pysftp -- paramiko SSHException, Bad host key from server
I'm trying to connect to a remote host via pysftp
:
try:
with pysftp.Connection(inventory[0], username='transit',
private_key='~/.ssh/id_rsa.sftp', port=8055) as sftp:
sftp.put('/home/me/test.file')
except Exception, err:
print sys.exc_info()
print err
However, I get a weird exception raised that I can't find much detail on.
(<class 'paramiko.ssh_exception.SSHException'>, SSHException('Bad host key from server',), <traceback object at 0x7fa76269c5a8>)
Bad host key from server
I found a related question that suggested I run ssh-keygen -R [host]
to replace the key in my known_hosts
file -- once I did that, I got a new error:
(<class 'paramiko.ssh_exception.SSHException'>, SSHException('No hostkey for host abc.com found.',), <traceback object at 0x7f6b8520cb48>)
No hostkey for host abc.com found.
Now, if I try to ssh to this host, it prompts me again to trust the key to be put back into my known_hosts
file, which I accept and can happily ssh onto the box. After this step, if I attempt to run my script again, I get the original error Bad host key from server
.
Am I doing something wrong here?
ninja edit: I should mention that the following works fine from the terminal:
sftp -i .ssh/id_rsa.sftp -oPort=8055 [email protected]
sftp> put /home/me/test.file
Paramiko Debug Output:
[2016-07-14 10:32:23,809] | paramiko.transport - DEBUG - starting thread (client mode): 0x7f1dab10L
[2016-07-14 10:32:23,810] | paramiko.transport - DEBUG - Local version/idstring: SSH-2.0-paramiko_2.0.1
[2016-07-14 10:32:23,836] | paramiko.transport - DEBUG - Remote version/idstring: SSH-2.0-mod_sftp/0.9.9
[2016-07-14 10:32:23,836] | paramiko.transport - INFO - Connected (version 2.0, client mod_sftp/0.9.9)
[2016-07-14 10:32:23,837] | paramiko.transport - DEBUG - kex algos:[u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1', u'diffie-hellman-group1-sha1', u'rsa1024-sha1'] server key:[u'ssh-rsa', u'ssh-dss'] client encrypt:[u'aes256-ctr', u'aes192-ctr', u'aes128-ctr', u'aes256-cbc', u'aes192-cbc', u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'cast128-cbc', u'arcfour256', u'arcfour128', u'3des-ctr', u'3des-cbc'] server encrypt:[u'aes256-ctr', u'aes192-ctr', u'aes128-ctr', u'aes256-cbc', u'aes192-cbc', u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'cast128-cbc', u'arcfour256', u'arcfour128', u'3des-ctr', u'3des-cbc'] client mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96', u'hmac-ripemd160', u'[email protected]'] server mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96', u'hmac-ripemd160', u'[email protected]'] client compress:[u'none'] server compress:[u'none'] client lang:[u''] server lang:[u''] kex follows?False
[2016-07-14 10:32:23,837] | paramiko.transport - DEBUG - Kex agreed: diffie-hellman-group1-sha1
[2016-07-14 10:32:23,838] | paramiko.transport - DEBUG - Cipher agreed: aes128-ctr
[2016-07-14 10:32:23,838] | paramiko.transport - DEBUG - MAC agreed: hmac-sha2-256
[2016-07-14 10:32:23,838] | paramiko.transport - DEBUG - Compression agreed: none
[2016-07-14 10:32:23,935] | paramiko.transport - DEBUG - kex engine KexGroup1 specified hash_algo <built-in function openssl_sha1>
[2016-07-14 10:32:23,936] | paramiko.transport - DEBUG - Switch to new keys ...
