Paramiko change breaks "connect" with string passwords between version 2.1 and 2.4 -ish

Question

This code works (using python) with Paramiko 2.1.2:

destination = '192.168.1.2'
user = 'iamtheuser'
myPassword = 'thisisthepassword'

# create ssh connection
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(destination,username=user,password=myPassword)

But does not work with Paramiko 2.4.1. The following error is thrown:

  File "C:\Users\thisuser\myfilename.py", line 23, in myfunction
    ssh.connect(destination,username=user,password=myPassword)
  File "C:\Anaconda3\lib\site-packages\paramiko\client.py", line 424, in connect
    passphrase,
  File "C:\Anaconda3\lib\site-packages\paramiko\client.py", line 701, in _auth
    self._transport.auth_password(username, password)
  File "C:\Anaconda3\lib\site-packages\paramiko\transport.py", line 1376, in aut
h_password
    self.auth_handler.auth_password(username, password, my_event)
  File "C:\Anaconda3\lib\site-packages\paramiko\auth_handler.py", line 114, in a
uth_password
    self._request_auth()
  File "C:\Anaconda3\lib\site-packages\paramiko\auth_handler.py", line 165, in _
request_auth
    self.transport._send_message(m)
  File "C:\Anaconda3\lib\site-packages\paramiko\transport.py", line 1707, in _se
nd_message
    self.packetizer.send_message(data)
  File "C:\Anaconda3\lib\site-packages\paramiko\packet.py", line 385, in send_me
ssage
    out = self.__block_engine_out.update(packet)
  File "C:\Anaconda3\lib\site-packages\cryptography\hazmat\primitives\ciphers\ba
se.py", line 149, in update
    return self._ctx.update(data)
  File "C:\Anaconda3\lib\site-packages\cryptography\hazmat\backends\openssl\ciph
ers.py", line 120, in update
    n = self.update_into(data, buf)
  File "C:\Anaconda3\lib\site-packages\cryptography\hazmat\backends\openssl\ciph
ers.py", line 131, in update_into
    "unsigned char *", self._backend._ffi.from_buffer(buf)
TypeError: from_buffer() cannot return the address of the raw string within a by
tes or unicode or bytearray object

I've tried looking at the Paramiko changelog (potentially related to bug 1039?) but quite frankly most of the troubleshooting is over my head. Any thoughts for a part-time programmer?

Log file for version 2.1.2 (works)

