duplicity hangs on "ssh: Switch to new keys ..."

Question

I would like to backup a local directory to a remote server using duplicity 0.7.06 (installed via apt on Ubuntu 16.04.5 LTS). A user account with ~/.ssh/authorized_keys file is set up on the remote server.

The duplicity command line is as follows:

duplicity full --verbosity debug /local/folder scp://remoteuser@remotehost/backup

The debug output of duplicity is:

Using archive dir: /foo/bar/.cache/duplicity/bedacf3ab67835c3d614d3773c672c53
Using backup name: bedacf3ab67835c3d614d3773c672c53
Import of duplicity.backends.azurebackend Succeeded
Import of duplicity.backends.b2backend Succeeded
Import of duplicity.backends.botobackend Succeeded
Import of duplicity.backends.cfbackend Succeeded
Import of duplicity.backends.copycombackend Succeeded
Import of duplicity.backends.dpbxbackend Succeeded
Import of duplicity.backends.gdocsbackend Succeeded
Import of duplicity.backends.giobackend Succeeded
Import of duplicity.backends.hsibackend Succeeded
Import of duplicity.backends.hubicbackend Succeeded
Import of duplicity.backends.imapbackend Succeeded
Import of duplicity.backends.lftpbackend Succeeded
Import of duplicity.backends.localbackend Succeeded
Import of duplicity.backends.megabackend Succeeded
Import of duplicity.backends.multibackend Succeeded
Import of duplicity.backends.ncftpbackend Succeeded
Import of duplicity.backends.onedrivebackend Succeeded
Import of duplicity.backends.par2backend Succeeded
Import of duplicity.backends.pydrivebackend Succeeded
Import of duplicity.backends.rsyncbackend Succeeded
Import of duplicity.backends.ssh_paramiko_backend Succeeded
Import of duplicity.backends.ssh_pexpect_backend Succeeded
Import of duplicity.backends.swiftbackend Succeeded
Import of duplicity.backends.sxbackend Succeeded
Import of duplicity.backends.tahoebackend Succeeded
Import of duplicity.backends.webdavbackend Succeeded
ssh: starting thread (client mode): 0x5e398850L
ssh: Local version/idstring: SSH-2.0-paramiko_1.16.0
ssh: Remote version/idstring: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3
ssh: Connected (version 2.0, client OpenSSH_7.4p1)
ssh: kex algos:[u'curve25519-sha256', u'curve25519-sha256@libssh.org', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group16-sha512', u'diffie-hellman-group18-sha512', u'diffie-hellman-group14-sha256', u'diffie-hellman-group14-sha1'] server key:[u'ssh-rsa', u'rsa-sha2-512', u'rsa-sha2-256', u'ecdsa-sha2-nistp256', u'ssh-ed25519'] client encrypt:[u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com'] server encrypt:[u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com'] client mac:[u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] server mac:[u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] client compress:[u'none', u'zlib@openssh.com'] server compress:[u'none', u'zlib@openssh.com'] client lang:[u''] server lang:[u''] kex follows?False
ssh: Kex agreed: diffie-hellman-group-exchange-sha256
ssh: Cipher agreed: aes128-ctr
ssh: MAC agreed: hmac-sha2-256
ssh: Compression agreed: none
ssh: Got server p (2048 bits)
ssh: kex engine KexGexSHA256 specified hash_algo <built-in function openssl_sha256>
/usr/lib/python2.7/dist-packages/Crypto/Cipher/blockalgo.py:141: FutureWarning: CTR mode needs counter parameter, not IV
  self._cipher = factory.new(key, *args, **kwargs)
ssh: Switch to new keys ...

After waiting for a while, one more line appears:

ssh: EOF in transport thread

I can manually connect via SSH to the remote server without specifying a password using:

ssh remoteuser@remotehost

I can also copy files via scp without specifying a password:

scp /some/file remoteuser@remotehost:/home/remoteuser/backup

So this seems to be a problem with duplicity or paramiko.

According to the "A note on SSH backends" manual section, I tried various SSH backends in the duplicity command line:

paramiko+scp

Results in the problem described above.

paramiko+sftp

Results in the problem described above.

pexpect+scp

ImportError: No module named pexpect

pexpect+sftp

ImportError: No module named pexpect

lftp+scp:

This works after installing lftp, however, it requires password authentication and the authorized key does not work as intended.

Answer 1

paramiko 1.16 and duplicity 0.7.06 are quite old. try to upgrade to the latest greatest (paramiko 1.18.x or 2.4.x and duplicity 0.7.18.x) and see if the issue resolves. smells like a paramiko issue.

if not, install python-pexpect and use the ssh backend utilizing the openssh binaries, that should work if it is working on the command line fine.

..ede/duply.net