenSSH that support multiple fingerprint algorithms and default to SHA256)

您将得到类似的东西:

2048 MD5:c4:26:18:cf:a0:15:9a:5f:f3:bf:96:d8:3b:19:ef:7b example.com (RSA)

如果指纹与您拥有的指纹匹配，则现在可以安全地假定tmp.pub是合法的公钥，并在代码中使用它:

If the fingerprint matches with the one you have, you can now safely assume that the tmp.pub is a legitimate public key and use it in the code:

from base64 import decodebytes
# ...

keydata = b"""AAAAB3NzaC1yc2EAAAABIwAAAQEA0hV..."""
key = paramiko.RSAKey(data=decodebytes(keydata))
cnopts = pysftp.CnOpts()
cnopts.hostkeys.add('example.com', 'ssh-rsa', key)

with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:

(基于使用pysftp验证主机密钥)

例如因为指纹来自外部配置.

E.g. because the fingerprint comes from an external configuration.

我不确定pysftp的有限API是否允许这样做.您可能必须跳过pysftp并直接使用 Paramiko库(pysftp在内部使用Paramiko).

I'm not sure if a limited API of pysftp allows that. You probably would have to skip pysftp and use Paramiko library directly (pysftp uses Paramiko internally).

使用Paramiko，您可以巧妙地实现 界面.

With Paramiko, you can cleverly implement MissingHostKeyPolicy interface.

从 AutoAddPolicy 已实现:

Start with how AutoAddPolicy is implemented:

class AutoAddPolicy (MissingHostKeyPolicy):
    """
    Policy for automatically adding the hostname and new host key to the
    local `.HostKeys` object, and saving it.  This is used by `.SSHClient`.
    """

    def missing_host_key(self, client, hostname, key):
        client._host_keys.add(hostname, key.get_name(), key)
        if client._host_keys_filename is not None:
            client.save_host_keys(client._host_keys_filename)
        client._log(DEBUG, 'Adding %s host key for %s: %s' %
                    (key.get_name(), hostname, hexlify(key.get_fingerprint())))

请注意，在代码中，hexlify(key.get_fingerprint())中有可用的指纹.只需将该值与您拥有的指纹进行比较即可.如果匹配，请返回.否则会引发异常， 就像 RejectPolicy 一样.

Note that in the code you have the fingerprint available in hexlify(key.get_fingerprint()). Just compare that value against the fingerprint you have. If it matches, just return. Otherwise raise an exception, like the RejectPolicy does.

另一种解决方案(甚至可以与pysftp一起使用)是实现 __cmp__方法仅比较指纹.然后可以将PKey的此类实例添加到cnopts.hostkeys.add.

Another solution (which would work even with pysftp) is to implement PKey in a way that it holds only the fingerprint. And implement its __cmp__ method to compare the fingerprint only. Such an instance of PKey can then be added to cnopts.hostkeys.add.

OP在他的答案中发布了此方法的实现.据说对于Python 3，需要更复杂的实现，如仅使用服务器指纹使用pysftp和Python 3连接到SFTP服务器.

OP posted an implementation of this approach in his answer. Allegedly for Python 3, more complex implementation is needed, as seen in Connecting to an SFTP server using pysftp and Python 3 with just the server fingerprint.

这篇关于Python-pysftp/paramiko-使用指纹验证主机密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！