Public key authentication fails with Ubuntu 22.04 LTS servers

Question

Public key authentication fails with Ubuntu 22.04 LTS servers

Closed this issue a year ago · 4 comments

Steps to replicate:

Create a virtual server running Ubuntu 22.04 LTS and configure with an appropriate keypair (I have replicated this on instances running on both DigitalOcean and AWS)

Create a minimal fabfile:

from fabric.api import env, run, task

env.host_string = "X.X.X.X"  # replace with IP address of your instance
env.user = "myuser"  # replace with the username on the instance

@task
def hello():
    run("echo hello")

Execute fab hello

Expected result:

The instance executes the hello command on the remote server and then disconnects

Actual result:

Authentication fails and the user is prompted to enter a password

➜ ~ fab hello
[X.X.X.X] run: echo hello
Connect error: Authentication failed.
[X.X.X.X] Login password for 'myuser':

If I follow these same steps, but instead try it on a Ubuntu 20.04 LTS server it works correctly. I haven't tried this with any non-LTS releases.

Versions:

Local machine:

➜ ~ fab --version
fab-classic 1.19.2
paramiko-ng 2.8.10
Python 3.11.4

I get the same result with other versions of Python too (e.g. 3.8.x).

Remote machine:

myuser@X.X.X.X:~# ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022

Answer 1 · 2023-07-19T15:54:24.000Z

Some extra info after further testing.

I tried this with upstream paramiko (by using the PARAMIKO_REPLACE=1 setting, to get the following versions

~ fab --version
fab-classic 1.19.2
Paramiko 3.2.0
Python 3.11.4

With upstream paramiko, it works correctly, giving the expected result:

➜ ~ fab hello
[X.X.X.X] run: echo hello
[X.X.X.X] out: hello
[X.X.X.X] out: 


Done.
Disconnecting from X.X.X.X ... done.

In working this out I also discovered that this was already reported in ploxiln/paramiko-ng#130 🤦‍♂️

Whilst this workaround does give the desired behaviour, it's still a problem in the default out-of-the-box installation.

Answer 2 · 2023-08-14T02:50:13.000Z

Yup, this is a paramiko-ng issue.

The work-around, if not just use upstream paramiko instead, is to use a different key type, like ed25519 or ecdsa.

Answer 3 · 2023-08-14T15:01:30.000Z

Yup, this is a paramiko-ng issue.

The work-around, if not just use upstream paramiko instead

That's what we've had to do in our code, but it's not ideal as the PARAMIKO_REPLACE=1 trick doesn't play nicely with requirements files

use a different key type, like ed25519 or ecdsa

This is a possibility, but the RSA is default key type in many SSH installs, so does represent a slight inconvenience in set up.

I guess the long-term "fix" is deciding whether paramiko-ng should still be the default at this point now that paramiko has become more active, but that's a decision for a separate issue.

Answer 4 · 2023-09-04T23:43:00.000Z

Same issue here. Any reason to prefer paramiko-ng to paramiko?
environment variable trick does not work with tools like poetry, pip-tools, pipenv making really hard to use this package