python - 如何使用 Python 的 Paramiko 模块 ssh 到需要两次密码身份验证的服务器？

Question

如何使用 Paramiko ssh 到需要双重密码身份验证的服务器？

当使用特定用户时，它首先提示输入用户密码，然后提示输入另一个密码，因此我的 session 需要是交互式的。我已经使用 pexpect 模块完成了相同的操作，在 Linux 上生成 ssh 进程，但由于我无法在 Windows 中执行此操作，所以我需要一种使用 Paramiko 来执行此操作的方法。

服务器是我们的产品，是CentOS的稍微修改版本。我正在编写自动化代码来测试一些功能，这需要我通过 ssh 进入服务器并验证一些命令。我能够以 root 用户身份登录，但对于我感兴趣的用户，它会要求输入第二个密码。

这是 ssh -vvv 命令的输出:

ssh -vvv -p2222 nobrk1n@10.213.23.112  OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013  debug1: Reading configuration data /etc/ssh/ssh_config  debug1: /etc/ssh/ssh_config line 51: Applying options for *  debug2: ssh_connect: needpriv 0  debug1: Connecting to 10.213.23.112 [10.213.23.112] port 2222.  debug1: Connection established.  debug1: permanently_set_uid: 0/0  debug3: Incorrect RSA1 identifier  debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key  debug1: identity file /root/.ssh/id_rsa type 1  debug1: identity file /root/.ssh/id_rsa-cert type -1  debug1: identity file /root/.ssh/id_dsa type -1  debug1: identity file /root/.ssh/id_dsa-cert type -1  debug1: identity file /root/.ssh/id_ecdsa type -1  debug1: identity file /root/.ssh/id_ecdsa-cert type -1  debug1: Enabling compatibility mode for protocol 2.0  debug1: Local version string SSH-2.0-OpenSSH_6.4  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4  debug1: match: OpenSSH_7.4 pat OpenSSH*  debug2: fd 3 setting O_NONBLOCK  debug3: put_host_port: [10.213.23.112]:2222  debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  debug3: load_hostkeys: loaded 1 keys  debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521  debug1: SSH2_MSG_KEXINIT sent  debug1: SSH2_MSG_KEXINIT received  debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss  debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit: first_kex_follows 0  debug2: kex_parse_kexinit: reserved 0  debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519  debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com  debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com  debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512  debug2: kex_parse_kexinit: none,zlib@openssh.com  debug2: kex_parse_kexinit: none,zlib@openssh.com  debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit: first_kex_follows 0  debug2: kex_parse_kexinit: reserved 0  debug2: mac_setup: found hmac-sha2-256  debug1: kex: server->client aes128-ctr hmac-sha2-256 none  debug2: mac_setup: found hmac-sha2-256  debug1: kex: client->server aes128-ctr hmac-sha2-256 none  debug1: sending SSH2_MSG_KEX_ECDH_INIT  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY  debug1: Server host key: ECDSA 30:5c:e6:be:81:31:79:b8:71:80:bf:49:95:a9:79:12  debug3: put_host_port: [10.213.23.112]:2222  debug3: put_host_port: [10.213.23.112]:2222  debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  debug3: load_hostkeys: loaded 1 keys  debug3: load_hostkeys: loading entries for host "[10.213.23.112]:2222" from file "/root/.ssh/known_hosts"  debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1  debug3: load_hostkeys: loaded 1 keys  debug1: Host '[10.213.23.112]:2222' is known and matches the ECDSA host key.  debug1: Found key in /root/.ssh/known_hosts:1  debug1: ssh_ecdsa_verify: signature correct  debug2: kex_derive_keys  debug2: set_newkeys: mode 1  debug1: SSH2_MSG_NEWKEYS sent  debug1: expecting SSH2_MSG_NEWKEYS  debug2: set_newkeys: mode 0  debug1: SSH2_MSG_NEWKEYS received  debug1: Roaming not allowed by server  debug1: SSH2_MSG_SERVICE_REQUEST sent  debug2: service_accept: ssh-userauth  debug1: SSH2_MSG_SERVICE_ACCEPT received  debug2: key: /root/.ssh/id_rsa (0x55f959096720),  debug2: key: /root/.ssh/id_dsa ((nil)),  debug2: key: /root/.ssh/id_ecdsa ((nil)),  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password  debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password  debug3: authmethod_lookup gssapi-keyex  debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password  debug3: authmethod_is_enabled gssapi-keyex  debug1: Next authentication method: gssapi-keyex  debug1: No valid Key exchange context  debug2: we did not send a packet, disable method  debug3: authmethod_lookup gssapi-with-mic  debug3: remaining preferred: publickey,keyboard-interactive,password  debug3: authmethod_is_enabled gssapi-with-mic  debug1: Next authentication method: gssapi-with-mic  debug1: Unspecified GSS failure.  