[2016-07-14 10:32:23,952] | paramiko.transport - DEBUG - Bad host key from server
[2016-07-14 10:32:23,952] | paramiko.transport - DEBUG - Expected: ssh-rsa: '\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01#\x00\x00\x01\x01\x00\xb9\x05\xddUF?o\xeet\xad\x06=\x83\xd6\xa8\xb1\x06\x03\xb7\xb5\xa5C\x80\x0c~\xa8\x83[w!\x16y\xe6@\xdajX\x90+c\xd4\x18X\xd7\xff\x05\x06\xe2\x19\x96\x8c&J\x0c\x1f\xd2\xefC\xa5\xc6\xbb\x1f\xc9N\xd7r\x12\xd29\x1f\xe1\xb6F\xe8\xdc(w~\x1f\xea\xea\xfdUT?^V\xe8=\'\xd60\xdc\xc44gYnn\xfe\xe8^?\x8b\xa8"\xda\xc7(\x18\xc3<\xa9\x1c\xa1)A3_\x00<$y\xbe\xd4$\xc2S\xe6\x93\xe3B^\xef\xe6\xbf\xb5\x88\xd6\x98EeP\x9aZm\xa7\xc5&\xffn\xc1lb\x1e[\x8d!*\xfa\xa3\xce\xb6\xe7\xd5U\r<E\xd2\xe1\x89.\xed%o\xefju\xde>=*b\xaeBO\xbf>\xe4/,\xd5@R\xc5\x9e\xac\xf5\x80\x04\xa9s)3\xb5\xbc\xc2\xcc\xe7\xa7\xb8\x04>uA\xb4O\xa6\xf3\xdb\x9c2\xb5"%n\x89\t\x8192\xe7#n\x82p\xee\xdf\x16]\xb3A\x93\xebm|\xb9\xd7\nXsmw\x81\xa9'
[2016-07-14 10:32:23,953] | paramiko.transport - DEBUG - Got : ssh-rsa: "\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01#\x00\x00\x01\x01\x00\xc6_\xea\xc1yF\xd5\xdd\x146\x8c\x0eU\xeah[3\x16VP\xde2\xbe~\xed\x92\xef\xb81\x14\xd8\xb7\xa7\x08\xa3\x02\xa8\n\x9f\x7f{\x896\x1b\x89/,\x92\x86\xc7M\xa5\x7f0Cj\xe6\x93\xb0\x0eup%\xa2p\x9d3i\xaco\xf7\x14\xfb\xfe\x8f}a\xcbJ :\xdf\xdd1\x10\xe8;\xd3%\x98k')\xf8\x1c\xc1D\x97\\\xcc\xe6\xf5*6\xc2\xf1\xb8\xcf!\xeed\x1co\xc1\x03\xb4v\xc0,?\xda\xc7\xa3\xd9\xe8\xafy\xf5k\xf7\xe8\xa1\x9cr\xfa\x81\xcd\xee\xd3\xeao\xa7\x072\xce\x8b\xf9\x95\x03\xa1\xe2\xaf\t\xa2\xba\xa1O\xbc\xbf}}\x9e\xc0t\x9bC\x88\xbd\x18'\x00?-\xa0\x05\x83I\x1ah#I\xfc\xebc$\xfc\xa0\xad\xeeP\x80\x88Bh_\xeb`\xb6\xab\x8bC\x83\x987\xba\x05\xb14\xea\x90\xac>\x99&\x99\xb3\xf9\nC\xdf\xfd\xba<\xf8\xaf\xca\xaf\xfa\x15+\x1e,L\xa1\xf0\x1e\xa5`\xbd>\xf4\xa63)\xae7F\xd2\xc9\xf2\xf3A\xa4\x10u\xa9"
(<class 'paramiko.ssh_exception.SSHException'>, SSHException('Bad host key from server',), <traceback object at 0x7fb87f143ef0>)
Bad host key from server
[2016-07-14 10:32:24,037] | paramiko.transport - DEBUG - EOF in transport thread
Workaround
This seems to be some sort of bug with the pysftp
wrapper... I'm not sure. Reverting to native paramiko
got me connected just fine, so I'm going with that for now. Current working code:
rsa_key = paramiko.RSAKey.from_private_key_file('~/.ssh/the_key', password='myPassword')
transport = paramiko.Transport((inventory[0],8055))
transport.connect(username='theUser', pkey=rsa_key)
sftp = paramiko.SFTPClient.from_transport(transport)
print sftp.listdir()
For me, once I had the host public key loaded in .ssh\known_hosts, the cookbook example worked.
But, I don't recall being prompted to ever save the host public key to my .ssh\known_hosts file.
This link is what helped me understand the host public key was separate from my own public/private key pair. I'm using exavault and they provide the public/private key pair, but did not provide the host public key.
I used ssh-keyscan using git bash for windows:
$ ssh-keyscan example.com
# example.com SSH-2.0-OpenSSH_5.3
example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...
and copied the key to my known_hosts file. Then it worked with pysftp 0.2.9.