与 Paramiko 的无密码 SSH 连接失败，而 SSH 可以正常连接

我打算在客户端和服务器之间使用 SSH 密钥创建无密码连接。

使用 paramiko，我最终得到了认证异常。通过 Popen 使用标准 SSH，我可以毫无问题地连接

对于 Paramiko，我使用以下代码：

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.load_system_host_keys()
client.connect(ssh_server, username=ssh_user)

对于同样的情况，我可以使用 SSH：

cmd = 'ssh -o GSSAPIAuthentication=no -o ForwardX11=no {}@{} echo 0 > /dev/null'.format(ssh_user, ssh_server)
process = subprocess.Popen(md, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
process.communicate()

我正在使用 Python 3.4.6 和 Paramiko 2.4.1。

更多细节：

• 我能够在不同的客户端上与 Paramiko 建立连接
• 在此特定客户端上，ssh 模拟的用户与发起呼叫的用户不同。

Paramiko 调试输出

2018-07-11 20:55:54,025 20730 DEBUG: putting paramiko output to console
2018-07-11 20:55:54,112 20730 DEBUG: starting thread (client mode): 0x4ca07320
2018-07-11 20:55:54,112 20730 DEBUG: Local version/idstring: SSH-2.0-paramiko_2.4.1
2018-07-11 20:55:54,112 20730 DEBUG: Remote version/idstring: SSH-2.0-OpenSSH_7.2
2018-07-11 20:55:54,112 20730 INFO: Connected (version 2.0, client OpenSSH_7.2)
2018-07-11 20:55:54,115 20730 DEBUG: kex algos:['[email protected] /cdn-cgi/l/email-protection', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['[email protected] /cdn-cgi/l/email-protection', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection'] server encrypt:['[email protected] /cdn-cgi/l/email-protection', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection'] client mac:['[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', '[email protected] /cdn-cgi/l/email-protection', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', '[email protected] /cdn-cgi/l/email-protection'] server compress:['none', '[email protected] /cdn-cgi/l/email-protection'] client lang:[''] server lang:[''] kex follows?False
2018-07-11 20:55:54,115 20730 DEBUG: Kex agreed: ecdh-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: HostKey agreed: ecdsa-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: Cipher agreed: aes128-ctr
2018-07-11 20:55:54,115 20730 DEBUG: MAC agreed: hmac-sha2-256
2018-07-11 20:55:54,116 20730 DEBUG: Compression agreed: none
2018-07-11 20:55:54,123 20730 DEBUG: kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
2018-07-11 20:55:54,124 20730 DEBUG: Switch to new keys ...
Exception: No authentication methods available

SSH 调试：（使用 ssh -v ssh_user AT ssh_server）

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/pid1083/.ssh/config
debug1: /home/pid1083/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <ssh_server> port 22.
debug1: Connection established.
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c type 1
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] /cdn-cgi/l/email-protection none
debug1: kex: client->server aes128-ctr [email protected] /cdn-cgi/l/email-protection none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 21:1b:bb:32:4c:69:f3:eb:91:79:e7:ca:d4:30:ff:70
debug1: Host '<ssh_server>' is known and matches the ECDSA host key.
debug1: Found key in /home/<logged_in_username>/.ssh/known_hosts:519
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<logged_in_user>/.ssh/id_rsa_c2c
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to <IP_of_server>:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected] /cdn-cgi/l/email-protection
debug1: Entering interactive session.
debug1: client_input_global_request: rtype [email protected] /cdn-cgi/l/email-protection want_reply 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.utf8
debug1: Sending env LC_ADDRESS = en_US.utf8
debug1: Sending env LC_MONETARY = en_US.utf8
debug1: Sending env LC_NUMERIC = en_US.utf8
debug1: Sending env LC_ALL = en_US.utf8
debug1: Sending env LC_TELEPHONE = en_US.utf8
debug1: Sending env LC_MESSAGES = en_US.utf8
debug1: Sending env LC_IDENTIFICATION = en_US.utf8
debug1: Sending env LC_COLLATE = en_US.utf8
debug1: Sending env LANG = en_US.utf8
debug1: Sending env LC_MEASUREMENT = en_US.utf8
debug1: Sending env LC_CTYPE = en_US.utf8
debug1: Sending env LC_TIME = en_DK.utf8
debug1: Sending env LC_NAME = en_US.utf8

Your ssh连接有效，因为它使用来自~/.ssh/id_rsa_c2c（如配置中ssh_config). The .ssh文件夹和ssh_config文件用作 OpenSSH 工具集的配置（ssh在这种情况下）。您不能期望其他 SSH 客户端/库将使用 OpenSSH 配置文件。一般来说，他们不会。

如果您想对 Paramiko 使用公钥身份验证，请使用key_filename的论证SSHClient.connect https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.connect.
也可以看看如何使用 ppk 公钥通过 Python Paramiko 进行 ssh 连接 https://stackoverflow.com/q/8382847/850848.

尽管 Paramiko 特别会使用密钥文件，但如果它有一个通用名称，例如id_rsa, id_dsa等参见在 Python 中的 Paramiko 中强制进行密码身份验证（忽略 .ssh 文件夹中的密钥） https://stackoverflow.com/q/52632693/850848对于完全相反的问题。

强制性警告：请勿使用AutoAddPolicy，除非你不关心安全性。通过这种方式，您将失去针对 MITM 攻击的保护。
正确的解决方案请参见Paramiko“未知服务器” https://stackoverflow.com/q/10670217/850848#43093883.