Linux – Using SSH config and keys in /etc/ssh with Fabric


I am trying to use SSH keys with Fabric instead of having to enter a password each time I run fab. All of our hosts share the same /etc/ssh/ssh_known_hosts file which contains all of their public rsa keys, and I'm able to SSH without a password from one host to another.

I have to following env vars set in my

env.use_ssh_config = True
env.ssh_config_path = '/etc/ssh/ssh_config'
env.key_filename = '/etc/ssh/ssh_host_rsa_key'

I'm running fab test as root with a simple command:

def test:
    run('uname -s')

I've been through all of the docs and searched around a good bit, but I don't see examples of using the keys and configs in /etc/ssh; the examples usually show how to utilize configs and keys in ~/.ssh/, so I may be misunderstanding how to use these settings.

Here is a debug:

root@beef:~> fab test
[chicken] Executing task 'test'
[chicken] run: uname -s
DEBUG:ssh.transport:starting thread (client mode): 0x141c710L
INFO:ssh.transport:Connected (version 1.99, client OpenSSH_5.1)
DEBUG:ssh.transport:kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', '', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] server encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', '', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] client mac:['hmac-md5', 'hmac-sha1', '', 'hmac-ripemd160', '', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', '', 'hmac-ripemd160', '', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', '', 'zlib'] server compress:['none', '', 'zlib'] client lang:[''] server lang:[''] kex follows?False
DEBUG:ssh.transport:Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
DEBUG:ssh.transport:using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:ssh.transport:Switch to new keys ...
DEBUG:ssh.transport:Adding ssh-rsa host key for chicken: 56f3f71a494013976c183844d342ed1b
[chicken] Login password for 'root':

Syslog on chicken says

Jun 22 13:48:47 chicken sshd[7328]: Did not receive identification
string from 172.x.x.x

So I'm not passing the right key file or something…


I received a few troubleshooting tips from the Fabric users mailing list.

I can see that when I connect with the ssh client from my shell, the client requests a connection method of 'none' and then 'hostbased'. Fabric (or Paramiko) seems to request publickey right off the bat. Note the connection methods selected in each example:

Successful login

root@beef:~> ssh -t -i /etc/ssh/ssh_host_rsa_key chicken uname -s

root@chicken:~> /usr/sbin/sshd -d
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "root"
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: attempt 1 failures 0
debug1: userauth_hostbased: cuser root chost beef. pkalg ssh-dss slen 55
debug1: PAM: setting PAM_RHOST to "beef"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed hostbased for root from 172.x.x.x port 54623 ssh2
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: attempt 2 failures 1
debug1: userauth_hostbased: cuser root chost beef. pkalg ssh-rsa slen 271
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted hostbased for root from 172.x.x.x port 54623 ssh2

Unsuccessful login via Fabric

root@beef:~ > fab test

root@chicken:~> /usr/sbin/sshd -d
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 0 failures 0
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "beef"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for root from 172.x.x.x port 54630 ssh2

So…question: Is there any way I can specify hostbased as the preferred connection method in Fabric/Paramiko?

Best Answer

Part of the issue here was my confusion with publickey vs hostbased auth. I did ask the Fabric mailing list this question though:

Is there any way I can specify hostbased as the preferred connection method? Is it possible to set Paramiko settings in my fabfile?

One of the authors responded with:

I don't think Paramiko supports hostbased, though it's not originally my lib so I could be wrong. Certainly Fabric isn't telling it to be key-based besides giving it a key (i.e. there's no obvious "list of auth schemes to try" setting in client.connect()).

Paramiko is the python SSH module that Fabric uses. So, looks like there is no way to set the preferred auth scheme in Fabric/Paramiko. Instead of attempting to run fab as root and not get prompted for a password, I decided its best to run my commands using sudo() in my fabfile, so that I can have the audit trail in /var/log/sudo.log. This requires me to pass my sudo password as an argument anyhow.