I am trying to open an ssh tunnel from Python, but I can't seem to get the syntax right.
Essentially, I want to do the following, but from Python:
ssh -i /path/to/my/private.ca.key -L 3306:127.0.0.1:3306 [email protected]
When I type that line directly into bash, it works fine.
My Python code looks like this:
import logging
from sshtunnel import SSHTunnelForwarder
logging.basicConfig(level=logging.DEBUG)
# Path to the private key file
private_key_path = '/path/to/my/private.ca.key'
# Establish SSH tunnel
server = SSHTunnelForwarder(
    'ourserver.com',
    ssh_username='user',
    ssh_pkey=private_key_path,
    remote_bind_address=('127.0.0.1', 3306),
    local_bind_address=('127.0.0.1', 3306)
)
server.start()
Here is my output:
DEBUG:paramiko.transport:starting thread (client mode): 0x79d3c9d0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_3.4.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_9.2p1)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: [email protected], curve25519-sha256, [email protected], ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, [email protected]
DEBUG:paramiko.transport:server key: rsa-sha2-512, rsa-sha2-256, [email protected], [email protected]
DEBUG:paramiko.transport:client encrypt: [email protected], aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected]
DEBUG:paramiko.transport:server encrypt: [email protected], aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected]
DEBUG:paramiko.transport:client mac: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:server mac: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:client compress: none, [email protected]
DEBUG:paramiko.transport:server compress: none, [email protected]
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Strict kex mode: True
DEBUG:paramiko.transport:Kex: [email protected]
DEBUG:paramiko.transport:HostKey: rsa-sha2-512
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:Resetting outbound seqno after NEWKEYS due to strict mode
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Resetting inbound seqno after NEWKEYS due to strict mode
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'ssh-ed25519,[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512', '[email protected]': b'0'}
DEBUG:paramiko.transport:Attempting public-key auth...
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
2024-08-26 16:12:00,129| ERROR | Could not open connection to gateway
ERROR:sshtunnel.SSHTunnelForwarder:Could not open connection to gateway
Traceback (most recent call last):
  File "[filename].py", line 18, in <module>
    server.start()
  File ".../site-packages/sshtunnel.py", line 1331, in start
    self._raise(BaseSSHTunnelForwarderError,
  File ".../site-packages/sshtunnel.py", line 1174, in _raise
    raise exception(reason)
sshtunnel.BaseSSHTunnelForwarderError: Could not establish session to SSH gateway
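My private key uses the "ssh-rsa" algorithm, and the server appears to confirm that it understands that algorithm during negotiation, per the following line: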
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'ssh-ed25519,[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512', '[email protected]': b'0'}
I did eventually get it working.
I tried a basic paramiko connection using the following code:
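import paramiko

ssh_hostname = 'ourserver.com'
ssh_port = 22  # default SSH port; the ssh command above does not pass -p
ssh_username = 'user'
private_key_path = '/path/to/private.rsa.key'

# Load the RSA private key from file
key = paramiko.RSAKey.from_private_key_file(private_key_path)

client = paramiko.SSHClient()
# AutoAddPolicy accepts an unknown host key without verifying it
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# look_for_keys=False: offer only the key passed via pkey
client.connect(ssh_hostname, ssh_port, username=ssh_username, pkey=key, look_for_keys=False, compress=True)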
My original key file started with the following line:
-----BEGIN PRIVATE KEY-----
The paramiko library did not like that key, but it did like it after I converted it with the following command (this will overwrite your key file):
ssh-keygen -p -m PEM -f /path/to/private.rsa.key
Now my key starts with the line below, which paramiko is happier with.
-----BEGIN RSA PRIVATE KEY-----
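The underlying key is the same, but it is now encrypted differently.
My key is signed with a certificate, which means my public key does not need to be in the "authorized_keys" file on the remote host for command-line ssh to work. However, paramiko does not seem to pick up the certificate. There may be a way around this, but my quick workaround was to put my public key in the "authorized_keys" file on that host.
If I figure out how to configure paramiko to recognise the certificate, that would be a better solution, and I may update this post.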
Downgrading paramiko did not help. My solution works with
pip install paramiko==3.4.1
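Added example (not part of the original post): a standard-library check that reports which container format a private-key file uses, whether other users can read it, and whether an OpenSSH certificate sits next to it under the `<keyfile>-cert.pub` name that command-line ssh looks for. The `needs_conversion` flag is an assumption drawn from this post's observation with paramiko 3.4.1; the function names and sample files are constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

# PEM label -> container format. Per the post, paramiko 3.4.1 rejected the
# PKCS#8 label and accepted the traditional RSA label.
PEM_LABELS = {
    "PRIVATE KEY": "PKCS#8, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8, passphrase-protected",
    "RSA PRIVATE KEY": "traditional PEM (PKCS#1) RSA",
    "EC PRIVATE KEY": "traditional PEM (SEC1) ECDSA",
    "OPENSSH PRIVATE KEY": "OpenSSH native",
}


def inspect_private_key(path):
    """Report container format, permissions and companion certificate."""
    path = Path(path)
    label = None
    for line in path.read_text(errors="replace").splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label = line[len("-----BEGIN "):-len("-----")]
            break
    cert = Path(str(path) + "-cert.pub")  # OpenSSH certificate naming convention
    return {
        "label": label,
        "container": PEM_LABELS.get(label, "unrecognised"),
        # Assumption from the post: PKCS#8 files needed `ssh-keygen -p -m PEM`
        "needs_conversion": label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"),
        "others_can_read": bool(stat.S_IMODE(path.stat().st_mode) & 0o077),
        "certificate": str(cert) if cert.is_file() else None,
    }


def demo():
    """Run the check on constructed placeholder files (no real key material)."""
    with tempfile.TemporaryDirectory() as d:
        pkcs8 = Path(d, "private.ca.key")
        pkcs8.write_text("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")
        pkcs8.chmod(0o644)
        Path(d, "private.ca.key-cert.pub").write_text(
            "ssh-rsa-cert-v01@openssh.com AAAA constructed\n")
        pem = Path(d, "private.rsa.key")
        pem.write_text("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
        pem.chmod(0o600)
        return inspect_private_key(pkcs8), inspect_private_key(pem)


if __name__ == "__main__":
    for report in demo():
        print(report)
```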