Thank you Jeff

We've configured the logs as you suggested and discovered some issues regarding 
OpenBSD 4.9 that may be worth sharing with others ("crazy" guys that like 
to suffer :) who plan to use OpenBSD with Fabric:

Since August 2010 (http://api.libssh.org/rfc/PROTOCOL) OpenSSH started to 
support Elliptic Curve Cryptography and it seems that, when OpenBSD 4.9 
machines are involved (our case) in SSH public-key negotiation, this is the 
preferred option instead of the traditional ssh-rsa. This crashes Paramiko 
probably because it doesn't support this kind of cryptography yet. Manually 
overwriting the public key in the known_hosts file, replacing the elliptic 
curve key with the RSA one, seems to work.

For those interested, below are our fabfile test, our known_hosts file and the 
Fabric/Paramiko output in cases of success and failure.

Regards
Antonio

<fabfile.py>
import logging

import paramiko
from fabric.api import env, run, task

# Send Paramiko's debug log (key exchange, host key checks) to the console.
logger = paramiko.util.get_logger('paramiko')
logger.setLevel(logging.DEBUG)
logger.addHandler(logging.StreamHandler())

# bash is installed under /usr/local on OpenBSD.
env.shell = '/usr/local/bin/bash -l -c'

# Abort instead of connecting when the host key is not in known_hosts.
env.reject_unknown_hosts = True


@task(default=True)
def test():
    run('hostname')


<~/.ssh/known_hosts>
#10.0.1.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL7VyT5ufRzymozhp1mynf4+dDksru3BkQMd9dWbEOj+NL0aEKF5NXqoVKxVFwrwucdoErsEwv4NRxaWxJiVG4E=
10.0.1.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDblWteZNvVHs7yMLWhqL6rRKcTCE2i8utafN/F3W+cL4jDy7Ca5L1e/4vxBNRWqYvRZKLazDYeP8dxGbFoGwfjpa70Kgzmwd20RDsTeiuqHACuWWQQ/p/ben+0eOkrPExSJ2cPD8HtjPnRMw14i3X4EH9vya54UL0t+k9jMzvBOfm+hoeMv4yPUwkcUGG0J/CAnotE66mqd8jpZj9AYTJEP50H5Fj6CKwFuMOz9CIie2j9vavwnJubZ/rqjlSKrov9cIE6X3mhk14U+CY0DSqP9f0oWkmLQv6RmHETaAnVzTZyHVefkkHdocfVOAbuB/3EFlpPsmn0yxfTM4K7+/W/

<failure output with ecdsa-sha2-nistp256 key>
[fabric@fabric01:~/fabric]# fab -H 10.0.1.2
[10.0.1.2] Executing task 'test'
[10.0.1.2] run: hostname
starting thread (client mode): 0x84c856acL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 
'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 
'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server 
key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 
'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', 
'3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 
'arcfour', '[email protected]'] server encrypt:['aes128-ctr', 
'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', 
'3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 
'arcfour', '[email protected]'] client mac:['hmac-md5', 'hmac-sha1', 
'[email protected]', 'hmac-ripemd160', '[email protected]', 
'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 
'[email protected]', 'hmac-ripemd160', '[email protected]', 
'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', '[email protected]'] 
server compress:['none', '[email protected]'] client lang:[''] server lang:[''] 
kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local 
aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; 
compression: local none, remote none
Switch to new keys ...
Rejecting ssh-rsa host key for 10.0.1.2: 247ad0cd4e224fba259d694dba534c96
[10.0.1.2] Login password: 
starting thread (client mode): 0x84c85e0cL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 
'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 
'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server 
key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 
'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', 
'3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 
'arcfour', '[email protected]'] server encrypt:['aes128-ctr', 
'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', 
'3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 
'arcfour', '[email protected]'] client mac:['hmac-md5', 'hmac-sha1', 
'[email protected]', 'hmac-ripemd160', '[email protected]', 
'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 
'[email protected]', 'hmac-ripemd160', '[email protected]', 
'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', '[email protected]'] 
server compress:['none', '[email protected]'] client lang:[''] server lang:[''] 
kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local 
aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; 
compression: local none, remote none
Switch to new keys ...
Rejecting ssh-rsa host key for 10.0.1.2: 247ad0cd4e224fba259d694dba534c96

Fatal error: Unknown server 10.0.1.2

Aborting.
EOF in transport thread
EOF in transport thread

<success output with RSA key>
[fabric@fabric01:~/fabric]# fab -H 10.0.1.2
[10.0.1.2] Executing task 'test'
[10.0.1.2] run: hostname
starting thread (client mode): 0x8205c72cL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 
'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 
'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server 
key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 
'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', 
'3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 
'arcfour', '[email protected]'] server encrypt:['aes128-ctr', 
'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', 
'3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 
'arcfour', '[email protected]'] client mac:['hmac-md5', 'hmac-sha1', 
'[email protected]', 'hmac-ripemd160', '[email protected]', 
'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 
'[email protected]', 'hmac-ripemd160', '[email protected]', 
'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', '[email protected]'] 
server compress:['none', '[email protected]'] client lang:[''] server lang:[''] 
kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local 
aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; 
compression: local none, remote none
Switch to new keys ...
Trying SSH agent key 95bba2ccd9d2a304520c9e89a7c61d1b
userauth is OK
Authentication (publickey) successful!
[chan 1] Max packet in: 34816 bytes
[chan 1] Max packet out: 32768 bytes
Secsh channel 1 opened.
[chan 1] Sesch channel 1 request ok
[chan 1] Sesch channel 1 request ok
[chan 1] EOF received (1)
[chan 1] EOF sent (1)
[10.0.1.2] out: fabric02
[10.0.1.2] out: 

Done.
EOF in transport thread
Disconnecting from 10.0.1.2... done.
[fabric@fabric01:~/fabric]# 

On 21/10/2011, at 02:25, Jeff Forcier wrote:

> 2011/10/20 Antônio Theóphilo <[email protected]>:
>> (what shouldn't because we are using ssh-agent) and even when the correct 
>> password is entered, we receive "Fatal error: Unknown server 10.0.1.2" 
>> message (obviously 10.0.1.2 is on ~/.ssh/known_hosts). Is Fabric looking for 
>> a different known_hosts file? Below are my versions and the env dict output:
> 
> Both of these features are handled in the Paramiko library; it's
> possible a permissions or related issue is preventing the
> Fabric/Paramiko process from accessing your SSH files.
> 
> Paramiko logs a fair amount of stuff when it runs; try enabling the
> stdlib logging module in your fabfile, setting the level to DEBUG (see
> the Python docs for examples of this, there's one near the top of the
> logging docs page), and see if anything useful comes out.
> 
> There's not a lot we can do on our end as we simply pass the basic
> "enable/disable" settings into Paramiko when we run.
> 
> Good luck,
> Jeff
> 
> -- 
> Jeff Forcier
> Unix sysadmin; Python/Ruby engineer
> http://bitprophet.org

Antônio Theóphilo
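
Added example, not part of the original message and not Fabric or Paramiko code: a stdlib-only audit of which known_hosts entries for a host a client could actually use, the situation described above where the only stored entry was ecdsa-sha2-nistp256 while the session negotiated ssh-rsa. The CLIENT_KEY_TYPES set, the function names and the sample entries are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# Assumption: host key algorithms the client library can verify (no ECDSA).
CLIENT_KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length, then data."""
    return struct.pack(">I", len(data)) + data

def blob_key_type(blob):
    """Return the algorithm name stored at the start of a public key blob."""
    (n,) = struct.unpack(">I", blob[:4])  # struct.error if under 4 bytes
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix")
    return blob[4:4 + n].decode("ascii")

def audit_known_hosts(text, host):
    """Return (entries, usable) for host; entries are (type, md5, status)."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        # Skip blanks, comments, @cert-authority/@revoked marker lines and
        # other hosts; hashed (|1|...) names never match a plain host string.
        if len(fields) < 3 or fields[0][0] in "#@" or host not in fields[0].split(","):
            continue
        declared, b64 = fields[1], fields[2]
        try:
            blob = base64.b64decode(b64, validate=True)
            actual = blob_key_type(blob)
        except (ValueError, struct.error):  # bad base64, length or name
            entries.append((declared, None, "malformed"))
            continue
        md5 = hashlib.md5(blob).hexdigest()  # 32 hex chars, as in the debug log
        if actual != declared:
            status = "type-mismatch"
        else:
            status = "usable" if declared in CLIENT_KEY_TYPES else "unsupported-by-client"
        entries.append((declared, md5, status))
    return entries, any(s == "usable" for _, _, s in entries)

def sample_line(host, key_type, body):  # builds constructed placeholder entries
    blob = ssh_string(key_type.encode()) + body
    return "%s %s %s" % (host, key_type, base64.b64encode(blob).decode())

# Constructed sample data: placeholder blobs, not real keys.
ECDSA = sample_line("10.0.1.2", "ecdsa-sha2-nistp256", bytes(80))
RSA = sample_line("10.0.1.2", "ssh-rsa", bytes(270))
```

A host whose second return value is False has no stored key the client can match, so with reject_unknown_hosts enabled the connection is refused even though the host is listed.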

