1

I'm trying to login in an SFTP server using pysftp.

This is the code I'm testing:

import pysftp
cnopts = pysftp.CnOpts()
# cnopts.hostkeys = None
host = 'data-nz.metservice.com'
username = 'my_user'
password = 'my_passwd'
ciphers = ['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'aes192-cbc', 'aes256-cbc']
  
with pysftp.Connection(host, username=username, password=password,
                       port=9022, ciphers=ciphers, cnopts=cnopts) as sftp:
  
    sftp.listdir()

Note that:

  1. The server uses a non-standard port
  2. The server only uses the five listed ciphers to negotiate the connection, therefore this option is mandatory

This code fails because he host key cannot be found:

SSHException: No hostkey for host data-nz.metservice.com found.

I have read this question, and I have successfully used the workaroud of setting cnopts.hostkeys=None (see commented out line in my code). But obviously I'd like to remove this security flaw. However I don't know how to cope this exception. I have logged in using plain sftp to make sure that the required line is added to my known_hosts. This action actually added two lines (whose content is not fully clear to me, as there is not explicit reference to the the URL, but anyway...), and now sftp does not complain:

|1|l+HfDGPUhea+8cUzCS+jq2HGcBg=|XMWhbkgujRtW1lJ4E93sTidUiCs= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8N65MCdnbHjaEDxkZPPq1QO0RLwP3cdm9Gb9BAMS0mFH39d7/yHIerA6yFZRW27u3NClI7V1F3hDuheoCUomeF9Q9ioaeQ2dlX27hmGf611RpSfI/vGgnmipHYzzHsCIJi0LxuowCouKNw8g1v1e2VzsVWFPaq+cDeuUpDwpBKWnxQUWN7U9mzN1k0sDALimWOzhfQmXtCzPkHqERUcPpdU7/zWP8Xk9H7FQxgiPFa+EC5xuCzn01CcJppQ8VBqL9R6SNNP/d9ymQWh3cotXe6sj5gt2MdfbAUfxddQITW1rU+LSOkG21QPMq0VBDJwWf9RpqhnqcvusZIFVGyOsn
|1|uILdQCq4UAlxnruPlWnb7vwpWbc=|AOjbzHHXJ44ibhLVJJSGk++ep+U= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8N65MCdnbHjaEDxkZPPq1QO0RLwP3cdm9Gb9BAMS0mFH39d7/yHIerA6yFZRW27u3NClI7V1F3hDuheoCUomeF9Q9ioaeQ2dlX27hmGf611RpSfI/vGgnmipHYzzHsCIJi0LxuowCouKNw8g1v1e2VzsVWFPaq+cDeuUpDwpBKWnxQUWN7U9mzN1k0sDALimWOzhfQmXtCzPkHqERUcPpdU7/zWP8Xk9H7FQxgiPFa+EC5xuCzn01CcJppQ8VBqL9R6SNNP/d9ymQWh3cotXe6sj5gt2MdfbAUfxddQITW1rU+LSOkG21QPMq0VBDJwWf9RpqhnqcvusZIFVGyOsn

But still the host key seems not to be acknowledged from Python. Any idea what is wrong with my program?

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
Pythonist
  • 1,937
  • 1
  • 14
  • 25

1 Answers1

0

I guess the problem is that pysftp do not support custom ports when looking up the host key in the known_hosts file.

Add an entry like this:

data-nz.metservice.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8N65MCdnbHjaEDxkZPPq1QO0RLwP3cdm9Gb9BAMS0mFH39d7/yHIerA6yFZRW27u3NClI7V1F3hDuheoCUomeF9Q9ioaeQ2dlX27hmGf611RpSfI/vGgnmipHYzzHsCIJi0LxuowCouKNw8g1v1e2VzsVWFPaq+cDeuUpDwpBKWnxQUWN7U9mzN1k0sDALimWOzhfQmXtCzPkHqERUcPpdU7/zWP8Xk9H7FQxgiPFa+EC5xuCzn01CcJppQ8VBqL9R6SNNP/d9ymQWh3cotXe6sj5gt2MdfbAUfxddQITW1rU+LSOkG21QPMq0VBDJwWf9RpqhnqcvusZIFVGyOsn

Or use Paramiko directly (pysftp is a wrapper around Paramiko), as Paramiko implements the host key lookup with custom port correctly.

Some background: The codes at the beginning of your original known_hosts are hashed host[:port] identifiers. Pysftp does not use port when looking up the entry, so it does not find the correct one. If you add fake (hashed or not) entry without the custom port, pysftp will be able to find it.

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992