Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Password authentication failure on OpenSSH 8.2 servers #298

Open
AlgoQ opened this issue May 24, 2021 · 10 comments
Open

Password authentication failure on OpenSSH 8.2 servers #298

AlgoQ opened this issue May 24, 2021 · 10 comments

Comments

@AlgoQ
Copy link

AlgoQ commented May 24, 2021

I'm trying to run a single command on multiple servers, my server provider is vultr. But I get a AuthenticationException.

Code:

from pssh.clients import ParallelSSHClient

hosts = []
pw = 'xxx'

client = ParallelSSHClient(hosts, user='root', password=pw)

output = client.run_command('python -V')

for host_out in output:
    for line in host_out.stdout:
        print(line)
    exit_code = host_out.exit_code

Error:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 208, in _auth_retry
    self.auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 355, in auth
    self._password_auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/native/single.py", line 229, in _password_auth
    self.session.userauth_password(self.user, self.password)
  File "ssh2/session.pyx", line 321, in ssh2.session.Session.userauth_password
  File "ssh2/utils.pyx", line 166, in ssh2.utils.handle_error_codes
ssh2.exceptions.AuthenticationError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 208, in _auth_retry
    self.auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 355, in auth
    self._password_auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/native/single.py", line 229, in _password_auth
    self.session.userauth_password(self.user, self.password)
  File "ssh2/session.pyx", line 321, in ssh2.session.Session.userauth_password
  File "ssh2/utils.pyx", line 166, in ssh2.utils.handle_error_codes
ssh2.exceptions.AuthenticationError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 208, in _auth_retry
    self.auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 355, in auth
    self._password_auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/native/single.py", line 229, in _password_auth
    self.session.userauth_password(self.user, self.password)
  File "ssh2/session.pyx", line 321, in ssh2.session.Session.userauth_password
  File "ssh2/utils.pyx", line 166, in ssh2.utils.handle_error_codes
ssh2.exceptions.AuthenticationError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/run/media/kobej/D/trabro2/test/testParallelSsh.py", line 19, in <module>
    output = client.run_command('python -V')
  File "/usr/lib/python3.9/site-packages/pssh/clients/native/parallel.py", line 213, in run_command
    return BaseParallelSSHClient.run_command(
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 197, in run_command
    return self._get_output_from_cmds(cmds, raise_error=stop_on_errors,
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 204, in _get_output_from_cmds
    finished = joinall(_cmds, raise_error=True)
  File "src/gevent/greenlet.py", line 1057, in gevent._gevent_cgreenlet.joinall
  File "src/gevent/greenlet.py", line 1073, in gevent._gevent_cgreenlet.joinall
  File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
  File "/usr/lib/python3.9/site-packages/gevent/_compat.py", line 65, in reraise
    raise value.with_traceback(tb)
  File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 216, in _get_output_from_greenlet
    raise ex
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 209, in _get_output_from_greenlet
    host_out = cmd.get()
  File "src/gevent/greenlet.py", line 803, in gevent._gevent_cgreenlet.Greenlet.get
  File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
  File "/usr/lib/python3.9/site-packages/gevent/_compat.py", line 65, in reraise
    raise value.with_traceback(tb)
  File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 285, in _run_command
    raise ex
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 277, in _run_command
    _client = self._make_ssh_client(host_i, host)
  File "/usr/lib/python3.9/site-packages/pssh/clients/native/parallel.py", line 239, in _make_ssh_client
    _client = SSHClient(
  File "/usr/lib/python3.9/site-packages/pssh/clients/native/single.py", line 123, in __init__
    super(SSHClient, self).__init__(
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 195, in __init__
    self._init()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 200, in _init
    self._auth_retry()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 212, in _auth_retry
    return self._auth_retry(retries=retries+1)
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 212, in _auth_retry
    return self._auth_retry(retries=retries+1)
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 214, in _auth_retry
    raise AuthenticationError(msg, self.host, self.port, ex)
pssh.exceptions.AuthenticationError: ('Authentication error while connecting to %s:%s - %s', '198.13.47.107', 22, AuthenticationError())

System:

  • Linux (Manjaro KDE)
  • Python 3.9
  • parallel-ssh version 2.5.4
@pkittenis
Copy link
Member

Hi there,

Thanks for the interest. Best to check authentication works with regular ssh first, then try using the library with the same authentication method. Typically root logins are not allowed.

Not seeing an issue with library, closing.

@AlgoQ
Copy link
Author

AlgoQ commented May 24, 2021

Yeah I'm able to connect to the servers with regular ssh. But yeah I'm using the root account, isn't there a workaround to login with a root?

@pkittenis
Copy link
Member

Login works with root using the ssh binary? Can you show ssh -v root@<..> output? And output of ssh -V from the server.

If that does work, can try the client from pssh.client.ssh import ParallelSSHClient as an alternative. Not aware of any issues with password auth, assuming server config allows it. Server configuration is out of scope for the library, see man sshd_config.

@AlgoQ
Copy link
Author

AlgoQ commented May 24, 2021

Output of ssh -v root@<...>:

C:\Users\kobej>ssh -v [email protected]
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to 198.13.47.107 [198.13.47.107] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\kobej/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 198.13.47.107:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kiNxa9VW6mnO0Mxgol8uCsu400u18UR164WZhCeK26c
debug1: Host '198.13.47.107' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\kobej/.ssh/known_hosts:5
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_xmss
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
[email protected]'s password:
debug1: Authentication succeeded (password).
Authenticated to 198.13.47.107 ([198.13.47.107]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug1: client_input_global_request: rtype [email protected] want_reply 0

Output of ssh -V from the server:

OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020

@AlgoQ
Copy link
Author

AlgoQ commented May 24, 2021

If that does work, can try the client from pssh.client.ssh import ParallelSSHClient as an alternative. Not aware of any issues with password auth, assuming server config allows it. Server configuration is out of scope for the library, see man sshd_config.

