2
votes

How do I ssh to a server that requires dual password authentication using Paramiko?

When using a particular user, it first prompts for the user password and then for another password, so my session needs to be interactive. I have done the same using pexpect module to spawn an ssh process on Linux, but since I cannot do that in Windows I need a way to do it using Paramiko.

The server is our product that is a slightly modified version of CentOS. I am writing automation code to test some functionality which requires me to ssh into the server and verify some commands. I am able to login as root user, but for the user I am interested in it asks for a second password.

This is the output from the ssh -vvv command:

ssh -vvv -p2222 [email protected]  
OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013  
debug1: Reading configuration data /etc/ssh/ssh_config  
debug1: /etc/ssh/ssh_config line 51: Applying options for *  
debug2: ssh_connect: needpriv 0  
debug1: Connecting to 10.213.23.112 [10.213.23.112] port 2222.  
debug1: Connection established.  
debug1: permanently_set_uid: 0/0  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key  
debug1: identity file /root/.ssh/id_rsa type 1  
debug1: identity file /root/.ssh/id_rsa-cert type -1  
debug1: identity file /root/.ssh/id_dsa type -1  
debug1: identity file /root/.ssh/id_dsa-cert type -1  
debug1: identity file /root/.ssh/id_ecdsa type -1  
debug1: identity file /root/.ssh/id_ecdsa-cert type -1  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_6.4  
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4  
debug1: match: OpenSSH_7.4 pat OpenSSH*  
debug2: fd 3 setting O_NONBLOCK  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: none,[email protected],zlib  
debug2: kex_parse_kexinit: none,[email protected],zlib  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: kex_parse_kexinit: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]  
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  
debug2: kex_parse_kexinit: none,[email protected]  
debug2: kex_parse_kexinit: none,[email protected]  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: mac_setup: found hmac-sha2-256  
debug1: kex: server->client aes128-ctr hmac-sha2-256 none  
debug2: mac_setup: found hmac-sha2-256  
debug1: kex: client->server aes128-ctr hmac-sha2-256 none  
debug1: sending SSH2_MSG_KEX_ECDH_INIT  
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY  
debug1: Server host key: ECDSA 30:5c:e6:be:81:31:79:b8:71:80:bf:49:95:a9:79:12  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug1: Host '[10.213.23.112]:2222' is known and matches the ECDSA host key.  
debug1: Found key in /root/.ssh/known_hosts:1  
debug1: ssh_ecdsa_verify: signature correct  
debug2: kex_derive_keys  
debug2: set_newkeys: mode 1  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug2: set_newkeys: mode 0  
debug1: SSH2_MSG_NEWKEYS received  
debug1: Roaming not allowed by server  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug2: service_accept: ssh-userauth  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug2: key: /root/.ssh/id_rsa (0x55f959096720),  
debug2: key: /root/.ssh/id_dsa ((nil)),  
debug2: key: /root/.ssh/id_ecdsa ((nil)),  
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password  
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_lookup gssapi-keyex  
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_is_enabled gssapi-keyex  
debug1: Next authentication method: gssapi-keyex  
debug1: No valid Key exchange context  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup gssapi-with-mic  
debug3: remaining preferred: publickey,keyboard-interactive,password  
debug3: authmethod_is_enabled gssapi-with-mic  
debug1: Next authentication method: gssapi-with-mic  
debug1: Unspecified GSS failure.  Minor code may provide more information  
No Kerberos credentials available (default cache: KEYRING:persistent:0)  
  
debug1: Unspecified GSS failure.  Minor code may provide more information  
No Kerberos credentials available (default cache: KEYRING:persistent:0)  
  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup publickey  
debug3: remaining preferred: keyboard-interactive,password  
debug3: authmethod_is_enabled publickey  
debug1: Next authentication method: publickey  
debug1: Offering RSA public key: /root/.ssh/id_rsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  
debug1: Trying private key: /root/.ssh/id_dsa  
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory  
debug1: Trying private key: /root/.ssh/id_ecdsa  
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup password  
debug3: remaining preferred: ,password  
debug3: authmethod_is_enabled password  
debug1: Next authentication method: password  
[email protected]'s password:  
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)  
debug2: we sent a password packet, wait for reply  
debug1: Authentication succeeded (password).  
Authenticated to 10.213.23.112 ([10.213.23.112]:2222).  
debug1: channel 0: new [client-session]  
debug3: ssh_session2_open: channel_new: 0  
debug2: channel 0: send open  
debug1: Requesting [email protected]  
debug1: Entering interactive session.  
debug1: client_input_global_request: rtype [email protected] want_reply 0  
debug2: callback start  
debug2: fd 3 setting TCP_NODELAY  
debug3: packet_set_tos: set IP_TOS 0x10  
debug2: client_session2_setup: id 0  
debug2: channel 0: request pty-req confirm 1  
debug1: Sending environment.  
debug3: Ignored env XDG_SESSION_ID  
debug3: Ignored env HOSTNAME  
debug3: Ignored env TERM  
debug3: Ignored env SHELL  
debug3: Ignored env HISTSIZE  
debug3: Ignored env SSH_CLIENT  
debug3: Ignored env SSH_TTY  
debug3: Ignored env USER  
debug3: Ignored env LS_COLORS  
debug3: Ignored env MAIL  
debug3: Ignored env PATH  
debug3: Ignored env PWD  
debug1: Sending env LANG = en_US.UTF-8  
debug2: channel 0: request env confirm 0  
debug3: Ignored env HISTCONTROL  
debug3: Ignored env SHLVL  
debug3: Ignored env HOME  
debug3: Ignored env LOGNAME  
debug3: Ignored env XDG_DATA_DIRS  
debug3: Ignored env SSH_CONNECTION  
debug3: Ignored env LESSOPEN  
debug3: Ignored env XDG_RUNTIME_DIR  
debug3: Ignored env _  
debug2: channel 0: request shell confirm 1  
debug2: callback done  
debug2: channel 0: open confirm rwindow 0 rmax 32768  
debug2: channel_input_status_confirm: type 99 id 0  
debug2: PTY allocation request accepted on channel 0  
debug2: channel 0: rcvd adjust 2097152  
debug2: channel_input_status_confirm: type 99 id 0  
debug2: shell request accepted on channel 0  
Last login: Tue Dec 11 21:17:10 2018 from 10.213.23.201  
Please enter the shell password : debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
  
Entering shell...  
[root@atd-reg root]# 

I am not able to execute commands like this:

ssh -vvv -p2222 [email protected] ls

On executing the above command I am prompted for nobrk1n user's password. However on entering the password it gets stuck. I have pasted the output from the above command at https://pastebin.com/hSfiCmdi. Usually I first ssh into the server using ssh -p2222 user@host and when connection is established and I have successfully logged in, I start executing the commands.

1

1 Answers

2
votes

Your server uses a standard password authentication for the first password.

The second password is asked only once shell is starting. Simple I/O is used for that.

Additionally, your server does not seem to support "exec" interface/channel to execute commands (as ssh user@host command does not work). What is probably related to the "shell password" feature. So you probably have to use "shell" channel to execute your command, what is otherwise not recommended.

ssh = paramiko.SSHClient()
ssh.connect(hostname, username = username, password = password1)
channel = ssh.invoke_shell()
channel.send(password2 + "\n")
channel.send(command + "\n")
while not channel.recv_ready():
    time.sleep(1)
out = channel.recv(9999)