Paramiko 2.9 因“无效密钥（类：RSAKey，数据类型：rsa-sha2-256”而失败）

Question

我正在使用 Paramiko 连接到我的 PDU 以控制 AC 关闭。

我的笔记本电脑和主机系统没有遇到此问题。该代码在两者上都运行良好。

但是当我复制我的代码以在新主机系统上使用时，开始出现以下错误，我尝试在其他笔记本电脑上进行测试也有问题：-

我对 UUT 使用相同的连接，它连接没有问题，然后连接到 PDU 以关闭和打开 AC。会发生错误。这与新系统有关吗？

代码：

#Connect to PDU to AC OFF & ON. ***PDU Outlet # to be hard coded here for now***
ssh.connect(PDUipaddr, port=PDUport, username=PDUusrname, password=PDUusrpass)
print('PDU Connection Successful')

来自 IDLE 的错误：

Exception (client): Invalid key (class: RSAKey, data type: rsa-sha2-256
Traceback (most recent call last):
  
File "C:\Python\lib\site-packages\paramiko\transport.py", line 2129, in run
    self.kex_engine.parse_next(ptype, m)
  
File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 75, in parse_next
    return self._parse_kexdh_reply(m)
  
File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 120, in _parse_kexdh_reply
    self.transport._verify_key(host_key, sig)
  
File "C:\Python\lib\site-packages\paramiko\transport.py", line 1937, in _verify_key
    key = self._key_info[self.host_key_type](Message(host_key))
  
File "C:\Python\lib\site-packages\paramiko\rsakey.py", line 71, in __init__
    self._check_type_and_load_cert(
  
File "C:\Python\lib\site-packages\paramiko\pkey.py", line 622, in _check_type_and_load_cert
    raise SSHException(err.format(self.__class__.__name__, type_))
paramiko.ssh_exception.SSHException: Invalid key (class: RSAKey, data type: rsa-sha2-256

Traceback (most recent call last):
  
File "C:\Users\EV_PG\Desktop\AMDXIO Script\Test.py", line 26, in <module>
    ssh.connect(PDUipaddr, port=PDUport, username=PDUusrname, password=PDUusrpass)
  
File "C:\Python\lib\site-packages\paramiko\client.py", line 406, in connect
    t.start_client(timeout=timeout)
  
File "C:\Python\lib\site-packages\paramiko\transport.py", line 698, in start_client
    raise e
  
File "C:\Python\lib\site-packages\paramiko\transport.py", line 2129, in run
    self.kex_engine.parse_next(ptype, m)
  
File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 75, in parse_next
    return self._parse_kexdh_reply(m)
  
File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 120, in _parse_kexdh_reply
    self.transport._verify_key(host_key, sig)
  
File "C:\Python\lib\site-packages\paramiko\transport.py", line 1937, in _verify_key
    key = self._key_info[self.host_key_type](Message(host_key))
  
File "C:\Python\lib\site-packages\paramiko\rsakey.py", line 71, in __init__
    self._check_type_and_load_cert(
  
File "C:\Python\lib\site-packages\paramiko\pkey.py", line 622, in _check_type_and_load_cert
    raise SSHException(err.format(self.__class__.__name__, type_))
paramiko.ssh_exception.SSHException: Invalid key (class: RSAKey, data type: rsa-sha2-256