When trying this I get this error (my password is correct though)

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 208, in _auth_retry
    self.auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/single.py", line 168, in auth
    return super(SSHClient, self).auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 355, in auth
    self._password_auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/single.py", line 171, in _password_auth
    self.session.userauth_password(self.user, self.password)
  File "ssh/session.pyx", line 463, in ssh.session.Session.userauth_password
  File "ssh/utils.pyx", line 109, in ssh.utils.handle_auth_error_codes
ssh.exceptions.AuthenticationDenied: b"Access denied for 'password'. Authentication that can continue: publickey,password"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 208, in _auth_retry
    self.auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/single.py", line 168, in auth
    return super(SSHClient, self).auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 355, in auth
    self._password_auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/single.py", line 171, in _password_auth
    self.session.userauth_password(self.user, self.password)
  File "ssh/session.pyx", line 463, in ssh.session.Session.userauth_password
  File "ssh/utils.pyx", line 109, in ssh.utils.handle_auth_error_codes
ssh.exceptions.AuthenticationDenied: b"Access denied for 'password'. Authentication that can continue: publickey,password"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 208, in _auth_retry
    self.auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/single.py", line 168, in auth
    return super(SSHClient, self).auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 355, in auth
    self._password_auth()
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/single.py", line 171, in _password_auth
    self.session.userauth_password(self.user, self.password)
  File "ssh/session.pyx", line 463, in ssh.session.Session.userauth_password
  File "ssh/utils.pyx", line 109, in ssh.utils.handle_auth_error_codes
ssh.exceptions.AuthenticationDenied: b"Access denied for 'password'. Authentication that can continue: publickey,password"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/run/media/kobej/D/trabro2/test/testParallelSsh.py", line 21, in <module>
    output = client.run_command('python -V')
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/parallel.py", line 224, in run_command
    return BaseParallelSSHClient.run_command(
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 197, in run_command
    return self._get_output_from_cmds(cmds, raise_error=stop_on_errors,
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 204, in _get_output_from_cmds
    finished = joinall(_cmds, raise_error=True)
  File "src/gevent/greenlet.py", line 1057, in gevent._gevent_cgreenlet.joinall
  File "src/gevent/greenlet.py", line 1073, in gevent._gevent_cgreenlet.joinall
  File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
  File "/usr/lib/python3.9/site-packages/gevent/_compat.py", line 65, in reraise
    raise value.with_traceback(tb)
  File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 216, in _get_output_from_greenlet
    raise ex
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 209, in _get_output_from_greenlet
    host_out = cmd.get()
  File "src/gevent/greenlet.py", line 803, in gevent._gevent_cgreenlet.Greenlet.get
  File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
  File "/usr/lib/python3.9/site-packages/gevent/_compat.py", line 65, in reraise
    raise value.with_traceback(tb)
  File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 285, in _run_command
    raise ex
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/parallel.py", line 277, in _run_command
    _client = self._make_ssh_client(host_i, host)
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/parallel.py", line 239, in _make_ssh_client
    _client = SSHClient(
  File "/usr/lib/python3.9/site-packages/pssh/clients/ssh/single.py", line 109, in __init__
    super(SSHClient, self).__init__(
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 195, in __init__
    self._init()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 200, in _init
    self._auth_retry()
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 212, in _auth_retry
    return self._auth_retry(retries=retries+1)
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 212, in _auth_retry
    return self._auth_retry(retries=retries+1)
  File "/usr/lib/python3.9/site-packages/pssh/clients/base/single.py", line 214, in _auth_retry
    raise AuthenticationError(msg, self.host, self.port, ex)
pssh.exceptions.AuthenticationError: ('Authentication error while connecting to %s:%s - %s', '198.13.47.107', 22, AuthenticationDenied(b"Access denied for 'password'. Authentication that can continue: publickey,password"))

@pkittenis pkittenis reopened this May 25, 2021
@pkittenis pkittenis changed the title AuthenticationException when trying to run single command on multiple servers Password authentication failure on OpenSSH 8.2 servers May 25, 2021
@nurgasemetey
Copy link

Output of ssh -v root@<...>:

C:\Users\kobej>ssh -v [email protected]
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to 198.13.47.107 [198.13.47.107] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\kobej/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\kobej/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 198.13.47.107:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kiNxa9VW6mnO0Mxgol8uCsu400u18UR164WZhCeK26c
debug1: Host '198.13.47.107' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\kobej/.ssh/known_hosts:5
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\kobej/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\kobej/.ssh/id_xmss
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
[email protected]'s password:
debug1: Authentication succeeded (password).
Authenticated to 198.13.47.107 ([198.13.47.107]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug1: client_input_global_request: rtype [email protected] want_reply 0

Output of ssh -V from the server:

OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020

By the way, you can hide ip. It seems reachable.

@AlgoQ
Copy link
Author

AlgoQ commented May 29, 2021

Do you think this issue is related to that this account is a root user? Would it be solved if I create normal users to connect to? Or is this an OpenSSH 8.2 bug/issue?

@pkittenis
Copy link
Member

Possibly. Try with normal user and see if it connects.

I suspect it's a preferred key exchange algorithm method that has changed in 8.2 - will need to try and reproduce with that server.

@Keij0
Copy link

Keij0 commented Oct 3, 2022

I think I also bumped into that issue when using key-based authentication. I wanted to report this, but I didn't know how really. Do you want my logs too?

@pkittenis
Copy link
Member

Hi @Keij0 ,

If you can provide details on how to reproduce that would be very helpful. Have not been able to reproduce as yet. Worth checking with latest version of this library and with both clients.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants