From jdsw2002 at yahoo.com Sat Sep 1 00:14:23 2007
From: jdsw2002 at yahoo.com (jd)
Date: Sat, 1 Sep 2007 00:14:23 -0700 (PDT)
Subject: [paramiko] Intermittent problem (no attachments)
In-Reply-To: <46D32F14.8070506@activestate.com>
Message-ID: <28814.43976.qm@web35806.mail.mud.yahoo.com>

After very long debugging and tracing session.. I have been able to
capture the behavior in traces. I have filed the following bug

https://bugs.launchpad.net/paramiko/+bug/136532

Would really appreciate if someone can take a look and suggest
workaround/patch.

Thanks
/Jd

--- Todd Whiteman wrote:

> Hi Jd,
>
> First off, does this problem also exist when using the latest paramiko
> release (1.7.1):
> http://www.lag.net/paramiko/
>
> Todd.
>
> jd wrote:
> > Hi
> > I had sent this email, but is waiting for approval
> > as the attached sources seems to cross the limit of
> > the distribution list.
> > Can the owner kindly approve the message with files.
> > does anyone have tips/pointers to resolve this ?
> > Thanks
> > /Jd
> >
> > --- jd wrote:
> >
> >> Hi Everyone.
> >> I have written a ssh tunnel transport for
> >> XML-RPC.
> >> It seems to work pretty good, but has intermittent
> >> failures.
> >>
> >> It seems that the client/parser missed the first
> >> chunk of data from the server.
> >>
> >> This does not happen when I use the normal xml-rpc
> >> over http. so I am assuming that the server is ok.
> >>
> >> Attached is test program that reproduces the
> >> problem.
> >> Environment is FC7, python 2.5,
> >> python-paramiko-1.6.4-1.fc7, Xen 3.1
> >>
> >> Can someone spot something wrong which might be
> >> causing this ? Or some paramiko tweak that might be
> >> useful in this scenario.
> >>
> >> Any other ideas on how to narrow down the problem
> >> are
> >> welcome.
> >>
> >> Thanks
> >> /Jd
> >>
> >> === Attached description of files ===
> >> phelper.py : Just some utility wrapper over paramiko
> >> lib.
> >> test_proxy.py : simple driver program that
> >> reproduces
> >> the problem.
> >> test_output : output : 2 out of N tries succeed.
> >> XenServreProxy.py : Proxy that implements the
> >> paramiko
> >> transport for XML-RPC.
> >>
> >> #!/usr/bin/env python
> >> #
> >> # XenMan - Copyright (c) 2007 Jd & Hap Hazard
> >> # ======
> >> #
> >> # XenMan is a Xen management tool with a GTK based graphical interface
> >> # that allows for performing the standard set of domain operations
> >> # (start, stop, pause, kill, shutdown, reboot, snapshot, etc...). It
> >> # also attempts to simplify certain aspects such as the creation of
> >> # domains, as well as making the consoles available directly within the
> >> # tool's user interface.
> >> #
> >> #
> >> # This software is subject to the GNU Lesser General Public License (LGPL)
> >> # and for details, please consult it at:
> >> #
> >> # http://www.fsf.org/licensing/licenses/lgpl.txt
> >> #
> >> # author : Jd
> >> #
> >>
> >> import paramiko
> >> from paramiko import SSHException
> >> import os, sys
> >> import getpass
> >> import socket
> >>
> >> """Paramiko helper class. Provides common functions as
> >>    -- validating host keys,
> >>    -- initializing a new transport,
> >>    -- agent based and password based authentication etc.
> >> """
> >> class HostValidationException(Exception):
> >>     def __init__(self, errno, description):
> >>         self.errno = errno
> >>         self.description = description
> >>
> >>     def __repr__(self):
> >>         return "[Error %s], %s" % (self.errno, self.description)
> >>
> >>     def __str__(self):
> >>         return self.__repr__()
> >>
> >> class AuthenticationException(Exception):
> >>     def __init__(self, errno, description):
> >>         self.errno = errno
> >>         self.description = description
> >>
> >>     def __repr__(self):
> >>         return "[Error %s], %s" % (self.errno, self.description)
> >>
> >>     def __str__(self):
> >>         return self.__repr__()
> >>
> >>
> >> class CommunicationException(Exception):
> >>     def __init__(self, errno, description):
> >>         self.errno = errno
> >>         self.description = description
> >>
> >>     def __repr__(self):
> >>         return "[Error %s], %s" % (self.errno, self.description)
> >>
> >>     def __str__(self):
> >>         return self.__repr__()
> >>
> >>
> >>
> >> class PHelper:
> >>
> >>     host_keys = {}
> >>
> >>     # credential helper
> >>     credentials_helper = None
> >>
> >>     ## The credential helper needs a get_credentials(hostname) method
> >>     ## to return credentials
> >>     ## the object returned should have:
> >>     ##    get_username() and get_password() methods
> >>     ## This would be used when the transport can not be initialized
> >>     ## using given methods
> >>
> >>     @classmethod
> >>     def set_credentials_helper(cls, cred_helper):
> >>         """ Set the helper class"""
> >>         cls.credentials_helper = cred_helper
> >>
> >>
> >>     @classmethod
> >>     def load_keys(cls):
> >>         # TODO : May be we need to load /etc/ssh/known_hosts and merge it here.
> >>         try:
> >>             path = os.path.expanduser('~/.ssh/known_hosts')
> >>             cls.host_keys = paramiko.util.load_host_keys(path)
> >>         except IOError:
> === message truncated ===

From robey at lag.net Sat Sep 1 01:44:33 2007
From: robey at lag.net (Robey Pointer)
Date: Sat, 1 Sep 2007 01:44:33 -0700
Subject: [paramiko] Intermittent problem (no attachments)
In-Reply-To: <789083.6587.qm@web35815.mail.mud.yahoo.com>
References: <789083.6587.qm@web35815.mail.mud.yahoo.com>
Message-ID:

On 27 Aug 2007, at 12:05, jd wrote:

> Hi
> I had sent this email, but is waiting for approval
> as the attached sources seems to cross the limit of
> the distribution list.

Sorry, I don't monitor the "unapproved" messages for this list because,
thanks to spammers, it gets hundreds of those a month. If it's a large
attachment, it might be better to post it to a website anyway.

Can you post what paramiko logs when the connection is terminated
abruptly? Either here or in the bug you just filed.

robey

From jdsw2002 at yahoo.com Mon Sep 10 15:16:42 2007
From: jdsw2002 at yahoo.com (jd)
Date: Mon, 10 Sep 2007 15:16:42 -0700 (PDT)
Subject: [paramiko] Multi-Threading and paramiko
Message-ID: <828418.69133.qm@web35810.mail.mud.yahoo.com>

Hi everyone,

I remember reading somewhere.. that paramiko is thread safe library and
can be used in multi-threaded programs.

Can some one please confirm it. I can not spot that in to doc.

Are there any restrictions / required affinity between paramiko objects
(transport / channel ) and threads in which they are used ?

I am using paramiko in multi-threaded pygtk program.. and sometimes I do
see "Garbled package" error. (do not have stack handy)

Any tips / caution /word of wisdom ? Any insight would help me adjust my
code.

Thanks in advance.
/Jd

From dmorilha at gmail.com Mon Sep 10 16:04:24 2007
From: dmorilha at gmail.com (Daniel Morilha)
Date: Mon, 10 Sep 2007 20:04:24 -0300
Subject: [paramiko] Paramiko performance doubts
In-Reply-To: <7a8c67790709030803n53fb348bm40eaa8a37b8a6fbc@mail.gmail.com>
References: <7a8c67790709030803n53fb348bm40eaa8a37b8a6fbc@mail.gmail.com>
Message-ID: <7a8c67790709101604y5e2ea296r9f08b5b1bee0818d@mail.gmail.com>

Hello everyone,

I developed a solution using paramiko and a similar Telnetlib class to
access a several number of network devices in replacement of using
Pexpect library and openssh client. It worked so well but the bad
performance made me think in how to improve Paramiko.

Is there some way to do that, for example using some C extension or even
other library? I would like to continue using Paramiko, but in
production environment it could be compiled in a different way. Is this
possible? Maybe using pyOpenSSL library.

If someone could help me I would appreciate that,

Thanks,

--
Daniel Morilha (dmorilha at gmail.com )

From jdsw2002 at yahoo.com Tue Sep 11 11:07:46 2007
From: jdsw2002 at yahoo.com (jd)
Date: Tue, 11 Sep 2007 11:07:46 -0700 (PDT)
Subject: [paramiko] Garbled packet in SFTPClient
Message-ID: <420427.69814.qm@web35813.mail.mud.yahoo.com>

Filed a bug with stack trace and paramiko log.
https://bugs.launchpad.net/paramiko/+bug/138944

Any idea on why this might be happening or Anything I can do to prevent
it ?

Thanks
/Jd

From skolesys at gmail.com Wed Sep 12 03:28:02 2007
From: skolesys at gmail.com (SkoleSYS SkoleSYS)
Date: Wed, 12 Sep 2007 12:28:02 +0200
Subject: [paramiko] port forwarding question
Message-ID: <3b9f01ae0709120328o1f4e04c3l45010bd5ed6631a4@mail.gmail.com>

Hi.
My question is pretty simple - can I do this using paramiko:

ssh -l someone -L 10000:some-machine.some.domain.org:22 some.domain.org

Paramiko seems to be a large library and I just don't know where to
start.

open_forwarded_tcpip_channel seems to be the method I am looking for,
but I'm not really sure how to use it, and I can't find any examples :-(

I really hope someone can help.

Best regards
Jakob Simon-Gaarde

From robey at lag.net Fri Sep 14 19:28:04 2007
From: robey at lag.net (Robey Pointer)
Date: Fri, 14 Sep 2007 19:28:04 -0700
Subject: [paramiko] Multi-Threading and paramiko
In-Reply-To: <828418.69133.qm@web35810.mail.mud.yahoo.com>
References: <828418.69133.qm@web35810.mail.mud.yahoo.com>
Message-ID: <0242F9B6-ABC8-4CC4-9293-68EB05F0C523@lag.net>

On 10 Sep 2007, at 15:16, jd wrote:

> Hi everyone,
>
> I remember reading somewhere.. that paramiko is thread
> safe library and can be used in multi-threaded
> programs.
>
> Can some one please confirm it. I can not spot that in
> to doc.

That's correct. Paramiko is thread-safe and uses threads internally.

> Are there any restrictions / required affinity between
> paramiko objects (transport / channel ) and threads in
> which they are used ?

No, you should be able to call into paramiko from any thread. You still
need to be careful about synchronizing your own data structures, though.

When you open a new Transport in paramiko, it creates a thread devoted
to handling incoming data.
The incoming data is parsed and, if it's data for an open channel, the
data is dropped into a buffer for that channel. If any thread is waiting
for data on that channel, it will immediately be woken up.

One way to envision this is that you can open a Transport and Channel
within one thread, then immediately block on a read() call on that
channel. When the data arrives, the paramiko thread for that Transport
will drop it into the buffer for that channel, wake up the thread
blocked in read(), and that thread will immediately pull data from the
buffer and return.

robey

From robey at lag.net Fri Sep 14 19:31:41 2007
From: robey at lag.net (Robey Pointer)
Date: Fri, 14 Sep 2007 19:31:41 -0700
Subject: [paramiko] port forwarding question
In-Reply-To: <3b9f01ae0709120328o1f4e04c3l45010bd5ed6631a4@mail.gmail.com>
References: <3b9f01ae0709120328o1f4e04c3l45010bd5ed6631a4@mail.gmail.com>
Message-ID: <18D18B8C-2BA5-497D-B416-88770425D698@lag.net>

On 12 Sep 2007, at 3:28, SkoleSYS SkoleSYS wrote:

> Hi.
> My question is pretty simpel - can I do this using paramiko:
>
> ssh -l someone -L 10000:some-machine.some.domain.org:22
> some.domain.org
>
> Paramiko seems to be a large library and I just don't know where to
> start.
>
> open_forwarded_tcpip_channel seems to be the method I am looking
> for, but
> I'm not really sure how to use it, and I can't find any examples :-(

That method is for the equivalent of the "-R" option, which is a little
more complex.

The demo script "demos/forward.py" should do exactly what you want.

robey
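The `-L` forward asked about above maps onto one `direct-tcpip` channel per accepted local connection, opened with `Transport.open_channel`. The following is an added example, not part of the original messages and not paramiko's own `demos/forward.py`; all function names are hypothetical, and `LoopbackTransport` is a constructed stand-in for an authenticated `paramiko.Transport` so the block runs offline.

```python
import queue
import select
import socket
import socketserver
import threading


def parse_local_forward(spec):
    """Split an OpenSSH-style -L value: [bind_address:]port:host:hostport."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "127.0.0.1")  # like ssh, listen on loopback by default
    if len(parts) != 4:
        raise ValueError("expected [bind_address:]port:host:hostport")
    bind_addr, local_port, host, host_port = parts
    return bind_addr, int(local_port), host, int(host_port)


def relay(sock, chan):
    """Copy bytes in both directions until either side closes."""
    while True:
        readable, _, _ = select.select([sock, chan], [], [])
        for src in readable:
            data = src.recv(4096)
            if not data:
                return
            (chan if src is sock else sock).sendall(data)


def make_forward_server(transport, spec):
    """Listen locally and carry each connection over a direct-tcpip channel."""
    bind_addr, local_port, host, host_port = parse_local_forward(spec)

    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            # Ask the SSH server to connect to host:host_port on our behalf.
            chan = transport.open_channel(
                "direct-tcpip", (host, host_port), self.request.getpeername())
            if chan is None:  # the server refused the channel
                return
            try:
                relay(self.request, chan)
            finally:
                chan.close()

    class Server(socketserver.ThreadingTCPServer):
        daemon_threads = True

    return Server((bind_addr, local_port), Handler)


class LoopbackTransport:
    """Constructed stand-in: the far end of each socketpair plays the destination."""

    def __init__(self):
        self.requests = []
        self.far_ends = queue.Queue()

    def open_channel(self, kind, dest_addr, src_addr):
        near, far = socket.socketpair()
        self.requests.append((kind, dest_addr))
        self.far_ends.put(far)
        return near


def demo():
    """Push one connection through the forwarder; return what each end saw."""
    transport = LoopbackTransport()
    # Port 0 lets the OS pick a free local port for this offline run.
    server = make_forward_server(
        transport, "127.0.0.1:0:some-machine.some.domain.org:22")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=5) as client:
            client.sendall(b"hello from the local side\n")
            far = transport.far_ends.get(timeout=5)
            far.settimeout(5)
            seen_remote = far.recv(4096)
            far.sendall(b"hello from the destination\n")
            seen_local = client.recv(4096)
            far.close()
    finally:
        server.shutdown()
        server.server_close()
    return transport.requests, seen_remote, seen_local
```

With a real session, the authenticated `paramiko.Transport` is passed in place of `LoopbackTransport`; leaving the bind address at `127.0.0.1` keeps the forwarded port unreachable from other hosts.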

From robey at lag.net Fri Sep 14 19:34:55 2007
From: robey at lag.net (Robey Pointer)
Date: Fri, 14 Sep 2007 19:34:55 -0700
Subject: [paramiko] Paramiko performance doubts
In-Reply-To: <7a8c67790709101604y5e2ea296r9f08b5b1bee0818d@mail.gmail.com>
References: <7a8c67790709030803n53fb348bm40eaa8a37b8a6fbc@mail.gmail.com> <7a8c67790709101604y5e2ea296r9f08b5b1bee0818d@mail.gmail.com>
Message-ID: <44D46F78-271E-4755-8444-ABF884B67681@lag.net>

On 10 Sep 2007, at 16:04, Daniel Morilha wrote:

> Hello everyone,
>
> I developed a solution using paramiko and a similar Telnetlib class to
> access a several number of network devices in replacement of using
> Pexpect library and openssh client. It worked so well but the bad
> performance made me think in how to improve Paramiko.
>
> Is there some way to do that, for example using some C extension or
> even other library? I would like to continue using Paramiko, but in
> production environment it could be compiled in a different way. Is
> this possible? Maybe using pyOpenSSL library.

Paramiko already uses pycrypto, so the crypto code is already in C.

There's going to be extra overhead for opening an encrypted tunnel (vs.
cleartext telnet pipe) to a machine, and it's unfortunately unavoidable.
Setting up an SSL or SSH transport involves several round-trips of
handshaking at the start, which can be painful on high-latency links
(speaking from experience) but most of it really is required to make the
security aspect work.
robey

From skolesys at gmail.com Mon Sep 17 06:29:57 2007
From: skolesys at gmail.com (SkoleSYS SkoleSYS)
Date: Mon, 17 Sep 2007 15:29:57 +0200
Subject: [paramiko] port forwarding question
In-Reply-To: <18D18B8C-2BA5-497D-B416-88770425D698@lag.net>
References: <3b9f01ae0709120328o1f4e04c3l45010bd5ed6631a4@mail.gmail.com> <18D18B8C-2BA5-497D-B416-88770425D698@lag.net>
Message-ID: <3b9f01ae0709170629w587eadf8qa413fdbf2f3821ce@mail.gmail.com>

You are so right - thanks!

Best regards
Jakob

2007/9/15, Robey Pointer :
>
> On 12 Sep 2007, at 3:28, SkoleSYS SkoleSYS wrote:
>
> Hi.
> My question is pretty simple - can I do this using paramiko:
>
> ssh -l someone -L 10000:some-machine.some.domain.org:22 some.domain.org
>
>
> Paramiko seems to be a large library and I just don't know where to start.
>
> open_forwarded_tcpip_channel seems to be the method I am looking for, but
> I'm not really sure how to use it, and I can't find any examples :-(
>
>
> That method is for the equivalent of the "-R" option, which is a little
> more complex.
>
> The demo script "demos/forward.py" should do exactly what you want.
>
> robey
>

From jdsw2002 at yahoo.com Wed Sep 19 10:11:16 2007
From: jdsw2002 at yahoo.com (jd)
Date: Wed, 19 Sep 2007 10:11:16 -0700 (PDT)
Subject: [paramiko] Paramiko hang another instance.
Message-ID: <14400.7593.qm@web35805.mail.mud.yahoo.com>

Hi Everyone,

Sorry to bug you guys again. Hope to get a quick response on this one.

I am running in to the following hang.. can someone please elaborate
what might be going on ?

Basically Thread 6 is in __socket.recv in packet.py, while all other
thread seems to be waiting on it.

Why would recv block and not respect any timeouts ? or should other
thread be waiting, trying to create new SFTPClient ?

Thanks in advance.
/Jd

---- background.
Transport created in main thread.
Per thread SFTPClient gets created. (This was required to get around
garbled packets and hangs)

From robey at lag.net Sun Sep 23 23:37:32 2007
From: robey at lag.net (Robey Pointer)
Date: Sun, 23 Sep 2007 23:37:32 -0700
Subject: [paramiko] Paramiko hang another instance.
In-Reply-To: <14400.7593.qm@web35805.mail.mud.yahoo.com>
References: <14400.7593.qm@web35805.mail.mud.yahoo.com>
Message-ID:

On 19 Sep 2007, at 10:11, jd wrote:

> I am running in to the following hang.. can someone
> please elaborate what might be going on ?
>
> Basically Thread 6 is in __socket.recv in packet.py,
> while all other thread seems to be waiting on it.
>
> Why would recv block and not respect any timeouts ? or
> should other thread be waiting, trying to create new
> SFTPClient ?

A timeout is set on each python-level socket inside the Transport, so
nothing should be blocking in __socket.recv for more than about 0.1
second before a timeout occurs. You might check strace to see what else
is going on.

robey

From joe.powell at lmco.com Thu Sep 27 09:42:59 2007
From: joe.powell at lmco.com (Powell, Joe)
Date: Thu, 27 Sep 2007 12:42:59 -0400
Subject: [paramiko] automated public key auth as another user
Message-ID:

Hello. First, I would like to thank you for developing paramiko. My
question is, using paramiko, how can I login to a system using public
key (passwordless) authentication as another user without having to
create that user on my system. I have copied another user's private key
to my ~/.ssh folder with a name such as "another_user.id_rsa" and
successfully used that as the private key to log in as "another_user",
but I had to create "another_user" and its key first. I am writing a
script in which I need to log in to numerous different systems each
with a different userid--and I would much prefer to not have to create
each of these userids on my system just so I can create a key for it.
It is specified that WE must initiate all transfers, so it is not a
solution for them to give us their key and login to our system.

Thank you for any help you can provide.
Regards,
Joe Powell

From toddw at activestate.com Thu Sep 27 13:04:57 2007
From: toddw at activestate.com (Todd Whiteman)
Date: Thu, 27 Sep 2007 13:04:57 -0700
Subject: [paramiko] automated public key auth as another user
In-Reply-To:
References:
Message-ID: <46FC0CE9.2070705@activestate.com>

Powell, Joe wrote:
> Hello. First, I would like to thank you for developing paramiko. My
> question is, using paramiko, how can I login to a system using public
> key (passwordless) authentication as another user without having to
> create that user on my system.

You should never have to create the user on the local machine in order
to log into a remote machine. That sounds strange.

> I have copied another user's private key
> to my ~/.ssh folder with a name such as "another_user.id_rsa" and
> successfully used that as the private key to log in as "another_user",
> but I had to create "another_user" and its key first. I am writing a
> script in which I need to log in to numerous different systems each
> with a different userid--and I would much prefer to not have to create
> each of these userids on my system just so I can create a key for it. It
> is specified that WE must initiate all transfers, so it is not a
> solution for them to give us their key and login to our system.
>
> Thank you for any help you can provide.
> Regards,
> Joe Powell
>

If you download the paramiko zip file, you'll notice that it contains a
demos subfolder with the file "demos/demo.py", which demonstrates how to
use SSH keys to log in to a remote system.
Paramiko lets you choose which SSH keys to load, so it should be quite
straightforward to load the specified user's key and then log in to the
remote system for that particular user.

Cheers,
Todd

From joe.powell at lmco.com Fri Sep 28 07:19:44 2007
From: joe.powell at lmco.com (Powell, Joe)
Date: Fri, 28 Sep 2007 10:19:44 -0400
Subject: [paramiko] automated public key auth as another user
In-Reply-To:
Message-ID:

Todd,

Thank you for responding. Please pardon me if I am being dense. How do I
create a "specified user's key" (as you state below) without creating
that user? Here is my scenario:

A. I am user "Joe".
B. I want to login to box 10.1.1.100 as user "Bob" without having to
create a user named "Bob" on my box.
C. I append Joe's public key ~/.ssh/id_rsa.pub to
/home/Bob/.ssh/authorized_keys on 10.1.1.111. (I log in to 10.1.1.111
without a password as Joe.)
D. In my paramiko script, I am unable to log in to 10.1.1.111 as Bob
using Joe's private key file, i.e.
auth_publickey('Bob','/home/Joe/.ssh/id_rsa').

The best I can do is:
A. Create user Bob and a key for it on my box.
B. Copy the key to Joe's .ssh directory as something like 'Bobs_id_rsa'.
C. Append Bob's public key /home/Bob/.ssh/id_rsa.pub on my box to
/home/Bob/.ssh/authorized_keys on 10.1.1.111.
C. Specify Bob's private key, e.g. /home/Joe/.ssh/Bobs_id_rsa, in the
script. This works but it means I have to create Bob.

Please help me see what I am missing.

Regards,
Joe

-----Original Message-----
From: Todd Whiteman [mailto:toddw at activestate.com]
Sent: Thursday, September 27, 2007 4:05 PM
To: Powell, Joe
Cc: paramiko at green.lag.net; Smith, T; Valencik, Kenneth; Nonamaker, William T
Subject: Re: [paramiko] automated public key auth as another user

Powell, Joe wrote:
> Hello. First, I would like to thank you for developing paramiko.
> My question is, using paramiko, how can I login to a system using public
> key (passwordless) authentication as another user without having to
> create that user on my system.

You should never have to create the user on the local machine in order
to log into a remote machine. That sounds strange.

> I have copied another user's private key
> to my ~/.ssh folder with a name such as "another_user.id_rsa" and
> successfully used that as the private key to log in as "another_user",
> but I had to create "another_user" and its key first. I am writing a
> script in which I need to log in to numerous different systems each
> with a different userid--and I would much prefer to not have to create
> each of these userids on my system just so I can create a key for it.
> It is specified that WE must initiate all transfers, so it is not a
> solution for them to give us their key and login to our system.
>
> Thank you for any help you can provide.
> Regards,
> Joe Powell
>

If you download the paramiko zip file, you'll notice that it contains a
demos subfolder with the file "demos/demo.py", which demonstrates how to
use SSH keys to log in to a remote system. Paramiko lets you choose
which SSH keys to load, so it should be quite straightforward to load
the specified user's key and then log in to the remote system for that
particular user.

Cheers,
Todd

From toddw at activestate.com Fri Sep 28 10:26:20 2007
From: toddw at activestate.com (Todd Whiteman)
Date: Fri, 28 Sep 2007 10:26:20 -0700
Subject: [paramiko] automated public key auth as another user
In-Reply-To:
References:
Message-ID: <46FD393C.2040003@activestate.com>

Powell, Joe wrote:
> Todd,
>
> Thank you for responding. Please pardon me if I am being dense. How do I
> create a "specified user's key" (as you state below) without creating
> that user? Here is my scenario:
>
> A. I am user "Joe".
> B. I want to login to box 10.1.1.100 as user "Bob" without having to
> create a user named "Bob" on my box.
> C.
> I append Joe's public key ~/.ssh/id_rsa.pub to
> /home/Bob/.ssh/authorized_keys on 10.1.1.111. (I log in to 10.1.1.111
> without a password as Joe.)
> D. In my paramiko script, I am unable to log in to 10.1.1.111 as Bob
> using Joe's private key file, i.e.
> auth_publickey('Bob','/home/Joe/.ssh/id_rsa').
>
> The best I can do is:
> A. Create user Bob and a key for it on my box.
> B. Copy the key to Joe's .ssh directory as something like 'Bobs_id_rsa'.
> C. Append Bob's public key /home/Bob/.ssh/id_rsa.pub on my box to
> /home/Bob/.ssh/authorized_keys on 10.1.1.111.
> C. Specify Bob's private key, e.g. /home/Joe/.ssh/Bobs_id_rsa, in the
> script. This works but it means I have to create Bob.
>
> Please help me see what I am missing.
>
> Regards,
> Joe
>

Hi Joe,

You may want to read up on how the public/private key system works in
SSH (there are a lot of pages out there covering this):
http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html
http://sourceforge.net/docman/display_doc.php?docid=761&group_id=1

As user Joe, you should be able to setup passwordless connections
without having to add a Bob user to Joe's machine. I'd try to get this
working outside of Paramiko first, simple steps are:
http://lists.debian.org/debian-user/2007/01/msg00339.html

1. Generate Joe's public/private key "joe_key" and "joe_key.pub"
2. Add Joe's public key to Bob's "authorized_keys" file.

Now, when you want to login from Joe to Bob:

3. Joe adds *his* key file to the agent "ssh-add joe_key"
4. ssh bob at 10.1.1.100

Are you able to get the above setup working?

Cheers,
Todd

From joe.powell at lmco.com Fri Sep 28 12:27:19 2007
From: joe.powell at lmco.com (Powell, Joe)
Date: Fri, 28 Sep 2007 15:27:19 -0400
Subject: [paramiko] automated public key auth as another user
In-Reply-To: <46FD393C.2040003@activestate.com>
Message-ID:

Thanks again Todd for your response. I have good news that was a long
way for a little cookie. As not uncommon, my problem was environment
related.
I've got 7 boxes I can test with and 3 userids I can test with. Out of
this 20+ possible userid/box combinations, I chose THE one for which the
home directory of the userid had permissions set to rwxrwxrwx. Today I
(rather randomly) tried logging in as another user without a password
onto another box and was successful (my goal) and then did the same with
numerous other userids. I eventually identified that the home
directories I was successfully logging into were set to rwxr-xr-x. I
changed the permissions on the home directory on the failing userid/box
combination to rwxr-xr-x and, of course, I logged in without a password.

Thank you for your diligent assistance.

Regards,
Joe

-----Original Message-----
From: Todd Whiteman [mailto:toddw at activestate.com]
Sent: Friday, September 28, 2007 1:26 PM
To: Powell, Joe
Cc: paramiko at green.lag.net; Smith, T; Valencik, Kenneth; Nonamaker, William T
Subject: Re: [paramiko] automated public key auth as another user

Powell, Joe wrote:
> Todd,
>
> Thank you for responding. Please pardon me if I am being dense. How do
> I create a "specified user's key" (as you state below) without
> creating that user? Here is my scenario:
>
> A. I am user "Joe".
> B. I want to login to box 10.1.1.100 as user "Bob" without having to
> create a user named "Bob" on my box.
> C. I append Joe's public key ~/.ssh/id_rsa.pub to
> /home/Bob/.ssh/authorized_keys on 10.1.1.111. (I log in to 10.1.1.111
> without a password as Joe.)
> D. In my paramiko script, I am unable to
> log in to 10.1.1.111 as Bob using Joe's private key file, i.e.
> auth_publickey('Bob','/home/Joe/.ssh/id_rsa').
>
> The best I can do is:
> A. Create user Bob and a key for it on my box.
> B. Copy the key to Joe's .ssh directory as something like 'Bobs_id_rsa'.
> C. Append Bob's public key /home/Bob/.ssh/id_rsa.pub on my box to
> /home/Bob/.ssh/authorized_keys on 10.1.1.111.
> C. Specify Bob's private key, e.g. /home/Joe/.ssh/Bobs_id_rsa, in the
> script.
> This works but it means I have to create Bob.
>
> Please help me see what I am missing.
>
> Regards,
> Joe
>

Hi Joe,

You may want to read up on how the public/private key system works in
SSH (there are a lot of pages out there covering this):
http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html
http://sourceforge.net/docman/display_doc.php?docid=761&group_id=1

As user Joe, you should be able to setup passwordless connections
without having to add a Bob user to Joe's machine. I'd try to get this
working outside of Paramiko first, simple steps are:
http://lists.debian.org/debian-user/2007/01/msg00339.html

1. Generate Joe's public/private key "joe_key" and "joe_key.pub"
2. Add Joe's public key to Bob's "authorized_keys" file.

Now, when you want to login from Joe to Bob:

3. Joe adds *his* key file to the agent "ssh-add joe_key"
4. ssh bob at 10.1.1.100

Are you able to get the above setup working?

Cheers,
Todd
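The failure Joe tracked down matches OpenSSH's `StrictModes` behaviour (on by default): sshd refuses public key authentication when `authorized_keys`, `~/.ssh` or the home directory is writable by group or others, or is owned by someone other than the user or root. The following is an added example, not part of the original thread, that audits those three paths on the server side; the function names and the temporary sample home directory are constructed for illustration.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH  # the 022 bits


def audit_pubkey_paths(home, uid):
    """Apply StrictModes-style checks to home, ~/.ssh and authorized_keys.

    Returns a list of (path, mode_string, problem) tuples; empty means clean.
    """
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, None, "missing"))
            continue
        mode_string = stat.filemode(st.st_mode)
        if st.st_uid not in (0, uid):
            findings.append((path, mode_string, "not owned by the user or root"))
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append((path, mode_string, "writable by group or others"))
    return findings


def tighten(path):
    """Clear the group/other write bits, e.g. rwxrwxrwx becomes rwxr-xr-x."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~WRITABLE_BY_OTHERS)
    return stat.filemode(os.stat(path).st_mode)


def build_sample_home(root, home_mode):
    """Constructed layout for the demo: <root>/Bob/.ssh/authorized_keys."""
    home = os.path.join(root, "Bob")
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir)
    with open(keys, "w") as fh:
        fh.write("ssh-rsa CONSTRUCTED-PLACEHOLDER-KEY joe@example\n")
    os.chmod(keys, 0o600)
    os.chmod(ssh_dir, 0o700)
    os.chmod(home, home_mode)
    return home


def demo():
    """Audit a world-writable home, tighten it, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        home = build_sample_home(root, 0o777)  # the failing case in the thread
        before = audit_pubkey_paths(home, os.getuid())
        fixed_mode = tighten(home)             # the working case: rwxr-xr-x
        after = audit_pubkey_paths(home, os.getuid())
    return before, fixed_mode, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```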