如何使用 Python 的 Paramiko 模块通过 ssh 进入需要两个密码身份验证的服务器？

Question

如何使用 Paramiko SSH 到需要双密码身份验证的服务器？

使用特定用户时，它首先提示输入用户密码，然后提示输入另一个密码，因此我的会话需要是交互式的。 我已经使用 pexpect 模块在 Linux 上生成了一个ssh进程，但由于我无法在 Windows 中执行此操作，因此我需要一种使用 Paramiko 的方法来执行此操作。

服务器是我们的产品，是对 CentOS 稍作修改的版本。 我正在编写自动化代码来测试一些需要我通过 ssh 进入服务器并验证一些命令的功能。 我能够以 root 用户身份登录，但对于我感兴趣的用户，它要求输入第二个密码。

这是ssh -vvv命令的输出：

ssh -vvv -p2222 nobrk1n@10.213.23.112  
OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013  
debug1: Reading configuration data /etc/ssh/ssh_config  
debug1: /etc/ssh/ssh_config line 51: Applying options for *  
debug2: ssh_connect: needpriv 0  
debug1: Connecting to 10.213.23.112 [10.213.23.112] port 2222.  
debug1: Connection established.  
debug1: permanently_set_uid: 0/0  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key  
debug1: identity file /root/.ssh/id_rsa type 1  
debug1: identity file /root/.ssh/id_rsa-cert type -1  
debug1: identity file /root/.ssh/id_dsa type -1  
debug1: identity file /root/.ssh/id_dsa-cert type -1  
debug1: identity file /root/.ssh/id_ecdsa type -1  
debug1: identity file /root/.ssh/id_ecdsa-cert type -1  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_6.4  
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4  
debug1: match: OpenSSH_7.4 pat OpenSSH*  
debug2: fd 3 setting O_NONBLOCK  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com  
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  
debug2: kex_parse_kexinit: none,zlib@openssh.com  
debug2: kex_parse_kexinit: none,zlib@openssh.com  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: mac_setup: found hmac-sha2-256  
debug1: kex: server->client aes128-ctr hmac-sha2-256 none  
debug2: mac_setup: found hmac-sha2-256  
debug1: kex: client->server aes128-ctr hmac-sha2-256 none  
debug1: sending SSH2_MSG_KEX_ECDH_INIT  
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY  
debug1: Server host key: ECDSA 30:5c:e6:be:81:31:79:b8:71:80:bf:49:95:a9:79:12  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: put_host_port: [10.213.23.112]:2222  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug1: Host '[10.213.23.112]:2222' is known and matches the ECDSA host key.  
debug1: Found key in /root/.ssh/known_hosts:1  
debug1: ssh_ecdsa_verify: signature correct  
debug2: kex_derive_keys  
debug2: set_newkeys: mode 1  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug2: set_newkeys: mode 0  
debug1: SSH2_MSG_NEWKEYS received  
debug1: Roaming not allowed by server  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug2: service_accept: ssh-userauth  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug2: key: /root/.ssh/id_rsa (0x55f959096720),  
debug2: key: /root/.ssh/id_dsa ((nil)),  
debug2: key: /root/.ssh/id_ecdsa ((nil)),  
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password  
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_lookup gssapi-keyex  
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_is_enabled gssapi-keyex  
debug1: Next authentication method: gssapi-keyex  
debug1: No valid Key exchange context  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup gssapi-with-mic  
debug3: remaining preferred: publickey,keyboard-interactive,password  
debug3: authmethod_is_enabled gssapi-with-mic  
debug1: Next authentication method: gssapi-with-mic  
debug1: Unspecified GSS failure.  Minor code may provide more information  
No Kerberos credentials available (default cache: KEYRING:persistent:0)  
  
