37

I'm rewriting a Bash script I wrote into Python. The crux of that script was

ssh -t first.com "ssh second.com very_remote_command"

I'm having a problem with the nested authentication with paramiko. I wasn't able to find any examples dealing with my precise situation, but I was able to find examples with sudo on a remote host.

The first method writes to stdin

ssh.connect('127.0.0.1', username='jesse', password='lol')
stdin, stdout, stderr = ssh.exec_command("sudo dmesg")
stdin.write('lol\n')
stdin.flush()

The second creates a channel and uses the socket-like send and recv.

I was able to get stdin.write to work with sudo, but it doesn't work with ssh on the remote host.

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('first.com', username='luser', password='secret')
stdin, stdout, stderr = ssh.exec_command('ssh luser@second.com')
stdin.write('secret')
stdin.flush()
print '---- out ----'
print stdout.readlines()
print '---- error ----'
print stderr.readlines()

ssh.close()

...prints...

---- out ----
[]
---- error ----
['Pseudo-terminal will not be allocated because stdin is not a terminal.\r\n', 'Permission denied, please try again.\r\n', 'Permission denied, please try again.\r\n', 'Permission denied (publickey,password,keyboard-interactive).\r\n']

The pseudo-terminal error reminded me of the -t flag in my original command, so I switched to the second method, using a Channel. Instead of ssh.exec_command and later, I have:

t = ssh.get_transport()
chan = t.open_session()
chan.get_pty()
print '---- send ssh cmd ----'
print chan.send('ssh luser@second.com')
print '---- recv ----'
print chan.recv(9999)
chan = t.open_session()
print '---- send password ----'
print chan.send('secret')
print '---- recv ----'
print chan.recv(9999)

...but it prints '---- send ssh cmd ----' and just hangs until I kill the process.

I'm new to Python and none too knowledgeable about networks. In the first case, why does sending the password work with sudo but not with ssh? Are the prompts different? Is paramiko even the right library for this?

mqsoh
  • 3,180
  • 2
  • 24
  • 26

5 Answers5

33

I managed to find a solution, but it requires a little manual work. If anyone have a better solution, please tell me.

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('first.com', username='luser', password='secret')

chan = ssh.invoke_shell()

# Ssh and wait for the password prompt.
chan.send('ssh second.com\n')
buff = ''
while not buff.endswith('\'s password: '):
    resp = chan.recv(9999)
    buff += resp

# Send the password and wait for a prompt.
chan.send('secret\n')
buff = ''
while not buff.endswith('some-prompt$ '):
    resp = chan.recv(9999)
    buff += resp

# Execute whatever command and wait for a prompt again.
chan.send('ls\n')
buff = ''
while not buff.endswith('some-prompt$ '):
    resp = chan.recv(9999)
    buff += resp

# Now buff has the data I need.
print 'buff', buff

ssh.close()

The thing to note is that instead of this

t = ssh.get_transport()
chan = t.open_session()
chan.get_pty()

...you want this

chan = ssh.invoke_shell()

It reminds me of when I tried to write a TradeWars script when I was a kid and gave up coding for ten years. :)

mqsoh
  • 3,180
  • 2
  • 24
  • 26
  • i am trying to use your solution for a similar need..However ('some-prompt$ ') is not always fixed..it always has a '#' but some other content which keeps varying..how do i account for it ? – Amistad Feb 03 '15 at 14:20
  • If it ends with `#`, then change `some-prompt$ ` to `#`. However, make sure that you check for trailing white space, i.e. `...endswith('# ')` isn't the same as `...endswith('#')`. – mqsoh Feb 04 '15 at 03:49
  • would the expect utility (a TCL thing) help you out? The python equivalent is pexpect I believe... – Jimbo Nov 20 '15 at 10:10
  • I had this problem while working at a place that had no deployment procedure. I had to cat files from the production servers through a bastion host just to see what was deployed. For the past six years I've been working at places that deploy versions of code instead of a will-he nil-he deployment free-for-all. (People would literal chose which files to deploy from any version of the codebase and everyone had permission to do it.) I don't need to nest ssh sessions anymore because I can put my script on a remote host and run it there if I want. – mqsoh Nov 20 '15 at 19:50
  • Also I'm smarter. I'm pretty sure I could have done this with an ssh command. Probably at the time I didn't understand the three levels of escaping that would need to be done. – mqsoh Nov 20 '15 at 19:53
  • Set `chan.settimeout(3)` after invoking shell command if your `while` hangs and handle `socket.timeout` exception. – simno Feb 04 '16 at 15:27
  • @mqsoh what is resp = chan.recv(9999) ? – Praneeth May 09 '16 at 17:45
  • @Praneeth: `chan` is some type of socket, so `recv` just takes an arbitrary amount of data. In the docs I found out that I should of used a power of 2. Also, there's a pointless assignment. Nowadays I would have done `buff += chan.recv(4096)`. https://docs.python.org/3/library/socket.html#socket.socket.recv – mqsoh May 24 '16 at 01:01
17

Here is a small example using paramiko only (and port forwarding):

import paramiko as ssh

class SSHTool():
    def __init__(self, host, user, auth,
                 via=None, via_user=None, via_auth=None):
        if via:
            t0 = ssh.Transport(via)
            t0.start_client()
            t0.auth_password(via_user, via_auth)
            # setup forwarding from 127.0.0.1:<free_random_port> to |host|
            channel = t0.open_channel('direct-tcpip', host, ('127.0.0.1', 0))
            self.transport = ssh.Transport(channel)
        else:
            self.transport = ssh.Transport(host)
        self.transport.start_client()
        self.transport.auth_password(user, auth)

    def run(self, cmd):
        ch = self.transport.open_session()
        ch.set_combine_stderr(True)
        ch.exec_command(cmd)
        retcode = ch.recv_exit_status()
        buf = ''
        while ch.recv_ready():
            buf += ch.recv(1024)
        return (buf, retcode)

# The example below is equivalent to
# $ ssh 10.10.10.10 ssh 192.168.1.1 uname -a
# The code above works as if these 2 commands were executed:
# $ ssh -L <free_random_port>:192.168.1.1:22 10.10.10.10
# $ ssh 127.0.0.1:<free_random_port> uname -a
host = ('192.168.1.1', 22)
via_host = ('10.10.10.10', 22)

ssht = SSHTool(host, 'user1', 'pass1',
    via=via_host, via_user='user2', via_auth='pass2')

print ssht.run('uname -a')
Sinas
  • 171
  • 1
  • 3
7

You can create ssh connection using channel from another ssh connection. See here for more detail.

Community
  • 1
  • 1
David Lim
  • 81
  • 1
  • 1
1

For a ready made solution check out pxssh from the pxpect project. Look at the sshls.py and ssh_tunnel.py examples.

http://www.noah.org/wiki/Pexpect

snies
  • 3,461
  • 1
  • 22
  • 19
0

Sinas's answer works well but didn't provide all the output from very long commands for me. However, using chan.makefile() allows me to retrieve all the output.

The below works on a system that requires tty and also prompts for sudo password

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
ssh.connect("10.10.10.1", 22, "user", "password")
chan=ssh.get_transport().open_session()
chan.get_pty()
f = chan.makefile()
chan.exec_command("sudo dmesg")
chan.send("password\n")
print f.read()
ssh.close()
user2945126
  • 1