Paramiko 记录失败的系统：-

DEBUG:paramiko.transport:starting thread (client mode): 0xf6286260
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.9.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-Mocana SSH
INFO:paramiko.transport:Connected (version 2.0, client Mocana)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
DEBUG:paramiko.transport:server key: rsa-sha2-256, ssh-rsa
DEBUG:paramiko.transport:client encrypt: aes128-ctr, aes128-cbc, rijndael128-cbc, aes256-ctr, aes256-cbc, rijndael256-cbc, aes192-ctr, aes192-cbc, rijndael192-cbc, 3des-cbc
DEBUG:paramiko.transport:server encrypt: aes128-ctr, aes128-cbc, rijndael128-cbc, aes256-ctr, aes256-cbc, rijndael256-cbc, aes192-ctr, aes192-cbc, rijndael192-cbc, 3des-cbc
DEBUG:paramiko.transport:client mac: hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96
DEBUG:paramiko.transport:server mac: hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96
DEBUG:paramiko.transport:client compress: none
DEBUG:paramiko.transport:server compress: none
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: diffie-hellman-group14-sha1
DEBUG:paramiko.transport:HostKey: rsa-sha2-256
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
ERROR:paramiko.transport:Exception (client): Invalid key (class: RSAKey, data type: rsa-sha2-256
ERROR:paramiko.transport:Traceback (most recent call last):
ERROR:paramiko.transport:  File "C:\Python\lib\site-packages\paramiko\transport.py", line 2129, in run
ERROR:paramiko.transport:    self.kex_engine.parse_next(ptype, m)
ERROR:paramiko.transport:  File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 75, in parse_next
ERROR:paramiko.transport:    return self._parse_kexdh_reply(m)
ERROR:paramiko.transport:  File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 120, in _parse_kexdh_reply
ERROR:paramiko.transport:    self.transport._verify_key(host_key, sig)
ERROR:paramiko.transport:  File "C:\Python\lib\site-packages\paramiko\transport.py", line 1937, in _verify_key
ERROR:paramiko.transport:    key = self._key_info[self.host_key_type](Message(host_key))
ERROR:paramiko.transport:  File "C:\Python\lib\site-packages\paramiko\rsakey.py", line 71, in __init__
ERROR:paramiko.transport:    self._check_type_and_load_cert(
ERROR:paramiko.transport:  File "C:\Python\lib\site-packages\paramiko\pkey.py", line 622, in _check_type_and_load_cert
ERROR:paramiko.transport:    raise SSHException(err.format(self.__class__.__name__, type_))
ERROR:paramiko.transport:paramiko.ssh_exception.SSHException: Invalid key (class: RSAKey, data type: rsa-sha2-256
ERROR:paramiko.transport:
Traceback (most recent call last):
  File "C:\Users\EV_PG\Desktop\AMDXIO Script\Test.py", line 28, in <module>
    ssh.connect(PDUipaddr, port=PDUport, username=PDUusrname, password=PDUusrpass)
  File "C:\Python\lib\site-packages\paramiko\client.py", line 406, in connect
    t.start_client(timeout=timeout)
  File "C:\Python\lib\site-packages\paramiko\transport.py", line 698, in start_client
    raise e
  File "C:\Python\lib\site-packages\paramiko\transport.py", line 2129, in run
    self.kex_engine.parse_next(ptype, m)
  File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 75, in parse_next
    return self._parse_kexdh_reply(m)
  File "C:\Python\lib\site-packages\paramiko\kex_group1.py", line 120, in _parse_kexdh_reply
    self.transport._verify_key(host_key, sig)
  File "C:\Python\lib\site-packages\paramiko\transport.py", line 1937, in _verify_key
    key = self._key_info[self.host_key_type](Message(host_key))
  File "C:\Python\lib\site-packages\paramiko\rsakey.py", line 71, in __init__
    self._check_type_and_load_cert(
  File "C:\Python\lib\site-packages\paramiko\pkey.py", line 622, in _check_type_and_load_cert
    raise SSHException(err.format(self.__class__.__name__, type_))
paramiko.ssh_exception.SSHException: Invalid key (class: RSAKey, data type: rsa-sha2-256

Paramiko 测井传递系统：-

DEBUG:paramiko.transport:starting thread (client mode): 0x300e2020
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.8.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-Mocana SSH
INFO:paramiko.transport:Connected (version 2.0, client Mocana)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['rsa-sha2-256', 'ssh-rsa'] client encrypt:['aes128-ctr', 'aes128-cbc', 'rijndael128-cbc', 'aes256-ctr', 'aes256-cbc', 'rijndael256-cbc', 'aes192-ctr', 'aes192-cbc', 'rijndael192-cbc', '3des-cbc'] server encrypt:['aes128-ctr', 'aes128-cbc', 'rijndael128-cbc', 'aes256-ctr', 'aes256-cbc', 'rijndael256-cbc', 'aes192-ctr', 'aes192-cbc', 'rijndael192-cbc', '3des-cbc'] client mac:['hmac-sha2-256', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] server mac:['hmac-sha2-256', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group14-sha1
DEBUG:paramiko.transport:HostKey agreed: ssh-rsa
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:kex engine KexGroup14 specified hash_algo <built-in function openssl_sha1>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-rsa host key for [10.47.7.42]:22: b'5289cb302fda3e4cfb5c6382c85916f9'
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Auth banner: b'+============================================================================+\r\n|                      EATON ePDU Configuration Utility                      |\r\n+============================================================================+\r\n'
INFO:paramiko.transport:Authentication (password) successful!
PDU Connection Successful
B2B & R2R Completed... Check Logfiles.
DEBUG:paramiko.transport:EOF in transport thread

Answer 1

您在两台机器上使用不同版本的 Paramiko。故障机器使用较新的 2.9.1。 Paramiko 2.9 added support for rsa-sha2-256 keys。您的服务器也支持这些，因此 Paramiko 和服务器同意使用它们。而旧版 Paramiko 2.8.1 的机器使用 ssh-rsa 键。

但是rsa-sha2-256 键似乎出了点问题。我说不出该怪谁。它可能是 Paramiko 中新的 rsa-sha2-256 实现中的错误。但这也可能是服务器中的错误，因为您使用的是一些较小的 (Mocana SSH) 服务器，可能没有经过很好的测试。

---

无论如何，您应该能够通过避免使用rsa-sha2-256 键来绕过该问题：

ssh.connect(PDUipaddr, port=PDUport, username=PDUusrname, password=PDUusrpass,
   disabled_algorithms=dict(pubkeys=["rsa-sha2-256"]))

请注意，此类代码不会在装有 Paramiko 2.8.1 的机器上运行，因为 disabled_algorithms 仅在 2.9 中添加。