key-based authentication doesn't work with Paramiko >= 2.8.0

[PapaPaule]

I cannot get the keyword "Login with Public Key" working with Paramiko >= 2.8.0. If switching back to Paramiko==2.7.1 it works perfectly.

[URunDEAD]

Hello! Unfortunately, I was unable to replicate the proposed issue. As you can see in the photo (see attached photo below), by using Paramiko 2.9.2, I was able to authenticate with the identity file.

Please let me know if you found any problems in my attempt to replicate the issue or if I misunderstood the problem.
Thank you kindly for your involvement.

[StephenGentle]

Hi,

I think I'm having the same problem. I came back to some old code I was using last year, I'm sure that I used to be able to log in with the Login command, password set to None and the 'look_for_keys' option set to true. This is failing with the following information:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/pythonclient.py", line 183, in _login
    self.client.connect(self.config.host, self.config.port, username,
  File "/usr/local/lib/python3.8/dist-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/usr/local/lib/python3.8/dist-packages/paramiko/client.py", line 766, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.8/dist-packages/paramiko/client.py", line 753, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/transport.py", line 1563, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 258, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/pythonclient.py", line 197, in _login
    transport.auth_password(username, password)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/transport.py", line 1563, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 258, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/abstractclient.py", line 208, in login
    self._login(username, password, allow_agent, look_for_keys, proxy_cmd, read_config,
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/pythonclient.py", line 199, in _login
    raise SSHClientException
SSHLibrary.abstractclient.SSHClientException

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/library.py", line 1087, in _login
    login_output = login_method(username, *args)
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/abstractclient.py", line 212, in login
    raise SSHClientException("Authentication failed for user '%s'."
SSHLibrary.abstractclient.SSHClientException: Authentication failed for user 'root'.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/library.py", line 1007, in login
    return self._login(self.current.login, username, password, is_truthy(allow_agent),
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/library.py", line 1093, in _login
    raise RuntimeError(e)
RuntimeError: Authentication failed for user 'root'.

The Login With Public Key keyword and manually specifying the key also fails, giving this:

Unknown exception: 'NoneType' object has no attribute 'public_blob'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/paramiko/transport.py", line 2163, in run
    handler(self.auth_handler, m)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 365, in _parse_service_accept
    key_type, bits = self._get_key_type_and_bits(self.private_key)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 216, in _get_key_type_and_bits
    if key.public_blob:
AttributeError: 'NoneType' object has no attribute 'public_blob'

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/pythonclient.py", line 229, in _login_with_public_key
    self.client.connect(self.config.host, self.config.port, username,
  File "/usr/local/lib/python3.8/dist-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/usr/local/lib/python3.8/dist-packages/paramiko/client.py", line 766, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.8/dist-packages/paramiko/client.py", line 753, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/transport.py", line 1563, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 258, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/pythonclient.py", line 245, in _login_with_public_key
    transport.auth_publickey(username,None)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/transport.py", line 1634, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 244, in wait_for_response
    raise e
  File "/usr/local/lib/python3.8/dist-packages/paramiko/transport.py", line 2163, in run
    handler(self.auth_handler, m)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 365, in _parse_service_accept
    key_type, bits = self._get_key_type_and_bits(self.private_key)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/auth_handler.py", line 216, in _get_key_type_and_bits
    if key.public_blob:
AttributeError: 'NoneType' object has no attribute 'public_blob'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/abstractclient.py", line 284, in login_with_public_key
    self._login_with_public_key(username, keyfile, password,
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/pythonclient.py", line 247, in _login_with_public_key
    raise SSHClientException
SSHLibrary.abstractclient.SSHClientException

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/library.py", line 1087, in _login
    login_output = login_method(username, *args)
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/abstractclient.py", line 290, in login_with_public_key
    raise SSHClientException("Login with public key failed for user "
SSHLibrary.abstractclient.SSHClientException: Login with public key failed for user 'root'.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/library.py", line 1077, in login_with_public_key
    return self._login(self.current.login_with_public_key, username,
  File "/usr/local/lib/python3.8/dist-packages/SSHLibrary/library.py", line 1093, in _login
    raise RuntimeError(e)
RuntimeError: Login with public key failed for user 'root'. 

[StephenGentle]

Going by what @PapaPaule said, I tried going back to Paramiko 2.7.1 and it works perfectly with that version.

[terokinnunen]

One possible cause for keys not working with 2.9.0+ while working with 2.7.1 is change to support server-sig-algs. https://www.paramiko.org/changelog.html for 2.9.0:

This change is slightly backwards incompatible, insofar as action is required if your target systems do not support either RSA2 or the server-sig-algs protocol extension.

IIRC for some reason 2.8 does not work either, but cannot tell from changelog why.

So maybe the remote server does not support server-sig-algs, i.e. uses legacy ssh-rsa. Workaround could be to

• Regenerate keys as ecdsa.
• Update remote ssh server to support server-sig-algs.
• Pin to paramiko 2.7.x.
• Specify disabled_algorithms={'keys': ['rsa-sha2-256', 'rsa-sha2-512']} (not sure how)

[Matze1224]

• Specify disabled_algorithms={'keys': ['rsa-sha2-256', 'rsa-sha2-512']} (not sure how)

no it's pubkeys for the workaround

conn.connect('host', username='user', pkey=pkey, disabled_algorithms={'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']})

[jdoss]

I ran into this issue today when trying to use SSHLibrary to log into some servers using a ECDSA-CERT key in a ssh-agent using:

Open Connection    ${host}    agent_forwarding=True
Login    ${SSH_USER}    allow_agent=True
${output}=    Execute Command    whoami
Log    ${output}

The only thing that unblocked me was to downgrade to paramiko 2.7.1.