SSHClient Fails to use password authentication when local keychain exists #391

@erikalfthan

When I use SSHClient to connect to a remote host with password authentication, it fails when I have a local key-file (unrelated) on the client machine. A paramiko.ssh_exception.AuthenticationException is thrown, instead of continuing to ssh password authentication.

Workaround: Use option look_for_keys=False

This workaround is only possible if you control the SSHClient object yourself, not if you use a lib built on paramiko.

Environment
File /home/<user>/.ssh/id_rsa exists (but not relevant to remote host)

Code to reproduce:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("remotehost", username="myuser", password="mypassword")

Trace

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 273, in connect
    self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 456, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.4/dist-packages/paramiko/client.py", line 447, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/transport.py", line 1057, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.4/dist-packages/paramiko/auth_handler.py", line 165, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

Excerpt from "DEBUG-level log"

DEBUG:paramiko.transport:Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-dss; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying discovered key b'<removed>' in /home/<removed>/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
INFO:paramiko.transport:Disconnect (code 2): unexpected SSH_MSG_SERVICE_REQUEST

The last two lines are not logged and the exception is not thrown when the connection is made with the workaround:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("remotehost", username="myuser", password="mypassword", look_for_keys=False)

DEBUG:paramiko.transport:starting thread (client mode): 0x64d76048
INFO:paramiko.transport:Connected (version 2.0, client 1.37c)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-dss'] client encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-cbc', 'arcfour', 'cast128-cbc'] server encrypt:['aes256-cbc', 'twofish256-cbc', 'twofish-cbc', 'aes128-cbc', 'twofish128-cbc', 'blowfish-cbc', '3des-cbc', 'arcfour', 'cast128-cbc'] client mac:['hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib'] server compress:['none', 'zlib'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Ciphers agreed: local=aes128-cbc, remote=aes128-cbc
DEBUG:paramiko.transport:using kex diffie-hellman-group1-sha1; server key type ssh-dss; cipher: local aes128-cbc, remote aes128-cbc; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
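
A triage helper for the two log excerpts in the report above, added here as an example; it is not part of the original issue or of paramiko. The function name `triage`, the report fields and the verdict strings are assumptions, and the sample input is constructed from the excerpts above.

```python
import re

# Constructed sample input, copied from the two DEBUG excerpts in the report.
FAILING_LOG = """\
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Trying discovered key b'<removed>' in /home/<removed>/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
INFO:paramiko.transport:Disconnect (code 2): unexpected SSH_MSG_SERVICE_REQUEST
"""
WORKAROUND_LOG = """\
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
"""

AUTH_RE = re.compile(r"Authentication \((?P<method>[\w-]+)\) (?P<result>failed|successful)")
KEY_RE = re.compile(r"Trying discovered key .* in (?P<path>\S+)")
DISC_RE = re.compile(r"Disconnect \(code (?P<code>\d+)\): (?P<reason>.*)")


def triage(log_text):
    """Summarise the auth sequence in a paramiko.transport log excerpt."""
    report = {"discovered_keys": [], "attempts": [], "disconnect": None,
              "verdict": "inconclusive"}
    for line in log_text.splitlines():
        if m := KEY_RE.search(line):
            report["discovered_keys"].append(m["path"])
        elif m := AUTH_RE.search(line):
            report["attempts"].append((m["method"], m["result"]))
        elif m := DISC_RE.search(line):
            report["disconnect"] = (int(m["code"]), m["reason"].strip())
            break  # nothing after a disconnect belongs to this session
    attempts = report["attempts"]
    if attempts and attempts[-1][1] == "successful":
        report["verdict"] = "authenticated via " + attempts[-1][0]
    elif (report["discovered_keys"] and report["disconnect"]
          and attempts and attempts[-1] == ("publickey", "failed")):
        # Pattern from this issue: a discovered key was offered and rejected,
        # then the server disconnected with no password result logged.
        report["verdict"] = ("discovered key rejected, then disconnect; "
                             "retry with look_for_keys=False")
    return report
```

Feeding it the captured `paramiko.transport` log from a wrapped library call shows whether a key picked up from `~/.ssh` was offered before the password, which is the condition the `look_for_keys=False` workaround removes.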
