
How to disable pubkey algorithms in python sshtunnel


I'm having trouble establishing an sshtunnel connection because the server does not support the rsa-sha2-512 pubkey algorithm. I can't change anything on the server. I am able to connect using paramiko but only if I use the disable_algorithms configuration argument. When I am using sshtunnel, I can't figure out how to adjust the configuration for the paramiko disable_algorithms.

import sshtunnel

with sshtunnel.open_tunnel(
    (REMOTE_SSH_IP, 22),
    ssh_username='username',
    ssh_pkey='~/.ssh/id_rsa',
    remote_bind_address=('127.0.0.1', 8080)
) as tunnel:
    print('DONE')

If I use paramiko to open an ssh session to the same machine, using the same public key, I am able to connect without an issue BUT only when I set the disabled_algorithms in the SSHClient config.

disabled_algorithms=dict(pubkeys=["rsa-sha2-512", "rsa-sha2-256"])

If I could set the same disabled_algorithms inside sshtunnel somehow then I think that would solve my problem. I have tried using ~/.ssh/config however sshtunnel does not seem to honor it, even when I set the path in the open_tunnel configuration. I still get the same errors.

ssh_config_file="~/.ssh/config"

Thanks in advance.

python 3.10.2 stdout:

ERROR:sshtunnel.SSHTunnelForwarder:Could not open connection to gateway
Traceback (most recent call last):
  File "/Users/blah/Files/Devel/TXPro/inventory/inventory/cli/test.py", line 26, in <module>
    with sshtunnel.open_tunnel(
  File "/Users/blah/.pyenv/versions/3.10.2/lib/python3.10/site-packages/sshtunnel.py", line 1608, in __enter__
    self.start()
  File "/Users/blah/.pyenv/versions/3.10.2/lib/python3.10/site-packages/sshtunnel.py", line 1331, in start
    self._raise(BaseSSHTunnelForwarderError,
  File "/Users/blah/.pyenv/versions/3.10.2/lib/python3.10/site-packages/sshtunnel.py", line 1174, in _raise
    raise exception(reason)
sshtunnel.BaseSSHTunnelForwarderError: Could not establish session to SSH gateway

paramiko 2.9.2 debug:

DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')
DEBUG:paramiko.transport:NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!
INFO:paramiko.transport:Authentication (publickey) failed.

The sshd logs - OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013:

sshd[32307]: reverse mapping checking getaddrinfo for <HIDDEN> [HIDDEN] failed - POSSIBLE BREAK-IN ATTEMPT!
sshd[32307]: userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 [preauth]
sshd[32307]: Connection closed by <HIDDEN> [preauth]

~/.ssh/config

Host *
        HostbasedAcceptedAlgorithms -rsa-sha2-256,-rsa-sha2-512
        HostKeyAlgorithms -rsa-sha2-256,-rsa-sha2-512
        PubkeyAcceptedAlgorithms -rsa-sha2-256,-rsa-sha2-512

Solution

  • With the latest version of the paramiko library, e.g. paramiko~=2.11.0, there is an issue: the RSA key is treated as a DSA key. The issue is solved by using a lower version of the library, e.g. paramiko~=2.8.1, without using the ssh config or the disabled_algorithms flag.
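The paramiko-only route the question already describes (SSHClient with `disabled_algorithms`), extended with a `direct-tcpip` channel that does the per-connection forwarding sshtunnel would do. This is an added example, not code from the question, the answer or the sshtunnel project; the gateway name, username and key path are placeholders, and the two helper names are ours.

```python
import os
from typing import Dict, Iterable, List

# Paramiko's RSA preference order, as in the question's debug log
# ("Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']").
PARAMIKO_RSA_PUBKEY_ALGOS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def pubkey_algorithms_to_disable(server_supported: Iterable[str]) -> Dict[str, List[str]]:
    """Build the `disabled_algorithms` dict paramiko accepts.

    Only algorithms the server cannot negotiate are disabled, so paramiko
    still picks the strongest one the server offers. When that leaves just
    'ssh-rsa', signatures fall back to SHA-1 (all OpenSSH 6.6 supports),
    which is a downgrade worth noting in the connection's audit record.
    """
    supported = set(server_supported) & set(PARAMIKO_RSA_PUBKEY_ALGOS)
    if not supported:
        raise ValueError("server offers none of paramiko's RSA pubkey algorithms")
    return {"pubkeys": [a for a in PARAMIKO_RSA_PUBKEY_ALGOS if a not in supported]}


def open_forwarded_channel(gateway, username, key_file, remote_bind, disabled):
    """Authenticate to the gateway with the restricted algorithm set and
    open a 'direct-tcpip' channel to remote_bind, which is what sshtunnel
    does for every forwarded connection. Returns (client, channel)."""
    import paramiko  # local import so the helper above runs without paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Reject unknown gateway host keys instead of AutoAddPolicy: a tunnel
    # endpoint is exactly where a silently accepted key would hurt most.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(gateway, port=22, username=username,
                   key_filename=os.path.expanduser(key_file),
                   disabled_algorithms=disabled, look_for_keys=False)
    channel = client.get_transport().open_channel(
        "direct-tcpip", remote_bind, ("127.0.0.1", 0))
    return client, channel


if __name__ == "__main__":
    # Constructed: the question's sshd (OpenSSH 6.6.1) knows only 'ssh-rsa'.
    disabled = pubkey_algorithms_to_disable(["ssh-rsa"])
    client, chan = open_forwarded_channel("gateway.example", "username",
                                          "~/.ssh/id_rsa", ("127.0.0.1", 8080),
                                          disabled)
    chan.sendall(b"GET / HTTP/1.0\r\n\r\n")
    print(chan.recv(4096).decode(errors="replace"))
    chan.close()
    client.close()
```

The channel object behaves like a socket, so it can be handed to whatever client code previously connected to the local port sshtunnel opened.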