    DEB [20180501-08:46:58.067] thr=1   paramiko.transport: starting thread (client mode): 0x3828828
    DEB [20180501-08:46:58.068] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.1.2
    DEB [20180501-08:46:58.074] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_5.3
    INF [20180501-08:46:58.074] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_5.3)
    DEB [20180501-08:46:58.075] thr=1   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] client mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
    DEB [20180501-08:46:58.075] thr=1   paramiko.transport: Kex agreed: diffie-hellman-group1-sha1
    DEB [20180501-08:46:58.076] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
    DEB [20180501-08:46:58.076] thr=1   paramiko.transport: MAC agreed: hmac-sha2-256
    DEB [20180501-08:46:58.076] thr=1   paramiko.transport: Compression agreed: none
    DEB [20180501-08:46:58.598] thr=1   paramiko.transport: kex engine KexGroup1 specified hash_algo <built-in function openssl_sha1>
    DEB [20180501-08:46:58.599] thr=1   paramiko.transport: Switch to new keys ...
    DEB [20180501-08:46:58.600] thr=2   paramiko.transport: Adding ssh-rsa host key for <server and passkey removed>
    DEB [20180501-08:46:58.641] thr=1   paramiko.transport: userauth is OK
    INF [20180501-08:46:58.695] thr=1   paramiko.transport: Authentication (password) successful!
    DEB [20180501-08:46:58.696] thr=2   paramiko.transport: [chan 0] Max packet in: 32768 bytes
    DEB [20180501-08:46:58.701] thr=1   paramiko.transport: [chan 0] Max packet out: 32768 bytes
    DEB [20180501-08:46:58.701] thr=1   paramiko.transport: Secsh channel 0 opened.
    DEB [20180501-08:46:58.703] thr=1   paramiko.transport: [chan 0] Sesch channel 0 request ok
    DEB [20180501-08:46:58.817] thr=1   paramiko.transport: [chan 0] EOF received (0)
    DEB [20180501-08:46:58.818] thr=2   paramiko.transport: [chan 1] Max packet in: 32768 bytes
    DEB [20180501-08:46:58.819] thr=1   paramiko.transport: [chan 0] EOF sent (0)
    DEB [20180501-08:46:58.819] thr=1   paramiko.transport: [chan 1] Max packet out: 32768 bytes
    DEB [20180501-08:46:58.819] thr=1   paramiko.transport: Secsh channel 1 opened.
    DEB [20180501-08:46:58.860] thr=1   paramiko.transport: [chan 1] Sesch channel 1 request ok
    DEB [20180501-08:46:58.983] thr=1   paramiko.transport: [chan 1] EOF received (1)
    DEB [20180501-08:46:58.985] thr=3   paramiko.transport: starting thread (client mode): 0x7e17860
    DEB [20180501-08:46:58.985] thr=3   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.1.2
    DEB [20180501-08:46:58.991] thr=3   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_5.3
    INF [20180501-08:46:58.991] thr=3   paramiko.transport: Connected (version 2.0, client OpenSSH_5.3)
    DEB [20180501-08:46:58.993] thr=3   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] client mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
    DEB [20180501-08:46:58.993] thr=3   paramiko.transport: Kex agreed: diffie-hellman-group1-sha1
    DEB [20180501-08:46:58.993] thr=3   paramiko.transport: Cipher agreed: aes128-ctr
    DEB [20180501-08:46:58.993] thr=3   paramiko.transport: MAC agreed: hmac-sha2-256
    DEB [20180501-08:46:58.993] thr=3   paramiko.transport: Compression agreed: none
    DEB [20180501-08:46:59.011] thr=3   paramiko.transport: kex engine KexGroup1 specified hash_algo <built-in function openssl_sha1>
    DEB [20180501-08:46:59.012] thr=3   paramiko.transport: Switch to new keys ...
    DEB [20180501-08:46:59.013] thr=2   paramiko.transport: Adding ssh-rsa host key for <server and passkey removed>
    DEB [20180501-08:46:59.052] thr=3   paramiko.transport: userauth is OK
    INF [20180501-08:46:59.107] thr=3   paramiko.transport: Authentication (password) successful!
    DEB [20180501-08:46:59.107] thr=2   paramiko.transport: [chan 0] Max packet in: 32768 bytes
    DEB [20180501-08:46:59.111] thr=3   paramiko.transport: [chan 0] Max packet out: 32768 bytes
    DEB [20180501-08:46:59.111] thr=3   paramiko.transport: Secsh channel 0 opened.
    DEB [20180501-08:46:59.113] thr=3   paramiko.transport: [chan 0] Sesch channel 0 request ok
    DEB [20180501-08:46:59.227] thr=3   paramiko.transport: [chan 0] EOF received (0)
    DEB [20180501-08:46:59.227] thr=2   paramiko.transport: [chan 1] Max packet in: 32768 bytes
    DEB [20180501-08:46:59.228] thr=3   paramiko.transport: [chan 0] EOF sent (0)
    DEB [20180501-08:46:59.229] thr=3   paramiko.transport: [chan 1] Max packet out: 32768 bytes
    DEB [20180501-08:46:59.229] thr=3   paramiko.transport: Secsh channel 1 opened.
    DEB [20180501-08:46:59.270] thr=3   paramiko.transport: [chan 1] Sesch channel 1 request ok
    DEB [20180501-08:46:59.394] thr=3   paramiko.transport: [chan 1] EOF received (1)
    DEB [20180501-08:46:59.394] thr=3   paramiko.transport: [chan 1] EOF sent (1)
    DEB [20180501-08:46:59.395] thr=3   paramiko.transport: EOF in transport thread
    DEB [20180501-08:46:59.396] thr=4   paramiko.transport: starting thread (client mode): 0x383a4e0
    DEB [20180501-08:46:59.396] thr=4   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.1.2
    DEB [20180501-08:46:59.405] thr=4   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_5.3
    INF [20180501-08:46:59.405] thr=4   paramiko.transport: Connected (version 2.0, client OpenSSH_5.3)
    DEB [20180501-08:46:59.407] thr=4   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] client mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
    DEB [20180501-08:46:59.408] thr=4   paramiko.transport: Kex agreed: diffie-hellman-group1-sha1
    DEB [20180501-08:46:59.408] thr=4   paramiko.transport: Cipher agreed: aes128-ctr
    DEB [20180501-08:46:59.408] thr=4   paramiko.transport: MAC agreed: hmac-sha2-256
    DEB [20180501-08:46:59.408] thr=4   paramiko.transport: Compression agreed: none
    DEB [20180501-08:46:59.426] thr=4   paramiko.transport: kex engine KexGroup1 specified hash_algo <built-in function openssl_sha1>
    DEB [20180501-08:46:59.426] thr=4   paramiko.transport: Switch to new keys ...
    DEB [20180501-08:46:59.428] thr=2   paramiko.transport: Adding ssh-rsa host key for <server and passkey removed>
    DEB [20180501-08:46:59.466] thr=4   paramiko.transport: userauth is OK
    INF [20180501-08:46:59.534] thr=4   paramiko.transport: Authentication (password) successful!
    DEB [20180501-08:46:59.535] thr=2   paramiko.transport: [chan 0] Max packet in: 32768 bytes
    DEB [20180501-08:46:59.540] thr=4   paramiko.transport: [chan 0] Max packet out: 32768 bytes
    DEB [20180501-08:46:59.540] thr=4   paramiko.transport: Secsh channel 0 opened.
    DEB [20180501-08:46:59.543] thr=4   paramiko.transport: [chan 0] Sesch channel 0 request ok
    DEB [20180501-08:46:59.706] thr=4   paramiko.transport: [chan 0] EOF received (0)
    DEB [20180501-08:46:59.706] thr=2   paramiko.transport: [chan 1] Max packet in: 32768 bytes
    DEB [20180501-08:46:59.707] thr=4   paramiko.transport: [chan 0] EOF sent (0)
    DEB [20180501-08:46:59.707] thr=4   paramiko.transport: [chan 1] Max packet out: 32768 bytes
    DEB [20180501-08:46:59.707] thr=4   paramiko.transport: Secsh channel 1 opened.
    DEB [20180501-08:46:59.749] thr=4   paramiko.transport: [chan 1] Sesch channel 1 request ok
    DEB [20180501-08:46:59.929] thr=4   paramiko.transport: [chan 1] EOF received (1)
    DEB [20180501-08:46:59.930] thr=4   paramiko.transport: [chan 1] EOF sent (1)
    DEB [20180501-08:46:59.930] thr=4   paramiko.transport: EOF in transport thread

