Paramiko authentication fails with Agreed upon 'rsa-sha2-512' pubkey algorithm (and unsupported public key algorithm: rsa-sha2-512 in sshd log)
Imo, it's a bug in Paramiko. It does not correctly handle the absence of the server-sig-algs extension on the server side.
Try disabling rsa-sha2-* on the Paramiko side altogether:
    ssh_client.connect(
        server, username=ssh_user, key_filename=ssh_keypath,
        disabled_algorithms=dict(pubkeys=["rsa-sha2-512", "rsa-sha2-256"]))
(note that there's no need to specify port=22, as that's the default)
I've found related Paramiko issue:
RSA key auth failing from paramiko 2.9.x client to dropbear server
Though it refers to Paramiko 2.9.0 change log, which seems to imply that the behavior is deliberate:
When the server does not send server-sig-algs, Paramiko will attempt the first algorithm in the above list. Clients connecting to legacy servers should thus use disabled_algorithms to turn off SHA2.
Since 2.9.2, Paramiko will say:
DEB [20220113-14:46:13.882] thr=1 paramiko.transport: Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')
DEB [20220113-14:46:13.882] thr=1 paramiko.transport: NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!
Obligatory warning: Do not use AutoAddPolicy – You are losing a protection against MITM attacks by doing so. For a correct solution, see Paramiko "Unknown Server".
Your code for waiting for command to complete and reading its output is flawed too. See Wait to finish command executed with Python Paramiko. And for most purposes, the get_pty=True is not a good idea either.
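Added example (not from the original answers and not Paramiko's own code): a check over Paramiko debug output and sshd log lines for the pattern described above, so that rsa-sha2-* is disabled only for servers that show it, plus a connect helper that keeps host key verification on instead of AutoAddPolicy. The function names and the sample sshd line are constructed for illustration.

```python
import re

# Debug message Paramiko logs since 2.9.2 (quoted in the answer above).
NO_SIG_ALGS = re.compile(
    r"Server did not send a server-sig-algs list; "
    r"defaulting to our first preferred algo \('(?P<algo>[^']+)'\)")
# Server-side message from the question title.
SSHD_REJECT = re.compile(r"unsupported public key algorithm: (?P<algo>\S+)")
SHA2_RSA = ["rsa-sha2-512", "rsa-sha2-256"]

# First line is the debug line quoted above; the sshd line is constructed.
SAMPLE_LOG = """\
DEB [20220113-14:46:13.882] thr=1 paramiko.transport: Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')
sshd[1234]: userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 [preauth]
"""


def legacy_rsa_workaround(log_text):
    """Return the disabled_algorithms dict if the log shows an rsa-sha2-*
    algorithm being defaulted to or rejected; otherwise return {}."""
    seen = set()
    for pattern in (NO_SIG_ALGS, SSHD_REJECT):
        seen.update(m.group("algo") for m in pattern.finditer(log_text))
    if seen & set(SHA2_RSA):
        return {"pubkeys": list(SHA2_RSA)}
    return {}


def connect_verified(host, user, key_path, log_text=""):
    """Hypothetical helper: host key checking stays on, and SHA-2 is only
    disabled when log_text from a failed attempt shows the pattern."""
    import paramiko  # lazy import: the log check above runs without Paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()  # trust only keys already in known_hosts
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, key_filename=key_path,
                   disabled_algorithms=legacy_rsa_workaround(log_text) or None)
    return client


if __name__ == "__main__":
    print(legacy_rsa_workaround(SAMPLE_LOG))
```

Pass the debug log of a failed attempt as log_text; with an empty log the helper connects with Paramiko's default algorithm preferences.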
PubkeyAcceptedKeyTypes=+ssh-rsa with Paramiko
Paramiko uses ssh-rsa by default. No need to enable it.
But if you have problems with public keys, it might be because recent versions of Paramiko first try rsa-sha2-*. And some legacy servers choke on that. So you likely rather want to disable the rsa-sha2-*.
For that, see:
Paramiko authentication fails with "Agreed upon 'rsa-sha2-512' pubkey algorithm" (and "unsupported public key algorithm: rsa-sha2-512" in sshd log)
How to connect to an SFTP server through Paramiko with a PPK key?
Based on the posted logs and this question, I have finally managed to solve the error with disabling rsa-sha2-512 and rsa-sha2-256 algorithms to force the ssh-rsa algorithm.
ssh_client.connect(
disabled_algorithms={'pubkeys': ['rsa-sha2-512', 'rsa-sha2-256']}, ...)
Pysftp fails with Authentication failed and Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')
The error comes from underlying Paramiko and is discussed here:
Paramiko authentication fails with "Agreed upon 'rsa-sha2-512' pubkey algorithm" (and "unsupported public key algorithm: rsa-sha2-512" in sshd log)
Though pysftp does not expose the disabled_algorithms parameter.
You had better switch to using Paramiko directly. The pysftp is an abandoned project. See pysftp vs. Paramiko.
How to disable pubkey algorithms in python sshtunnel
With the latest version of paramiko library e.g. paramiko~=2.11.0, there is an issue: RSA key being treated as a DSA key. The issue is solved using a lower version of the library e.g. paramiko~=2.8.1, without using the ssh config or disabled_algorithms flag.
Authentication failed pysftp with private key
Paramiko recently added some code in the 2.9.x which causes a paramiko.ssh_exception.AuthenticationException('Authentication failed.') exception. Try installing paramiko==2.8.1 explicitly and see if the issue still occurs.
See change log notes for 2.9.0 at https://www.paramiko.org/changelog.html
And also this issue here: https://github.com/paramiko/paramiko/issues/1961