Minor code may provide more information  No Kerberos credentials available (default cache: KEYRING:persistent:0)    debug1: Unspecified GSS failure.  Minor code may provide more information  No Kerberos credentials available (default cache: KEYRING:persistent:0)    debug2: we did not send a packet, disable method  debug3: authmethod_lookup publickey  debug3: remaining preferred: keyboard-interactive,password  debug3: authmethod_is_enabled publickey  debug1: Next authentication method: publickey  debug1: Offering RSA public key: /root/.ssh/id_rsa  debug3: send_pubkey_test  debug2: we sent a publickey packet, wait for reply  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  debug1: Trying private key: /root/.ssh/id_dsa  debug3: no such identity: /root/.ssh/id_dsa: No such file or directory  debug1: Trying private key: /root/.ssh/id_ecdsa  debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory  debug2: we did not send a packet, disable method  debug3: authmethod_lookup password  debug3: remaining preferred: ,password  debug3: authmethod_is_enabled password  debug1: Next authentication method: password  nobrk1n@10.213.23.112's password:  debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)  debug2: we sent a password packet, wait for reply  debug1: Authentication succeeded (password).  Authenticated to 10.213.23.112 ([10.213.23.112]:2222).  debug1: channel 0: new [client-session]  debug3: ssh_session2_open: channel_new: 0  debug2: channel 0: send open  debug1: Requesting no-more-sessions@openssh.com  debug1: Entering interactive session.  debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0  debug2: callback start  debug2: fd 3 setting TCP_NODELAY  debug3: packet_set_tos: set IP_TOS 0x10  debug2: client_session2_setup: id 0  debug2: channel 0: request pty-req confirm 1  debug1: Sending environment.  debug3: Ignored env XDG_SESSION_ID  debug3: Ignored env HOSTNAME  debug3: Ignored env TERM  debug3: Ignored env SHELL  debug3: Ignored env HISTSIZE  debug3: Ignored env SSH_CLIENT  debug3: Ignored env SSH_TTY  debug3: Ignored env USER  debug3: Ignored env LS_COLORS  debug3: Ignored env MAIL  debug3: Ignored env PATH  debug3: Ignored env PWD  debug1: Sending env LANG = en_US.UTF-8  debug2: channel 0: request env confirm 0  debug3: Ignored env HISTCONTROL  debug3: Ignored env SHLVL  debug3: Ignored env HOME  debug3: Ignored env LOGNAME  debug3: Ignored env XDG_DATA_DIRS  debug3: Ignored env SSH_CONNECTION  debug3: Ignored env LESSOPEN  debug3: Ignored env XDG_RUNTIME_DIR  debug3: Ignored env _  debug2: channel 0: request shell confirm 1  debug2: callback done  debug2: channel 0: open confirm rwindow 0 rmax 32768  debug2: channel_input_status_confirm: type 99 id 0  debug2: PTY allocation request accepted on channel 0  debug2: channel 0: rcvd adjust 2097152  debug2: channel_input_status_confirm: type 99 id 0  debug2: shell request accepted on channel 0  Last login: Tue Dec 11 21:17:10 2018 from 10.213.23.201  Please enter the shell password : debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE  debug3: Received SSH2_MSG_IGNORE    Entering shell...  [root@atd-reg root]# 

---

I am not able to execute commands like this:

ssh -vvv -p2222 nobrk1n@10.213.23.112 ls

执行上述命令时，系统会提示我输入 nobrk1n 用户的密码。但是输入密码后就卡住了。我已将上述命令的输出粘贴到 https://pastebin.com/hSfiCmdi 处。通常我首先使用 ssh -p2222 user@host ssh 到服务器，当建立连接并且我成功登录时，我开始执行命令。

Answer 1

您的服务器对第一个密码使用标准密码身份验证。

仅在 shell 启动时才会询问第二个密码。为此使用简单的 I/O。

此外，您的服务器似乎不支持“exec”接口(interface)/ channel 来执行命令(因为 ssh user@host 命令不起作用)。可能与“shell密码”功能有关。因此，您可能必须使用“shell” channel 来执行命令，否则不推荐(请参阅What is the difference between exec_command and send with invoke_shell() on Paramiko?)。

ssh = paramiko.SSHClient()
ssh.connect(hostname, username = username, password = password1)
channel = ssh.invoke_shell()
channel.send(password2 + "\n")
channel.send(command + "\n")
while not channel.recv_ready():
    time.sleep(1)
out = channel.recv(9999)