Log file for 2.4.1 (does not work)

DEB [20180501-08:48:09.289] thr=1   paramiko.transport: starting thread (client mode): 0x39216d8
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.1
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_5.3
INF [20180501-08:48:09.289] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_5.3)
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] client mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: Kex agreed: diffie-hellman-group-exchange-sha256
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: HostKey agreed: ssh-rsa
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20180501-08:48:09.289] thr=1   paramiko.transport: Compression agreed: none
DEB [20180501-08:48:09.299] thr=1   paramiko.transport: Got server p (2048 bits)
DEB [20180501-08:48:09.469] thr=1   paramiko.transport: kex engine KexGexSHA256 specified hash_algo <built-in function openssl_sha256>
DEB [20180501-08:48:09.469] thr=1   paramiko.transport: Switch to new keys ...
DEB [20180501-08:48:09.469] thr=2   paramiko.transport: Adding ssh-rsa host key for <server and passkey removed>
DEB [20180501-08:48:09.489] thr=1   paramiko.transport: EOF in transport thread

Post Paramiko log file from both versions: https://stackoverflow.com/q/27587716/850848 — Martin Prikryl, May 01 '18 at 09:34
Did you try forcing `diffie-hellman-group1-sha1` (the one that 2.1.2 uses)? E.g. by disabling `diffie-hellman-group-exchange-sha256` on the server or by editing `_preferred_kex` in Paramiko code? — Martin Prikryl, May 02 '18 at 06:20

score 1 · Accepted Answer · answered May 03 '18 at 21:20

The solution for my problem was to force the preferred key (thanks to Martin Prikryl for the tip):

paramiko.Transport._preferred_kex = ('diffie-hellman-group-exchange-sha1',)

I'm not sure if this qualifies as the correct method or rather a workaround. To sum up the solution:

Paramiko Version   "Agreed" key      Result
Client    Server   
v2.1.2    v2.1.2   diffie...-sha1    Success
v2.4.1    v2.1.2   diffie...-sha256  Fail
v2.4.1    v2.1.2   diffie...-sha1    Success (manually set preferred key)

Paramiko change breaks "connect" with string passwords between version 2.1 and 2.4 -ish

1 Answers1