ParallelSSH / parallel-ssh

Asynchronous parallel SSH client library.
https://parallel-ssh.org
GNU Lesser General Public License v2.1

ED25519 key files cannot be loaded on Windows #285

Open GaryA50 opened 3 years ago

GaryA50 commented 3 years ago

Describe the bug

ED25519 key pairs don't work to connect to ubuntu server

To Reproduce

```python
from pssh.clients import SSHClient
import sys
import traceback

class SSHComm():
    def __init__(self):
        try:
            self.client = SSHClient("192.168.0.201", user="ubuntu",
                pkey="c:\\Users\\Admin\\.ssh\\piubuntu_ed25519", timeout=5,
                allow_agent=False)
        except:
            print("Server connection", sys.exc_info())
```

Expected behavior

The key pair should authenticate to allow communications.

Actual behaviour

The code fails with AuthenticationError.

Additional information

System: parallel-ssh v2.5.4, Win 10 Pro v10.0.19401, Microsoft openssh v7.7.2.1, Python v3.8.6, Ubuntu-server 20.04

The ED25519 key pair was created using ssh-keygen -t ED25519.

The key pair also fails when pkey is deleted and allow_agent=True

However, the same ED25519 key pair is used successfully to make a connection to the server using cli and ssh agent.

The same result occurred with a second ED25519 key pair.

If an rsa key pair is used instead, the code above works as expected after pkey is changed to the name of the rsa key.

pkittenis commented 3 years ago

Hello,

Thanks for the interest and report. Have used ED25519 keys many times myself with no issues.

Can you enable debug logging and post the complete output of the above code?

```python
from pssh.utils import enable_debug_logger

enable_debug_logger()
```

GaryA50 commented 3 years ago

There are three blocks below. The first shows the output from enable_debug_logger. The second shows the output from the print() in my code. The third shows the successful authentication from the command line without entry of password. Note that Welcome to Ubuntu was shown three times after the first login from the command line, but only once the second time. I'm wondering if that is a result of the three unsuccessful authentications by parallel-ssh.

```
Connecting to 192.168.0.201:22
Proceeding with private key file authentication
Proceeding with private key file authentication
Proceeding with private key file authentication
```

```
Server connection (<class 'pssh.exceptions.AuthenticationError'>, AuthenticationError('Authentication error while connecting to %s:%s - %s', '192.168.0.201', 22, FileError()), <traceback object at 0x0000014BD4943D80>)
```

```
PS C:\Windows\System32> ssh ubuntu@192.168.0.201
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

ubuntu@ubuntu:~$ logout
Connection to 192.168.0.201 closed.
PS C:\Windows\System32> ssh ubuntu@192.168.0.201
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

Last login: Mon Mar 8 20:58:28 2021 from 192.168.0.113
ubuntu@ubuntu:~$
```

pkittenis commented 3 years ago

Can you show output of ssh -v ubuntu@192.168.0.201 -i <key file>. FileError means the private key file provided could not be loaded.

GaryA50 commented 3 years ago

To get single \ in path to file on first line in Github Preview tab, I had to use \\ on the Github Write tab. Also, all the \\ on the Preview tab were \\\\ on the write tab and were copied directly from powershell.

```
PS C:\Windows\System32> ssh -v ubuntu@192.168.0.201 -i c:\\Users\\Admin\\.ssh\\piubuntu_ed25519
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Connecting to 192.168.0.201 [192.168.0.201] port 22.
debug1: Connection established.
debug1: identity file c:\\\\Users\\\\Admin\\\\.ssh\\\\piubuntu_ed25519 type 3
debug1: key_load_public: No such file or directory
debug1: identity file c:\\\\Users\\\\Admin\\\\.ssh\\\\piubuntu_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.201:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7AWqFUm+6tRdfO31h3IeoYlYEba/LBddhUpipUjCT3k
debug1: Host '192.168.0.201' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\Admin/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:/dwUGC1CQ11uZRDemY0tszAeUXwoy30E8TWLl7Amod4 c:\\\\Users\\\\Admin\\\\.ssh\\\\piubuntu_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.0.201 ([192.168.0.201]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)
```

pkittenis commented 3 years ago

Best to try generating the key on linux instead of windows - have used such keys on windows clients successfully. It looks like libssh2 might not be able to read windows generated key files.

If you can attach a new key generated on windows here - one you are not using - that would be helpful to debug with.

Also, can surround text blocks with ``` in order to stop github formatting it.

GaryA50 commented 3 years ago

I generated a new ED25519 key in Ubuntu 20.04 and tested on Windows SSH client without success. Then, I tested that key as well as a Windows generated key in Ubuntu SSH client and they both worked perfectly. Did you use Microsoft OpenSSH in Windows?

Attached is a key generated on Windows. Test key.zip

pkittenis commented 3 years ago

> new ED25519 key in Ubuntu 20.04 and tested on Windows SSH client without success

Have never used Windows' ssh tools. OpenSSH generated keys on linux work on windows clients, by clients meaning this library, not Windows' openssh tools.

The windows tools are supposed to be openssh so a key generated on linux openssh not working on windows openssh sounds like an openssh issue.

GaryA50 commented 3 years ago

I see that my terminology was not correct in our last exchange. I'll rephrase. It does not matter whether the ED25519 key is created in linux or windows. It works in parallel-ssh in linux, but does not work in parallel-ssh in windows.

Also, if the ED25519 file is replaced by an rsa file, it works in parallel-ssh in both OS. Password works, too.

Here is stripped down code I used to test in both OS.

```python
from pssh.clients import SSHClient
import sys
import traceback
from pssh.utils import enable_debug_logger

class SSHComm():
    def __init__(self):
        enable_debug_logger()
        try:
            # Ubuntu-server, ethernet, passing private key from windows
            self.client = SSHClient("192.168.0.201", user="ubuntu",
                timeout=5, pkey="c:\\Users\\Admin\\.ssh\\piubuntu2_ed25519",
                allow_agent=False)
            # Ubuntu-server, ethernet, passing private key from ubuntu
            # self.client = SSHClient("192.168.0.201", user="ubuntu",
            #     pkey="~/.ssh/piubuntu2_ed25519", timeout=5,
            #     allow_agent=False)
        except:
            print("Server connection", sys.exc_info())

print("Initializing SSHComm()")
SSHComm()
print("Finished with initialization")
```

Aside from this issue, which I can work around, parallel-ssh is performing well for me. Thanks for your work.

pkittenis commented 3 years ago

Have used ED25519 and ECDSA keys with parallel-ssh on windows, yes. Let me confirm they work with latest version as well.

The only instance I've seen of them not working on Windows is from self-built ssh2-python that uses WinCNG instead of OpenSSL for a crypto back-end. Those key types are only supported with OpenSSL.

If parallel-ssh was installed via pip, it has installed a binary wheel of ssh2-python with OpenSSL included. If self-building.. my only suggestion is don't.

GaryA50 commented 3 years ago

Testing has been done using two configurations, both including parallel-ssh installed with pip. The first configuration started with a minimal conda environment. The second was on a different computer with python installed directly in windows without use of any environment.

pkittenis commented 3 years ago

Have been able to reproduce - ED25519 keys cannot be loaded on windows. Same key can be loaded on linux.

ECDSA keys work on windows.

It could be an issue with windows wheel builds or a bug with libssh2 - yet to confirm.
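
Added example, not part of the thread and not parallel-ssh code: when a key load fails with the `FileError` seen above, a header-only look at the key file shows which container format and key type the library is being asked to parse, and whether the file has CRLF line endings, without decoding any private material. `inspect_private_key` and `make_sample_key` are hypothetical helper names, and the sample key is constructed with all-zero dummy material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"

def _read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next_off)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(data: bytes) -> dict:
    """Report container, key type, encryption and line endings from the header only."""
    info = {"crlf": b"\r\n" in data, "container": "unknown",
            "key_type": None, "encrypted": None}
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return info
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label != "OPENSSH PRIVATE KEY":
        # Traditional PEM: the armor label prefix (RSA, EC, DSA) names the key type.
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        info.update(container="pem", encrypted=enc,
                    key_type=label.replace("PRIVATE KEY", "").strip().lower() or None)
        return info
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    _kdf, off = _read_string(blob, off)
    _kdf_opts, off = _read_string(blob, off)
    pub, _ = _read_string(blob, off + 4)  # skip the uint32 key count
    key_type, _ = _read_string(pub, 0)    # first field of the public key blob
    info.update(container="openssh-key-v1", key_type=key_type.decode(),
                encrypted=cipher != b"none")
    return info

def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def make_sample_key(newline: bytes = b"\n") -> bytes:
    """Constructed sample: real header layout, all-zero dummy key material."""
    blob = (MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1)
            + _s(_s(b"ssh-ed25519") + _s(bytes(32))) + _s(bytes(16)))
    b64 = base64.b64encode(blob)
    return newline.join([b"-----BEGIN OPENSSH PRIVATE KEY-----",
                         *[b64[i:i + 70] for i in range(0, len(b64), 70)],
                         b"-----END OPENSSH PRIVATE KEY-----", b""])
```

For a real file, pass `open(path, "rb").read()`. ssh-keygen always writes ED25519 keys in the openssh-key-v1 container, while OpenSSH 7.7 writes RSA keys as traditional PEM by default, so the two key types compared in this thread reach the library through different parsing paths.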