Paramiko authentication fails with Agreed upon 'rsa-sha2-512' pubkey algorithm (and unsupported public key algorithm: rsa-sha2-512 in sshd log)

Imo, it's a bug in Paramiko. It does not correctly handle the absence of the server-sig-algs extension on the server side.

Try disabling rsa-sha2-* on Paramiko side altogether:

ssh_client.connect(
    server, username=ssh_user, key_filename=ssh_keypath,
    disabled_algorithms=dict(pubkeys=["rsa-sha2-512", "rsa-sha2-256"]))

(note that there's no need to specify port=22, as that's the default)

I've found a related Paramiko issue:

RSA key auth failing from paramiko 2.9.x client to dropbear server

Though it refers to the Paramiko 2.9.0 change log, which seems to imply that the behavior is deliberate:

When the server does not send server-sig-algs, Paramiko will attempt the first algorithm in the above list. Clients connecting to legacy servers should thus use disabled_algorithms to turn off SHA2.


Since 2.9.2, Paramiko will say:

DEB [20220113-14:46:13.882] thr=1 paramiko.transport: Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')

DEB [20220113-14:46:13.882] thr=1 paramiko.transport: NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!


Obligatory warning: Do not use AutoAddPolicy – you are losing protection against MITM attacks by doing so. For a correct solution, see Paramiko "Unknown Server".


Your code for waiting for the command to complete and reading its output is flawed too. See Wait to finish command executed with Python Paramiko. And for most purposes, get_pty=True is not a good idea either.
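The following is an added example, not code from any of the answers above or from the Paramiko project. It models the RSA signature-algorithm choice that the change-log quote describes (first preference when the server sends no server-sig-algs list, otherwise the first preference the server also lists), shows the effect of the disabled_algorithms workaround on that choice, and wraps it in a connect-and-run helper that keeps strict host-key checking and waits for the command correctly. The function names, the CLIENT_PREFERRED order and the legacy_server switch are my own assumptions; run_command needs a live server and is not exercised offline.

```python
"""Added example: Paramiko rsa-sha2 negotiation and a safe connect helper."""

try:
    import paramiko
except ImportError:  # the negotiation helpers below do not need paramiko itself
    paramiko = None

# Assumed client preference order for RSA keys in Paramiko 2.9+: rsa-sha2-* first.
CLIENT_PREFERRED = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def choose_rsa_algorithm(server_sig_algs, preferred=CLIENT_PREFERRED):
    """Algorithm a 2.9.2+ client offers for an RSA key, per the change-log rule.

    server_sig_algs is the list from the server's SSH_MSG_EXT_INFO, or None when
    the server never sent one. Without the extension the client falls back to
    its first preference, which is exactly what a legacy sshd rejects with
    'unsupported public key algorithm: rsa-sha2-512'.
    """
    if server_sig_algs is None:
        return preferred[0]
    for algo in preferred:
        if algo in server_sig_algs:
            return algo
    # Nothing overlaps; RFC 8332 still allows a client to try plain ssh-rsa.
    return "ssh-rsa"


def disabled_algorithms_for_legacy():
    """The disabled_algorithms value from the answer above, as a helper."""
    return {"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]}


def choose_with_disabled(server_sig_algs, disabled):
    """Same negotiation after a disabled_algorithms dict has been applied."""
    remaining = [a for a in CLIENT_PREFERRED if a not in disabled.get("pubkeys", [])]
    return choose_rsa_algorithm(server_sig_algs, remaining)


def run_command(host, username, key_filename, command, legacy_server=False):
    """Connect, run one command, wait for it properly, return (status, output).

    Host keys come from the system known_hosts file and unknown hosts are
    rejected, so the MITM protection that AutoAddPolicy throws away is kept.
    Set legacy_server=True only for a server that lacks server-sig-algs.
    """
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    kwargs = {}
    if legacy_server:
        kwargs["disabled_algorithms"] = disabled_algorithms_for_legacy()
    client.connect(host, username=username, key_filename=key_filename, **kwargs)
    try:
        channel = client.get_transport().open_session()
        # One combined stream, so read() cannot deadlock on a full stderr buffer.
        channel.set_combine_stderr(True)
        channel.exec_command(command)
        output = channel.makefile("r").read().decode()  # read to EOF first
        status = channel.recv_exit_status()             # then collect the exit code
        return status, output
    finally:
        client.close()
```

choose_rsa_algorithm(None) returns "rsa-sha2-512", reproducing the failing case; choose_with_disabled(None, disabled_algorithms_for_legacy()) returns "ssh-rsa", which is why the workaround succeeds against a server that only understands the SHA-1 form.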

PubkeyAcceptedKeyTypes=+ssh-rsa with Paramiko

Paramiko uses ssh-rsa by default. No need to enable it.

But if you have problems with public keys, it might be because recent versions of Paramiko first try rsa-sha2-*. And some legacy servers choke on that. So you likely want to disable rsa-sha2-* instead.

For that, see:

Paramiko authentication fails with "Agreed upon 'rsa-sha2-512' pubkey algorithm" (and "unsupported public key algorithm: rsa-sha2-512" in sshd log)

How to connect to an SFTP server through Paramiko with a PPK key?

Based on the posted logs and this question, I have finally managed to solve the error by disabling the rsa-sha2-512 and rsa-sha2-256 algorithms to force the ssh-rsa algorithm.

ssh_client.connect(
    disabled_algorithms={'pubkeys': ['rsa-sha2-512', 'rsa-sha2-256']}, ...)

Pysftp fails with Authentication failed and Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')

The error comes from underlying Paramiko and is discussed here:

Paramiko authentication fails with "Agreed upon 'rsa-sha2-512' pubkey algorithm" (and "unsupported public key algorithm: rsa-sha2-512" in sshd log)

Though pysftp does not expose the disabled_algorithms parameter.

You'd better switch to using Paramiko directly. pysftp is an abandoned project. See pysftp vs. Paramiko.

How to disable pubkey algorithms in python sshtunnel

With the latest version of the paramiko library, e.g. paramiko~=2.11.0, there is an issue: an RSA key is treated as a DSA key. The issue is solved by using a lower version of the library, e.g. paramiko~=2.8.1, without using the ssh config or the disabled_algorithms flag.

Authentication failed pysftp with private key

Paramiko recently added some code in 2.9.x which causes a paramiko.ssh_exception.AuthenticationException('Authentication failed.') exception. Try installing paramiko==2.8.1 explicitly and see if the issue still occurs.

See change log notes for 2.9.0 at https://www.paramiko.org/changelog.html

And also this issue here: https://github.com/paramiko/paramiko/issues/1961

Paramiko warning in change log for 2.9.0


