
I'm connecting to a machine with a command like:

```
SSH myname@subname@150.25.10.10@20.35.10.10
```

Trying to figure out how to use this type of connection with Paramiko. I've tried commands like:

```
vm.connect('20.35.10.10', username='myname@subname@150.25.10.10', password='passwrd%%%')
```

This gives me an error 'authentication failed'.

Alternatively, I've tried adapting the answer from this previous Stack Overflow question: Nested SSH using Python Paramiko. However, this raises an 'authentication failed' error. The key file to connect is saved in my ~/.ssh folder and I'm able to connect through the ssh command in the shell, so I don't believe there are any issues with my key. There don't appear to be any clear instructions for connecting to a machine which requires a user@user@ip@ip format.

edit: the type of CyberArk connection is PSMP

edit: Per Martin's request, this is the output from ssh -vvv name@subname@ip@ip. As you can guess, this output has been sanitised to avoid exposing sensitive data:

C:\>ssh -vvv myname@subname@150.25.10.10@20.35.10.10
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug3: Failed to open file:C:/Users/myname/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 20.35.10.10 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 20.35.10.10 [20.35.10.10] port 22.
debug1: Connection established.
debug3: Failed to open file:C:/Users/myname/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_rsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/myname/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/myname/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\myname/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.7
debug1: match: OpenSSH_7.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 20.35.10.10:22 as 'myname@subname@150.25.10.10'
debug3: hostkeys_foreach: reading file "C:\\Users\\myname/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\myname/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 20.35.10.10
debug3: Failed to open file:C:/Users/myname/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: hostkeys_foreach: reading file "C:\\Users\\myname/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\myname/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 20.35.10.10
debug3: Failed to open file:C:/Users/myname/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: Host '20.35.10.10' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\myname/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 111111111 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 111111111 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug2: key: C:\\Users\\myname/.ssh/id_rsa (0000000000000000)
debug2: key: C:\\Users\\myname/.ssh/id_dsa (0000000000000000)
debug2: key: C:\\Users\\myname/.ssh/id_ecdsa (0000000000000000)
debug2: key: C:\\Users\\myname/.ssh/id_ed25519 (0000000000000000)
debug2: key: C:\\Users\\myname/.ssh/id_xmss (0000000000000000)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\myname/.ssh/id_rsa
debug3: no such identity: C:\\Users\\myname/.ssh/id_rsa: No such file or directory
debug1: Trying private key: C:\\Users\\myname/.ssh/id_dsa
debug3: no such identity: C:\\Users\\myname/.ssh/id_dsa: No such file or directory
debug1: Trying private key: C:\\Users\\myname/.ssh/id_ecdsa
debug3: no such identity: C:\\Users\\myname/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: C:\\Users\\myname/.ssh/id_ed25519
debug3: no such identity: C:\\Users\\myname/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: C:\\Users\\myname/.ssh/id_xmss
debug3: no such identity: C:\\Users\\myname/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
myname@subname@150.25.10.10@20.35.10.10's password: *****WHERE I ENTER MYPASSWORD*****
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to 20.35.10.10 ([20.35.10.10]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-session@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing
debug3: Successfully set console output code page from:437 to 65001
debug3: Successfully set console input code page from:437 to 65001
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkey-11@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 1111111
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98

This session is being recorded
Using username "subname".
Last login: Mon Jul 20 00:00:0 2020 from 10.100.100.222

>

This is the Paramiko output:

DEB [20200720-22:52:31.275] thr=9   paramiko.transport: starting thread (client mode): 0x11a11a11
DEB [20200720-22:52:31.281] thr=9   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.7.1
DEB [20200720-22:52:31.329] thr=9   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_7.7
INF [20200720-22:52:31.331] thr=9   paramiko.transport: Connected (version 2.0, client OpenSSH_7.7)
DEB [20200720-22:52:31.392] thr=9   paramiko.transport: kex algos:['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'] server encrypt:['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'] client mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEB [20200720-22:52:31.393] thr=9   paramiko.transport: Kex agreed: curve25519-sha256@libssh.org
DEB [20200720-22:52:31.394] thr=9   paramiko.transport: HostKey agreed: ecdsa-sha2-nistp256
DEB [20200720-22:52:31.396] thr=9   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20200720-22:52:31.397] thr=9   paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20200720-22:52:31.398] thr=9   paramiko.transport: Compression agreed: none
DEB [20200720-22:52:31.479] thr=9   paramiko.transport: kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEB [20200720-22:52:31.481] thr=9   paramiko.transport: Switch to new keys ...
DEB [20200720-22:52:31.614] thr=9   paramiko.transport: userauth is OK
INF [20200720-22:52:31.669] thr=9   paramiko.transport: Authentication (password) failed.
user2331566
  • By `SSH`, do you mean OpenSSH `ssh`? Then whole `myName@opsadmin@120.23.23.10` is a username. – Martin Prikryl Jul 19 '20 at 19:45
  • @MartinPrikryl I am connecting through OpenSSH, but primarily I connect through XShell. When I try putting that whole string as the name, like: vm.connect('175.23.24.80', username='myName@opsadmin@120.23.23.10', password='passwrd'), I get the message 'authentication failed' with Paramiko – user2331566 Jul 19 '20 at 22:28
  • Show us `ssh` verbose output (`ssh -vvv user@host`) and [Paramiko log file](https://stackoverflow.com/q/27587716/850848). – Martin Prikryl Jul 20 '20 at 07:18
  • @MartinPrikryl this is the Paramiko debug log where it fails: "DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo DEBUG:paramiko.transport:Switch to new keys ... DEBUG:paramiko.transport:Adding ssh-ed25519 host key for 150.10.100.200: b'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' DEBUG:paramiko.transport:userauth is OK INFO:paramiko.transport:Authentication (password) failed." It's strange that it would say that it's the password that failed, because it's the password that OpenSSH and XShell accept – user2331566 Jul 20 '20 at 09:49
  • @MartinPrikryl do you want me to share the verbose output via the question. Let me know and I'll do that – user2331566 Jul 20 '20 at 13:07
  • @MartinPrikryl I've added the output from the ssh -vvv command, there is a lot of details there, let me know if that's not what you were looking for – user2331566 Jul 20 '20 at 16:03
  • Please post complete Paramiko log file. And consistent information. First you claim to use `myName@opsadmin@120.23.23.10@175.23.24.80`, but your OpenSSH log files show different credentials and host name. – Martin Prikryl Jul 20 '20 at 18:22
  • @MartinPrikryl , I've edited the commands so they are consistent example of the output. The paramiko log is there also, I'm adding a bounty, would be great to see a result – user2331566 Jul 20 '20 at 22:09
  • I still see at least three different sets of credentials and hostnames in your question. + Does your password contain any special character? – Martin Prikryl Jul 21 '20 at 04:57
  • @MartinPrikryl I've combed through the output. In these comments section I mentioned another host but I can't update the comments section. In the posted question the host is always 20.35.10.10. You'll notice when I do connect there is a reference to 'Last login (timestamp) From 10.100.100.222' - this is a different ip because at this message the ip is never consistent and is always different than the connection ip specified in the ssh command (I don't understand this). And the password does have special characters – user2331566 Jul 21 '20 at 06:38
  • 1) `myName@opsadmin@150.25.10.10` at `20.35.10.10` in `ssh` example. 2) `myName@opsadmin` at `150.25.10.10@20.35.10.10` in Paramiko example. 3) `myname@subname@150.25.10.10` at `20.35.10.10` in `ssh` log. – So it's hard to tell which of these does the Paramiko log file show. – What special characters? Did you try it with a password with no special characters? – Martin Prikryl Jul 21 '20 at 06:44
  • @MartinPrikryl thanks for clarifying. I've updated this now to be consistent. It's myname@subname@150.25.10.10 for username and 20.35.10.10 for host name. The password example now has special characters, unfortunately the password has to have special characters – user2331566 Jul 21 '20 at 07:32
  • So you cannot at least try without them? What special characters? (*special* meaning anything else from English A-Z and 0-9). – Martin Prikryl Jul 21 '20 at 08:04
  • @MartinPrikryl I could try without but it would be the wrong password. The special character is @@@ – user2331566 Jul 21 '20 at 09:36
  • I'm not 100% sure this is applicable, but have you tried using this: http://docs.paramiko.org/en/stable/api/proxy.html I use that successfully to set up a "nested" ssh connection through a proxy – jlucier Jul 27 '20 at 17:03
  • Hello, I have a similar issue. My investigation led me to open this issue on Paramiko's issue tracking system: https://github.com/paramiko/paramiko/issues/1769 – mapto Nov 03 '20 at 14:56
  • I have the same problem, https://stackoverflow.com/questions/74462501/paramiko-ssh-exception-authenticationexception-username-user-idsession-idpr any solutions please !? – SALAH Nov 25 '22 at 13:31
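
Added example, not part of the original question or its comments: it splits the `ssh` target the way Martin Prikryl's first comment describes (everything before the last `@` is the username) and compares the authentication sequence in the two logs posted in the question. The function names and the dictionary layout are hypothetical; the log lines are excerpts copied from the question.

```python
import re

# Lines excerpted from the two logs in the question (not a full capture).
SSH_LOG = """\
debug1: Authenticating to 20.35.10.10:22 as 'myname@subname@150.25.10.10'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""
PARAMIKO_LOG = """\
DEB [20200720-22:52:31.614] thr=9   paramiko.transport: userauth is OK
INF [20200720-22:52:31.669] thr=9   paramiko.transport: Authentication (password) failed.
"""


def split_target(target):
    """Split at the LAST '@': the left part is the user, the right part the host."""
    user, sep, host = target.rpartition("@")
    if not sep or not user or not host:
        raise ValueError(f"not a user@host target: {target!r}")
    return user, host


def connect_kwargs(target, password):
    """Keyword arguments for paramiko.SSHClient.connect() for the same target."""
    user, host = split_target(target)
    return {"hostname": host, "username": user, "password": password}


def openssh_auth(log):
    """Extract user, host, methods tried (in order) and the method that succeeded."""
    who = re.search(r"Authenticating to (\S+):\d+ as '([^']*)'", log)
    done = re.search(r"Authentication succeeded \(([^)]+)\)", log)
    return {
        "host": who.group(1) if who else None,
        "user": who.group(2) if who else None,
        "tried": re.findall(r"Next authentication method: (\S+)", log),
        "succeeded": done.group(1) if done else None,
    }


def paramiko_auth(log):
    """Return [(method, outcome), ...] from Paramiko transport log lines."""
    return re.findall(r"Authentication \(([^)]+)\) (successful|failed)", log)


def compare(ssh_log, paramiko_log, target):
    """Check the target against the ssh log and line up both clients' results."""
    info = openssh_auth(ssh_log)
    outcomes = dict(paramiko_auth(paramiko_log))
    return {
        "target_matches_log": split_target(target) == (info["user"], info["host"]),
        "openssh_method": info["succeeded"],
        "paramiko_same_method": outcomes.get(info["succeeded"]),
    }


if __name__ == "__main__":
    target = "myname@subname@150.25.10.10@20.35.10.10"
    print(connect_kwargs(target, "<password placeholder>"))
    print(compare(SSH_LOG, PARAMIKO_LOG, target))
```

On the posted logs both clients end on the `password` method with the same username and host, so the excerpts point away from method selection or target parsing as the difference.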

0 Answers