Paramiko authentication fails with “Agreed upon ‘rsa-sha2-512’ pubkey algorithm” (and “unsupported public key algorithm: rsa-sha2-512” in sshd log)

by

Imo, it’s a bug in Paramiko. It does not handle correctly absence of server-sig-algs extension on the server side.

Try disabling rsa-sha2-* on Paramiko side altogether:

ssh_client.connect(
  server, username=ssh_user, key_filename=ssh_keypath,
  disabled_algorithms=dict(pubkeys=["rsa-sha2-512", "rsa-sha2-256"]))

(note that there’s no need to specify port=22, as that’s the default)

I’ve found related Paramiko issue:
RSA key auth failing from paramiko 2.9.x client to dropbear server

Though it refers to Paramiko 2.9.0 change log, which seems to imply that the behavior is deliberate:

When the server does not send server-sig-algs, Paramiko will attempt the first algorithm in the above list. Clients connecting to legacy servers should thus use disabled_algorithms to turn off SHA2.

Since 2.9.2, Paramiko will say:

DEB [20220113-14:46:13.882] thr=1 paramiko.transport: Server did not send a server-sig-algs list; defaulting to our first preferred algo (‘rsa-sha2-512’)
DEB [20220113-14:46:13.882] thr=1 paramiko.transport: NOTE: you may use the ‘disabled_algorithms’ SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!

Obligatory warning: Do not use AutoAddPolicy – You are losing a protection against MITM attacks by doing so. For a correct solution, see Paramiko “Unknown Server”.

Your code for waiting for command to complete and reading its output is flawed too. See Wait to finish command executed with Python Paramiko. And for most purposes, the get_pty=True is not a good idea either.

More Related Contents:

  1. Pass input/variables to command/script over SSH using Python Paramiko
  2. Executing command using “su -l” in SSH using Python
  3. Some Unix commands fail with ” not found”, when executed using Python Paramiko exec_command
  4. Environment variable differences when using Paramiko
  5. How to use Paramiko logging?
  6. What is the simplest way to SSH using Python?
  7. Paramiko ssh die/hang with big output
  8. mysql_config not found when installing mysqldb python interface
  9. What is the difference between exec_command and send with invoke_shell() on Paramiko?
  10. Command executed with Paramiko does not produce any output
  11. Python Paramiko – Run command
  12. Python – pysftp / paramiko – Verify host key using its fingerprint
  13. Read a file from server with SSH using Python
  14. Port forwarding with Paramiko
  15. Paramiko and Pseudo-tty Allocation
  16. Multi-factor authentication (password and key) with Paramiko
  17. Automate ssh connection and execution of program with Python’s Paramiko
  18. Long-running ssh commands in python paramiko module (and how to end them)
  19. Running Sudo Command with paramiko
  20. Sending a password over SSH or SCP with subprocess.Popen
  21. Run multiple commands in different SSH servers in parallel using Python Paramiko
  22. Fetching the output of a command executed through os.system() command [duplicate]
  23. Password authentication in Python Paramiko fails, but same credentials work in SSH/SFTP client
  24. Execute multiple dependent commands individually with Paramiko and find out when each command finishes
  25. Execute (sub)commands in secondary shell/command on SSH server in Python Paramiko
  26. Paramiko: read from standard output of remotely executed command
  27. How can you get the SSH return code using Paramiko?
  28. Wait until task is completed on Remote Machine through Python [duplicate]
  29. List files on SFTP server matching wildcard in Python using Paramiko
  30. python paramiko ssh

Leave a Comment