Paramiko gives AuthenticationException but subprocess ssh connection works

Question

I am using private key to authenticate to a server:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(host='some_host', username='root', key_file='path/to/my/private_key.txt', timeout=10, auth_timeout=3)

This code base gives the following exception (Exception only for few servers, others work):

paramiko.ssh_exception.AuthenticationException: Authentication failed.

But if I use subprocess or manual ssh with the same key connection is made:

import subprocess

host = 'some_host'
subprocess.Popen(f"ssh -i path/to/my/private_key.txt root@{host}")

What would be the difference here ?

Updated code to see the output:

Ssh output. It shows what we see after login to a server :

Access to this computer is prohibited unless authorised
Accessing programs or data unrelated to your job is prohibited

The full output of paramiko:

    ssh.connect(host, username=host_user, key_filename=key_file,timeout=10, auth_timeout=3)
  File "/home/username/lib/python3.6/site-packages/paramiko/client.py", line 446, in connect
    passphrase,
  File "/home/username/lib/python3.6/site-packages/paramiko/client.py", line 764, in _auth
    raise saved_exception
  File "/home/username/lib/python3.6/site-packages/paramiko/client.py", line 740, in _auth
    self._transport.auth_publickey(username, key)
  File "/home/username/lib/python3.6/site-packages/paramiko/transport.py", line 1580, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
  File "/home/username/lib/python3.6/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

SSH debug logs:

-bash-4.2$ ssh -vvv -i testkey.txt root@some_host
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /home/username/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 1: Applying options for *
debug1: /etc/ssh/ssh_config line 4: Deprecated option "rhostsauthentication"
debug1: /etc/ssh/ssh_config line 8: Deprecated option "fallbacktorsh"
debug1: /etc/ssh/ssh_config line 9: Deprecated option "usersh"
debug2: resolving "some_host" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to some_host [10.192.79.45] port 22.
debug1: Connection established.
debug1: key_load_private_type: No such file or directory
debug1: key_load_private_cert: Permission denied
debug1: key_load_private_cert: Permission denied
debug1: key_load_private_cert: Permission denied
debug1: key_load_private_cert: No such file or directory
debug1: key_load_private_type: Permission denied
debug1: key_load_private_type: Permission denied
debug1: key_load_private_type: Permission denied
debug1: key_load_private_type: No such file or directory
debug1: key_load_public: No such file or directory
debug1: identity file testkey.txt type -1
debug1: key_load_public: No such file or directory
debug1: identity file testkey.txt-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/identity type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/identity-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa-cert type -1
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_rsa-cert type -1
debug1: identity file /home/username/.ssh/id_rsa_6 type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_rsa_6-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/identity type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/identity-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa-cert type -1
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to some_host:22 as 'root'
debug3: hostkeys_foreach: reading file "/home/username/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/username/.ssh/known_hosts:1635
debug3: load_hostkeys: loaded 1 keys from some_host
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
debug2: MACs ctos: hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:JZi0+Jy+NbhdFdVayYV29RfDxh8F/1bQFeJl4T1fbcY
debug3: hostkeys_foreach: reading file "/home/username/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/username/.ssh/known_hosts:1635
debug3: load_hostkeys: loaded 1 keys from some_host
debug3: hostkeys_foreach: reading file "/home/username/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/username/.ssh/known_hosts:1635
debug3: load_hostkeys: loaded 1 keys from 10.192.79.45
debug1: Host 'some_host' is known and matches the ECDSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:1635
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: testkey.txt ((nil)), explicit
debug2: key: /home/username/.ssh/identity ((nil)), explicit
debug2: key: /home/username/.ssh/id_dsa ((nil)), explicit
debug2: key: /home/username/.ssh/id_rsa (0x5591dfda9850), explicit
debug2: key: /home/username/.ssh/id_rsa_6 (0x5591dfdab540), explicit
debug2: key: /home/username/.ssh/identity ((nil))
debug2: key: /home/username/.ssh/id_dsa ((nil))
debug2: key: /home/username/.ssh/id_rsa (0x5591dfdab880)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
Access to this computer is prohibited unless authorised
Accessing programs or data unrelated to your job is prohibited

debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: testkey.txt
debug3: sign_and_send_pubkey: RSA SHA256:O8QjLVLzPt4Cls7l2rEF60bh0dNvWO8DnuP1MpkY8Hs
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/username/.ssh/identity
no such identity: /home/username/.ssh/identity: No such file or directory
debug1: Trying private key: /home/username/.ssh/id_dsa
no such identity: /home/username/.ssh/id_dsa: No such file or directory
debug1: Offering RSA public key: /home/username/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering RSA public key: /home/username/.ssh/id_rsa_6
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:Ogb4AluyNRi3cJChwaXbvyZAMcwKPTrdjRi5nRV34OM
debug3: sign_and_send_pubkey: RSA SHA256:Ogb4AluyNRi3cJChwaXbvyZAMcwKPTrdjRi5nRV34OM
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to some_host ([10.192.79.45]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: exec
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: callback start
debug1: X11 forwarding requested but DISPLAY not set
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Apr 14 13:39:51 2022 from some_host_site

Paramiko logs:

    DEBUG:paramiko.transport:starting thread (client mode): 0xceaff5c0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.6.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.4
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.4)
DEBUG:paramiko.transport:kex algos:['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'arcfour'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'arcfour'] client mac:['hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-sha2-256', 'hmac-sha2-512'] server mac:['hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-sha2-256', 'hmac-sha2-512'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: curve25519-sha256@libssh.org
DEBUG:paramiko.transport:HostKey agreed: ecdsa-sha2-nistp256
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ecdsa-sha2-nistp256 host key for some_host: b'f4f54d03a1b5ac0cc2691480dbb9f942'
DEBUG:paramiko.transport:Trying discovered key b'3899ebb48e13c841e046671c45f21985' in /home/dbdoes/prakash/testkey.txt
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Auth banner: b'Access to this computer is prohibited unless authorised\nAccessing programs or data unrelated to your job is prohibited\n\n'
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying discovered key b'e8f583c82af7909eb846c5f6614bd2e5' in /home/dbdoes/.ssh/id_rsa
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
Traceback (most recent call last):
  File "para_log.py", line 15, in <module>
    output = ssh.connect(host, username=host_user, key_filename=key_file,timeout=10, auth_timeout=3)
  File "/home/username/lib/python3.6/site-packages/paramiko/client.py", line 446, in connect
    passphrase,
  File "/home/username/lib/python3.6/site-packages/paramiko/client.py", line 764, in _auth
    raise saved_exception
  File "/home/username/lib/python3.6/site-packages/paramiko/client.py", line 740, in _auth
    self._transport.auth_publickey(username, key)
  File "/home/username/lib/python3.6/site-packages/paramiko/transport.py", line 1580, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
  File "/home/username/lib/python3.6/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

Answer 1

Thank you @martinprikryl for pointing out in comment that ssh and paramiko uses different key in the code as evident from the logs.

In ~/.ssh/config file id_rsa_6 also listed as one of the key files. But paramiko didn't know that and takes the default one ~/.ssh/id_rsa.

So we need to instruct Paramiko where the key files are if any additional keys are used.

ssh.connect(host='some_host', username='root', key_file=['path/to/my/private_key.txt', '/home/username/.ssh/id_rsa_6'], timeout=10, auth_timeout=3)

In paramiko ssh.connect method key_file argument also accepts a list of key files which can be provided as a solution for this issue.