Python Paramiko 中的密码身份验证失败，但相同的凭据在 SSH/SFTP 客户端中有效 [英] Password authentication in Python Paramiko fails, but same credentials work in SSH/SFTP client

问题描述

我在尝试使用 Paramiko (Python) 创建 SFTP 客户端时遇到了困难.

I'm having a hard time trying to create an SFTP client using Paramiko (Python).

代码:

 import paramiko as sftp

 transport = sftp.Transport(('myhost', port), 
    default_max_packet_size=10000, default_window_size=10000)
 transport.connect(username='myuser', password='mypassword')
 client_from_transport = sftp.SFTPClient.from_transport(transport)

错误:

Traceback (most recent call last):
    File "sftp.py", line 91, in <module>
    sftp_client = create_sftp_client()
    File "...sftp.py", line 63, in create_sftp_client
    client_from_transport = sftp.SFTPClient.from_transport(transport)
    File "...PythonPython37Libsite-packagesparamikosftp_client.py", 
    line 165, in from_transport
    window_size=window_size, max_packet_size=max_packet_size
    File "...PythonPython37Libsite-packagesparamiko	ransport.py", line 
    806, in open_session
    timeout=timeout,
    File "...PythonPython37Libsite-packagesparamiko	ransport.py", line 
    933, in open_channel
    raise e
    File "...PythonPython37Libsite-packagesparamiko	ransport.py", line 
    1982, in run
    ptype, m = self.packetizer.read_message()
    File "...PythonPython37Libsite-packagesparamikopacket.py", line 
    441, in read_message
    header = self.read_all(self.__block_size_in, check_rekey=True)
    File "...PythonPython37Libsite-packagesparamikopacket.py", line 
    290, in read_all
    raise EOFError()
    EOFError

打印传输对象显示:

<paramiko.Transport at 0x68d0c1d0 (cipher aes128-ctr, 128 bits) (connected; awaiting auth)>

Paramiko 日志文件:

Paramiko log file:

DEB [20190403-12:31:01.550] thr=1   paramiko.transport: starting thread (client mode): 0xfbc42780
DEB [20190403-12:31:01.550] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.2
DEB [20190403-12:31:01.567] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-Server
INF [20190403-12:31:01.567] thr=1   paramiko.transport: Connected (version 2.0, client Server)
DEB [20190403-12:31:01.571] thr=1   paramiko.transport: kex algos:['ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group18-sha512', 'diffie-hellman-group17-sha512', 'diffie-hellman-group16-sha512', 'diffie-hellman-group15-sha512', 'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'aes192-cbc', 'aes256-cbc'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'aes192-cbc', 'aes256-cbc'] client mac:['hmac-md5', 'hmac-sha1', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib', 'zlib@openssh.com'] server compress:['none', 'zlib', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEB [20190403-12:31:01.572] thr=1   paramiko.transport: Kex agreed: ecdh-sha2-nistp256
DEB [20190403-12:31:01.572] thr=1   paramiko.transport: HostKey agreed: ssh-rsa
DEB [20190403-12:31:01.572] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20190403-12:31:01.572] thr=1   paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20190403-12:31:01.572] thr=1   paramiko.transport: Compression agreed: none
DEB [20190403-12:31:01.654] thr=1   paramiko.transport: kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
DEB [20190403-12:31:01.669] thr=1   paramiko.transport: Switch to new keys ...
DEB [20190403-12:31:01.670] thr=2   paramiko.transport: Attempting password auth...
DEB [20190403-12:31:01.689] thr=1   paramiko.transport: userauth is OK
INF [20190403-12:31:02.010] thr=1   paramiko.transport: Authentication continues...
DEB [20190403-12:31:02.010] thr=1   paramiko.transport: Methods: ['keyboard-interactive']
DEB [20190403-12:31:02.010] thr=2   paramiko.transport: [chan 0] Max packet in: 10000 bytes
DEB [20190403-12:31:02.026] thr=1   paramiko.transport: EOF in transport thread

但 SFTP 在 FileZilla 中有效:

But SFTP works in FileZilla:

2019-04-03 13:02:36 13796 1 Status: Connecting to xxxxxx...
2019-04-03 13:02:36 13796 1 Trace: CControlSocket::SendNextCommand()
2019-04-03 13:02:36 13796 1 Trace: CSftpDeleteOpData::Send() in state 0
2019-04-03 13:02:36 13796 1 Trace: Going to execute C:Program FilesFileZilla FTP Clientfzsftp.exe
2019-04-03 13:02:36 13796 1 Response: fzSftp started, protocol_version=8
2019-04-03 13:02:36 13796 1 Trace: CSftpDeleteOpData::ParseResponse() in state 0
2019-04-03 13:02:36 13796 1 Trace: CControlSocket::SendNextCommand()
2019-04-03 13:02:36 13796 1 Trace: CSftpDeleteOpData::Send() in state 3
2019-04-03 13:02:36 13796 1 Command: open "user" 2222
2019-04-03 13:02:36 13796 1 Trace: Connecting to ip port 2222
2019-04-03 13:02:36 13796 1 Trace: We claim version: SSH-2.0-FileZilla_3.41.2
2019-04-03 13:02:36 13796 1 Trace: Server version: SSH-2.0-Server
2019-04-03 13:02:36 13796 1 Trace: Using SSH protocol version 2
2019-04-03 13:02:36 13796 1 Trace: Doing ECDH key exchange with curve nistp256 and hash SHA-256
2019-04-03 13:02:36 13796 1 Trace: Host key fingerprint is:
2019-04-03 13:02:36 13796 1 Trace: ssh-rsa 1024 xxxx=
2019-04-03 13:02:36 13796 1 Trace: Initialised AES-256 SDCTR client->server encryption
2019-04-03 13:02:36 13796 1 Trace: Initialised HMAC-SHA-256 client->server MAC algorithm
2019-04-03 13:02:36 13796 1 Trace: Initialised AES-256 SDCTR server->client encryption
2019-04-03 13:02:36 13796 1 Trace: Initialised HMAC-SHA-256 server->client MAC algorithm
2019-04-03 13:02:36 13796 1 Trace: Attempting keyboard-interactive authentication
2019-04-03 13:02:36 13796 1 Trace: Using keyboard-interactive authentication. inst_len: 0, num_prompts: 1
2019-04-03 13:02:36 13796 1 Command: Pass: ********
2019-04-03 13:02:36 13796 1 Trace: Access granted
2019-04-03 13:02:36 13796 1 Trace: Opening session as main channel
2019-04-03 13:02:37 13796 1 Trace: Opened main channel
2019-04-03 13:02:37 13796 1 Trace: Started a shell/command
2019-04-03 13:02:37 13796 1 Status: Connected to xxxx

我在尝试使用 sftp_client = SSHClient() 而不是通过 Transport 对象创建 SFTP 客户端时遇到了同样的错误.还尝试在创建传输对象时添加 timeout=timeout，但没有帮助.

I got the same error when trying to create an SFTP client using sftp_client = SSHClient() instead of going through a Transport object. Also tried adding timeout=timeout when creating my transport object, did not help.

对此有什么想法吗?

推荐答案

您的服务器正在使用键盘交互身份验证，而不是简单的密码身份验证.

Your server is using a keyboard-interactive authentication, not a simple password authentication.

通常情况下，当密码验证失败并且键盘交互提示只有一个字段(可能是密码)时，Paramiko 足够聪明，可以回退到键盘交互验证.

Normally Paramiko is smart enough to fallback to the keyboard-interactive authentication, when the password authentication fails and the keyboard-interactive prompt has one field only (likely a password).

问题在于您的服务器表现得好像密码认证成功一样.

The problem is that your server behaves, as if the password authentication succeeded.

您可以使用以下代码明确让 Paramiko 尝试键盘交互身份验证:

You can explicitly make Paramiko try the keyboard-interactive authentication using this code:

def handler(title, instructions, fields):
    if len(fields) > 1:
        raise SSHException("Expecting one field only.")
    return [password]

transport = paramiko.Transport('example.com') 
transport.connect(username='myuser')
transport.auth_interactive(username, handler)

这篇关于Python Paramiko 中的密码身份验证失败，但相同的凭据在 SSH/SFTP 客户端中有效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！