Verify host key with pysftp

by

The pysftp has some bugs regarding host key handling, as described below. It also seems that the pysftp project was abandoned. Consider using Paramiko directly instead. The pysftp is just a wrapper on top of Paramiko and it does not add anything really significant. See pysftp vs. Paramiko.

For handling of host keys in Paramiko, see:
Paramiko “Unknown Server”

If you want to keep using pysftp, do not set cnopts.hostkeys = None (as the second most upvoted answer shows), unless you do not care about security. You lose a protection against Man-in-the-middle attacks by doing so.

Use CnOpts.hostkeys (returns HostKeys) to manage trusted host keys.

cnopts = pysftp.CnOpts(knownhosts="known_hosts")

with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:

where the known_hosts contains a server public key(s)] in a format like:

example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...

If you do not want to use an external file, you can also use

from base64 import decodebytes
# ...

keydata = b"""AAAAB3NzaC1yc2EAAAADAQAB..."""
key = paramiko.RSAKey(data=decodebytes(keydata))
cnopts = pysftp.CnOpts()
cnopts.hostkeys.add('example.com', 'ssh-rsa', key)

with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:

Though as of pysftp 0.2.9, this approach will issue a warning, what seems like a bug:
“Failed to load HostKeys” warning while connecting to SFTP server with pysftp

An easy way to retrieve the host key in the needed format is using OpenSSH ssh-keyscan:

$ ssh-keyscan example.com
# example.com SSH-2.0-OpenSSH_5.3
example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...

(due to a bug in pysftp, this does not work, if the server uses non-standard port – the entry starts with [example.com]:port + beware of redirecting ssh-keyscan to a file in PowerShell)

You can also make the application do the same automatically:
Use Paramiko AutoAddPolicy with pysftp
(It will automatically add host keys of new hosts to known_hosts, but for known host keys, it will not accept a changed key)

Though for an absolute security, you should not retrieve the host key remotely, as you cannot be sure, if you are not being attacked already.

See my article Where do I get SSH host key fingerprint to authorize the server?
It’s for my WinSCP SFTP client, but most information there is valid in general.

If you need to verify the host key using its fingerprint only, see Python – pysftp / paramiko – Verify host key using its fingerprint.

More Related Contents:

  1. How to ssh connect through Python Paramiko with ppk public key
  2. Python – pysftp / paramiko – Verify host key using its fingerprint
  3. “Failed to load HostKeys” warning while connecting to SFTP server with pysftp
  4. How to scp in Python?
  5. Is there a simple way to get rid of junk values that come when you SSH using Python’s Paramiko library and fetch output from CLI of a remote machine?
  6. Some Unix commands fail with ” not found”, when executed using Python Paramiko exec_command
  7. Environment variable differences when using Paramiko
  8. How to copy a file to a remote server in Python using SCP or SSH?
  9. Paramiko ssh die/hang with big output
  10. mysql_config not found when installing mysqldb python interface
  11. Nested SSH using Python Paramiko
  12. Running interactive commands in Paramiko
  13. Executing command using Paramiko exec_command on device is not working
  14. Reading file opened with Python Paramiko SFTPClient.open method is slow
  15. Command executed with Paramiko does not produce any output
  16. Read a file from server with SSH using Python
  17. Run local python script on remote server
  18. How to list all the folders and files in the directory after connecting through SFTP in Python
  19. Run multiple commands in different SSH servers in parallel using Python Paramiko
  20. Password authentication in Python Paramiko fails, but same credentials work in SSH/SFTP client
  21. Executing command using “su -l” in SSH using Python
  22. Execute command and wait for it to finish with Python Paramiko
  23. Implement an interactive shell over ssh in Python using Paramiko?
  24. How to run sudo with Paramiko? (Python)
  25. Paramiko authentication fails with “Agreed upon ‘rsa-sha2-512’ pubkey algorithm” (and “unsupported public key algorithm: rsa-sha2-512” in sshd log)
  26. Recursive directory download with Paramiko?
  27. How to create a SSH tunnel using Python and Paramiko?
  28. Paramiko: read from standard output of remotely executed command
  29. How can you get the SSH return code using Paramiko?
  30. Why does Paramiko hang if you use it while loading a module?

Leave a Comment