使用 Python 进行代理跳转

Posted 2023-03-23

【中文标题】使用 Python 进行代理跳转

【英文标题】：ProxyJump with Python

【发布时间】：2020-12-26 03:49:36

【问题描述】：

我想实现类似ssh -J user@host1 user@host2

host1 和 host2 都只接受通过键盘交互的身份验证，而不接受公钥或常规密码身份验证。两台主机的密码相同。这些是我无法更改的限制，因此请不要“使用 ssh 密钥”答案:)

我已经在 paramiko 中尝试过这样做（见下文），但是我愿意使用其他 python 模块来实现这一点。

import paramiko

...

client1 = paramiko.SSHClient()
client1.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client1.connect(host1, 22, username, password=password)

transport = client1.get_transport()

dest_addr = (host2, 22)
local_addr = ('127.0.0.1', 22)
channel = transport.open_channel("direct-tcpip", dest_addr, local_addr)

client2 = paramiko.SSHClient()
client2.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client2.connect(host2, username, password=password, sock=channel)

但我收到以下错误：

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/paramiko/transport.py", line 1528, in auth_password
    return self.auth_interactive(username, handler)
  File "/usr/local/lib/python3.7/site-packages/paramiko/transport.py", line 1633, in auth_interactive
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.7/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File “./myscript”, line 50, in <module>
    client2(host2, username, password=password, sock=channel)
  File "/usr/local/lib/python3.7/site-packages/paramiko/client.py", line 446, in connect
    passphrase,
  File "/usr/local/lib/python3.7/site-packages/paramiko/client.py", line 764, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.7/site-packages/paramiko/client.py", line 751, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.7/site-packages/paramiko/transport.py", line 1531, in auth_password
    raise e
  File "/usr/local/lib/python3.7/site-packages/paramiko/transport.py", line 1509, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.7/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
    raise e
paramiko.ssh_exception.BadAuthenticationType: Bad authentication type; allowed types: ['publickey', 'keyboard-interactive']

当 host1 和 host2 都使用 publickey 身份验证时，这一切都可以正常工作，但是在这个特定的示例中，我需要使用键盘交互。

编辑：

连接host2失败，paramiko日志文件内容如下：

INF [20200907-20:39:41.318] thr=1   paramiko.transport: Connected (version 2.0, client X)
INF [20200907-20:39:41.803] thr=1   paramiko.transport: Authentication (publickey) failed.
INF [20200907-20:39:41.960] thr=1   paramiko.transport: Authentication (publickey) failed.
INF [20200907-20:39:42.685] thr=1   paramiko.transport: Authentication (keyboard-interactive) successful!
INF [20200907-20:39:42.877] thr=2   paramiko.transport: Connected (version 2.0, client X)
INF [20200907-20:39:43.283] thr=2   paramiko.transport: Authentication (publickey) failed.
INF [20200907-20:39:43.444] thr=2   paramiko.transport: Authentication (publickey) failed.
INF [20200907-20:39:43.795] thr=2   paramiko.transport: Authentication (keyboard-interactive) failed.

【问题讨论】：

嗨@MartinPrikryl 我已将 paramiko 日志文件添加到问题中。我确实尝试过明确的auth_interactive，但是我不确定如何通过我打开的direct-tcpip 传输通道来做到这一点。

【参考方案1】：

没关系，原来我的第二条连接线是错误的：

client2.connect(host2, username, password=password, sock=channel)

我没有指定第二个参数是什么：

client2.connect(host2, username=username, password=password, sock=channel)

或

client2.connect(host2, 22, username, password=password, sock=channel)

两者都按预期工作。