Problem description

How do I ssh to a server that requires dual password authentication using Paramiko?

When using a particular user, it first prompts for the user password and then for another password, so my session needs to be interactive. I have done the same using the pexpect module to spawn an ssh process on Linux, but since I cannot do that in Windows I need a way to do it using Paramiko.

The server is our product that is a slightly modified version of CentOS. I am writing automation code to test some functionality which requires me to ssh into the server and verify some commands. I am able to login as root user, but for the user I am interested in it asks for a second password.

This is the output of the ssh -vvv command:

ssh -vvv -p2222 nobrk1n@10.213.23.112  
OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013  
debug1: Reading configuration data /etc/ssh/ssh_config  
debug1: /etc/ssh/ssh_config line 51: Applying options for *  
debug2: ssh_connect: needpriv 0  
debug1: Connecting to 10.213.23.112 [10.213.23.112] port 2222.  
debug1: Connection established.  
debug1: permanently_set_uid: 0/0  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key  
debug1: identity file /root/.ssh/id_rsa type 1  
debug1: identity file /root/.ssh/id_rsa-cert type -1  
debug1: identity file /root/.ssh/id_dsa type -1  
debug1: identity file /root/.ssh/id_dsa-cert type -1  
debug1: identity file /root/.ssh/id_ecdsa type -1  
debug1: identity file /root/.ssh/id_ecdsa-cert type -1  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_6.4  
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4  
debug1: match: OpenSSH_7.4 pat OpenSSH*  
debug2: fd 3 setting O_NONBLOCK  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com  
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  
debug2: kex_parse_kexinit: none,zlib@openssh.com  
debug2: kex_parse_kexinit: none,zlib@openssh.com  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: mac_setup: found hmac-sha2-256  
debug1: kex: server->client aes128-ctr hmac-sha2-256 none  
debug2: mac_setup: found hmac-sha2-256  
debug1: kex: client->server aes128-ctr hmac-sha2-256 none  
debug1: sending SSH2_MSG_KEX_ECDH_INIT  
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY  
debug1: Server host key: ECDSA 30:5c:e6:be:81:31:79:b8:71:80:bf:49:95:a9:79:12  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug1: Host '[10.213.23.112]:2222' is known and matches the ECDSA host key.  
debug1: Found key in /root/.ssh/known_hosts:1  
debug1: ssh_ecdsa_verify: signature correct  
debug2: kex_derive_keys  
debug2: set_newkeys: mode 1  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug2: set_newkeys: mode 0  
debug1: SSH2_MSG_NEWKEYS received  
debug1: Roaming not allowed by server  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug2: service_accept: ssh-userauth  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug2: key: /root/.ssh/id_rsa (0x55f959096720),  
debug2: key: /root/.ssh/id_dsa ((nil)),  
debug2: key: /root/.ssh/id_ecdsa ((nil)),  
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password  
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_lookup gssapi-keyex  
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_is_enabled gssapi-keyex  
debug1: Next authentication method: gssapi-keyex  
debug1: No valid Key exchange context  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup gssapi-with-mic  
debug3: remaining preferred: publickey,keyboard-interactive,password  
debug3: authmethod_is_enabled gssapi-with-mic  
debug1: Next authentication method: gssapi-with-mic  
debug1: Unspecified GSS failure.  Minor code may provide more information  
No Kerberos credentials available (default cache: KEYRING:persistent:0)  
  
debug1: Unspecified GSS failure.  Minor code may provide more information  
No Kerberos credentials available (default cache: KEYRING:persistent:0)  
  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup publickey  
debug3: remaining preferred: keyboard-interactive,password  
debug3: authmethod_is_enabled publickey  
debug1: Next authentication method: publickey  
debug1: Offering RSA public key: /root/.ssh/id_rsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  
debug1: Trying private key: /root/.ssh/id_dsa  
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory  
debug1: Trying private key: /root/.ssh/id_ecdsa  
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup password  
debug3: remaining preferred: ,password  
debug3: authmethod_is_enabled password  
debug1: Next authentication method: password  
nobrk1n@10.213.23.112's password:  
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)  
debug2: we sent a password packet, wait for reply  
debug1: Authentication succeeded (password).  
Authenticated to 10.213.23.112 ([10.213.23.112]:2222).  
debug1: channel 0: new [client-session]  
debug3: ssh_session2_open: channel_new: 0  
debug2: channel 0: send open  
debug1: Requesting no-more-sessions@openssh.com  
debug1: Entering interactive session.  
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0  
debug2: callback start  
debug2: fd 3 setting TCP_NODELAY  
debug3: packet_set_tos: set IP_TOS 0x10  
debug2: client_session2_setup: id 0  
debug2: channel 0: request pty-req confirm 1  
debug1: Sending environment.  
debug3: Ignored env XDG_SESSION_ID  
debug3: Ignored env HOSTNAME  
debug3: Ignored env TERM  
debug3: Ignored env SHELL  
debug3: Ignored env HISTSIZE  
debug3: Ignored env SSH_CLIENT  
debug3: Ignored env SSH_TTY  
debug3: Ignored env USER  
debug3: Ignored env LS_COLORS  
debug3: Ignored env MAIL  
debug3: Ignored env PATH  
debug3: Ignored env PWD  
debug1: Sending env LANG = en_US.UTF-8  
debug2: channel 0: request env confirm 0  
debug3: Ignored env HISTCONTROL  
debug3: Ignored env SHLVL  
debug3: Ignored env HOME  
debug3: Ignored env LOGNAME  
debug3: Ignored env XDG_DATA_DIRS  
debug3: Ignored env SSH_CONNECTION  
debug3: Ignored env LESSOPEN  
debug3: Ignored env XDG_RUNTIME_DIR  
debug3: Ignored env _  
debug2: channel 0: request shell confirm 1  
debug2: callback done  
debug2: channel 0: open confirm rwindow 0 rmax 32768  
debug2: channel_input_status_confirm: type 99 id 0  
debug2: PTY allocation request accepted on channel 0  
debug2: channel 0: rcvd adjust 2097152  
debug2: channel_input_status_confirm: type 99 id 0  
debug2: shell request accepted on channel 0  
Last login: Tue Dec 11 21:17:10 2018 from 10.213.23.201  
Please enter the shell password : debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
  
Entering shell...  
[root@atd-reg root]# 


I am not able to execute commands like this:

ssh -vvv -p2222 nobrk1n@10.213.23.112 ls

On executing the above command I am prompted for nobrk1n user's password. However on entering the password it gets stuck. I have pasted the output from the above command at https://pastebin.com/hSfiCmdi. Usually I first ssh into the server using ssh -p2222 user@host and when connection is established and I have successfully logged in, I start executing the commands.

Recommended answer

Your server uses a standard password authentication for the first password.

The second password is asked for only once the shell is starting. Simple I/O is used for that.

Additionally, your server does not seem to support the "exec" interface/channel to execute commands (as ssh user@host command does not work). That is probably related to the "shell password" feature. So you probably have to use the "shell" channel to execute your command, which is otherwise not recommended.

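import time
import paramiko

# hostname, username, password1, password2 and command are supplied by the caller
ssh = paramiko.SSHClient()
ssh.load_system_host_keys()  # connect() rejects hosts missing from known_hosts by default
ssh.connect(hostname, username=username, password=password1)
# The second password is asked for by the shell, so it goes over the shell channel
channel = ssh.invoke_shell()
channel.send(password2 + "\n")
channel.send(command + "\n")
# Wait until the server has produced some output
while not channel.recv_ready():
    time.sleep(1)
out = channel.recv(9999)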
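A prompt-driven variant of the shell-channel approach above, as an added example that is not part of the original answer: it sends the second password only after the "Please enter the shell password" prompt from the ssh -vvv session has arrived, and reads the command output up to the next shell prompt instead of a single `recv`. The two regexes, the `FakeChannel` stand-in and its `file_a`/`file_b` output are constructed assumptions so the block runs offline.

```python
import re
import time

# Prompt strings taken from the ssh -vvv session above; the regexes are assumptions.
PW_PROMPT = re.compile(r"Please enter the shell password\s*:")
SHELL_PROMPT = re.compile(r"\]# $")

def read_until(channel, pattern, timeout=10.0, poll=0.05):
    """Collect channel output until `pattern` matches; fail on timeout or close."""
    buf, deadline = "", time.monotonic() + timeout
    while time.monotonic() < deadline:
        if channel.recv_ready():
            buf += channel.recv(4096).decode("utf-8", "replace")
            if pattern.search(buf):
                return buf
        elif channel.closed:
            raise EOFError("channel closed before %r appeared" % pattern.pattern)
        else:
            time.sleep(poll)
    raise TimeoutError("no match for %r within %ss" % (pattern.pattern, timeout))

def run_in_shell(channel, shell_password, command, timeout=10.0):
    """Answer the shell-password prompt, run one command, return its output."""
    read_until(channel, PW_PROMPT, timeout)        # send the secret only to its prompt
    channel.sendall((shell_password + "\n").encode())
    read_until(channel, SHELL_PROMPT, timeout)     # shell password accepted
    channel.sendall((command + "\n").encode())
    raw = read_until(channel, SHELL_PROMPT, timeout)
    lines = raw.replace("\r\n", "\n").split("\n")
    return "\n".join(lines[1:-1])                  # drop command echo and prompt

class FakeChannel:
    """Constructed stand-in for paramiko.Channel replaying the prompts from the log."""
    closed = False
    def __init__(self, shell_password):
        self._pw, self._in_shell = shell_password, False
        self._out = [b"Last login: Tue Dec 11\r\nPlease enter the shell password : "]
    def recv_ready(self):
        return bool(self._out)
    def recv(self, nbytes):
        return self._out.pop(0)
    def sendall(self, data):
        line = data.decode().rstrip("\n")
        if self._in_shell:  # constructed output for any command
            self._out.append((line + "\r\nfile_a\r\nfile_b\r\n[root@atd-reg root]# ").encode())
        elif line == self._pw:  # a wrong password gets no reply in this stand-in
            self._in_shell = True
            self._out.append(b"\r\nEntering shell...\r\n[root@atd-reg root]# ")
```

With a real connection, pass the object returned by `ssh.invoke_shell()` as `channel`; a shell prompt that carries terminal escape sequences needs a looser `SHELL_PROMPT`.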
