I corrected a few copy and paste errors below that may have been confusing...

-----Original Message-----
From: fab-user-bounces+ashbyj=imsweb....@nongnu.org 
[mailto:fab-user-bounces+ashbyj=imsweb....@nongnu.org] On Behalf Of Ashby, 
Jason (IMS)
Sent: Thursday, June 28, 2012 9:47 AM
To: Jeff Forcier
Cc: fab-user@nongnu.org
Subject: Re: [Fab-user] Loading system known_hosts file

Thanks for the reply Jeff.  Running a debug on the sshd server-side was very 
helpful.

I can see that when I connect with the ssh client from my shell, the client 
requests a connection method of 'none' and then 'hostbased'. Fabric (or 
Paramiko) seems to request publickey right off the bat.

Is there any way I can specify hostbased as the preferred connection method?  
Is it possible to set Paramiko settings in my fabfile?


Successful login................

root@mainhost:~> ssh -t -i /etc/ssh/ssh_host_rsa_key foohost uname -s

root@foohost:~> /usr/sbin/sshd -d
...snip...
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "root"
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: attempt 1 failures 0
debug1: userauth_hostbased: cuser root chost mainhost. pkalg ssh-dss slen 55
debug1: PAM: setting PAM_RHOST to " mainhost"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed hostbased for root from 172.x.x.x port 54623 ssh2
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: attempt 2 failures 1
debug1: userauth_hostbased: cuser root chost mainhost. pkalg ssh-rsa slen 271
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted hostbased for root from 172.x.x.x port 54623 ssh2


Unsuccessful login via Fabric................

root@mainhost:~ > fab test

root@foohost:~> /usr/sbin/sshd -d
...snip...
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 0 failures 0
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "mainhost"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for root from 172.x.x.x port 54630 ssh2


-----Original Message-----
From: bitprop...@gmail.com [mailto:bitprop...@gmail.com] On Behalf Of Jeff 
Forcier
Sent: Wednesday, June 27, 2012 2:12 PM
To: Ashby, Jason (IMS)
Cc: fab-user@nongnu.org
Subject: Re: [Fab-user] Loading system known_hosts file

Hi Jason,

Fabric should be doing this correctly, and if you check your debug
output, you'll notice that it appears to be using the right key:

> DEBUG:ssh.transport:Trying key 2d84d6f8af827bd2008aa7e8009fb3765 from
> /etc/ssh/ssh_host_rsa_key
>
> DEBUG:ssh.transport:userauth is OK
>
> INFO:ssh.transport:Authentication (publickey) failed.

What this means is the server rejected that key for some reason.
There's no way to tell without enabling debug output on the server
sshd, restarting it, trying again & then checking the server's sshd or
auth logs.

Have you tried using this key with regular 'ssh' before? E.g.:

    ssh -t -i /etc/ssh/ssh_host_rsa_key myhost uname -s

Which is roughly equivalent to what Fabric is doing here.

Good luck,
Jeff


On Wed, Jun 27, 2012 at 8:39 AM, Ashby, Jason (IMS) <ash...@imsweb.com> wrote:
> Hi,
>
> Is it possible for Fabric to use the "system" known hosts and key file found
> in /etc/ssh/ssh_known_hosts?  We keep all of our host keys in
> /etc/ssh/ssh_known_hosts and not in individual user's home dirs. (~/.ssh).
>
>
>
> I've tried the following env settings:
>
>
>
> env.use_ssh_config = True
>
> env.ssh_config_path = '/etc/ssh/ssh_config'
>
> env.key_filename = '/etc/ssh/ssh_host_rsa_key'
>
>
>
> However, I'm still prompted for a password.  I can hostbased SSH from
> mainhost to foohost without a password as root when testing from the Linux
> command line.  Here is some debug output:
>
>
>
> root@mainhost:~ > fab test
>
> [foohost] Executing task 'test'
>
> [foohost] run: uname -s
>
> DEBUG:ssh.transport:starting thread (client mode): 0x26f2890L
>
> INFO:ssh.transport:Connected (version 1.99, client OpenSSH_5.1)
>
> DEBUG:ssh.transport:kex algos:['diffie-hellman-group-exchange-sha256',
> 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1',
> 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client
> encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc',
> 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc',
> 'rijndael-...@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr']
> server encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc',
> 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc',
> 'rijndael-cbc@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr']
> client mac:['hmac-md5', 'hmac-sha1', 'umac...@openssh.com',
> 'hmac-ripemd160', 'hmac-ripemd...@openssh.com', 'hmac-sha1-96',
> 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1',
> 'umac-6...@openssh.com', 'hmac-ripemd160', 'hmac-ripemd...@openssh.com',
> 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none',
> 'z...@openssh.com', 'zlib'] server compress:['none', 'z...@openssh.com',
> 'zlib'] client lang:[''] server lang:[''] kex follows?False
>
> DEBUG:ssh.transport:Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
>
> DEBUG:ssh.transport:using kex diffie-hellman-group1-sha1; server key type
> ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1,
> remote hmac-sha1; compression: local none, remote none
>
> DEBUG:ssh.transport:Switch to new keys ...
>
> DEBUG:ssh.transport:Trying key 2d84d6f8af827bd2008aa7e8009fb3765 from
> /etc/ssh/ssh_host_rsa_key
>
> DEBUG:ssh.transport:userauth is OK
>
> INFO:ssh.transport:Authentication (publickey) failed.
>
> [foohost] Login password for 'root':
>
>
>
>
>
> FYI, the test function is just:
>
>
>
> def test():
>     run('uname -s')
>
>
>
>
>
> VERSION INFO:
>
> root@ mainhost:~> fab --version
>
> Fabric 1.4.2
>
> ssh (library) 1.7.14
>
>
>
> Thanks for your help!
>
>
> ________________________________
>
> Information in this e-mail may be confidential. It is intended only for the
> addressee(s) identified above. If you are not the addressee(s), or an
> employee or agent of the addressee(s), please note that any dissemination,
> distribution, or copying of this communication is strictly prohibited. If
> you have received this e-mail in error, please notify the sender of the
> error.
>
> _______________________________________________
> Fab-user mailing list
> Fab-user@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/fab-user
>



--
Jeff Forcier
Unix sysadmin; Python/Ruby engineer
http://bitprophet.org