debug1: Unspecified GSS failure.  Minor code may provide more information  
No Kerberos credentials available (default cache: KEYRING:persistent:0)  
  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup publickey  
debug3: remaining preferred: keyboard-interactive,password  
debug3: authmethod_is_enabled publickey  
debug1: Next authentication method: publickey  
debug1: Offering RSA public key: /root/.ssh/id_rsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  
debug1: Trying private key: /root/.ssh/id_dsa  
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory  
debug1: Trying private key: /root/.ssh/id_ecdsa  
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory  
debug2: we did not send a packet, disable method  
debug3: authmethod_lookup password  
debug3: remaining preferred: ,password  
debug3: authmethod_is_enabled password  
debug1: Next authentication method: password  
nobrk1n@10.213.23.112's password:  
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)  
debug2: we sent a password packet, wait for reply  
debug1: Authentication succeeded (password).  
Authenticated to 10.213.23.112 ([10.213.23.112]:2222).  
debug1: channel 0: new [client-session]  
debug3: ssh_session2_open: channel_new: 0  
debug2: channel 0: send open  
debug1: Requesting no-more-sessions@openssh.com  
debug1: Entering interactive session.  
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0  
debug2: callback start  
debug2: fd 3 setting TCP_NODELAY  
debug3: packet_set_tos: set IP_TOS 0x10  
debug2: client_session2_setup: id 0  
debug2: channel 0: request pty-req confirm 1  
debug1: Sending environment.  
debug3: Ignored env XDG_SESSION_ID  
debug3: Ignored env HOSTNAME  
debug3: Ignored env TERM  
debug3: Ignored env SHELL  
debug3: Ignored env HISTSIZE  
debug3: Ignored env SSH_CLIENT  
debug3: Ignored env SSH_TTY  
debug3: Ignored env USER  
debug3: Ignored env LS_COLORS  
debug3: Ignored env MAIL  
debug3: Ignored env PATH  
debug3: Ignored env PWD  
debug1: Sending env LANG = en_US.UTF-8  
debug2: channel 0: request env confirm 0  
debug3: Ignored env HISTCONTROL  
debug3: Ignored env SHLVL  
debug3: Ignored env HOME  
debug3: Ignored env LOGNAME  
debug3: Ignored env XDG_DATA_DIRS  
debug3: Ignored env SSH_CONNECTION  
debug3: Ignored env LESSOPEN  
debug3: Ignored env XDG_RUNTIME_DIR  
debug3: Ignored env _  
debug2: channel 0: request shell confirm 1  
debug2: callback done  
debug2: channel 0: open confirm rwindow 0 rmax 32768  
debug2: channel_input_status_confirm: type 99 id 0  
debug2: PTY allocation request accepted on channel 0  
debug2: channel 0: rcvd adjust 2097152  
debug2: channel_input_status_confirm: type 99 id 0  
debug2: shell request accepted on channel 0  
Last login: Tue Dec 11 21:17:10 2018 from 10.213.23.201  
Please enter the shell password : debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
debug3: Received SSH2_MSG_IGNORE  
  
Entering shell...  
[root@atd-reg root]#

---

我无法执行这样的命令：

ssh -vvv -p2222 nobrk1n@10.213.23.112 ls

执行上述命令时，系统会提示我输入 nobrk1n 用户的密码。 但是在输入密码时它会卡住。 我已将上述命令的输出粘贴到https://pastebin.com/hSfiCmdi 。 通常我首先使用ssh -p2222 user@host ssh 进入服务器，当建立连接并成功登录时，我开始执行命令。

Answer 1

您的服务器对第一个密码使用标准密码身份验证。

只有在 shell 启动时才询问第二个密码。 简单的 I/O 就是用来做这个的。

此外，您的服务器似乎不支持“exec”接口/通道来执行命令（因为ssh user@host command不起作用）。 什么可能与“shell 密码”功能有关。 所以你可能必须使用“shell”通道来执行你的命令，否则不推荐。

ssh = paramiko.SSHClient()
ssh.connect(hostname, username = username, password = password1)
channel = ssh.invoke_shell()
channel.send(password2 + "\n")
channel.send(command + "\n")
while not channel.recv_ready():
    time.sleep(1)
out = channel.recv(9999)