I sent this to the mailing list several months ago, but I never got a response.
I'm experiencing trouble trying to get a paramiko.SSHClient to connect without trying to access my private key.
I realize that there is a parameter, look_for_keys, which is True by default. I am setting it to False and am still receiving prompts to decrypt my private key. If GNOME has already placed the key on its keyring for the current session, paramiko will access the key and presumably not use it, because I am able to successfully make connections to my local machine in addition to remote SSH-enabled servers.
Here is code that reproduces my problem without fail on two (very similar, but separate) machines:
import getpass
import paramiko
username = 'brian'
password = getpass.getpass()
host = 'localhost'
port = 22
ssh_client = paramiko.SSHClient()
ssh_client.load_system_host_keys()
ssh_client.set_missing_host_key_policy(paramiko.WarningPolicy())
ssh_client.connect(host, port, username, password, look_for_keys=False)
After the final line in the code above, I am prompted to decrypt my key if GNOME doesn't already have it. When I cancel the prompt, I receive the following traceback from my IPython console:
SSHException Traceback (most recent call last)
/home/brian/<ipython console> in <module>()
/usr/local/lib/python2.6/dist-packages/paramiko/client.pyc in connect(self, hostname, port, username, password, pkey, key_filename, timeout, allow_agent, look_for_keys)
325 else:
326 key_filenames = key_filename
--> 327 self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
328
329 def close(self):
/usr/local/lib/python2.6/dist-packages/paramiko/client.pyc in _auth(self, username, password, pkey, key_filenames, allow_agent, look_for_keys)
479 # if we got an auth-failed exception earlier, re-raise it
480 if saved_exception is not None:
--> 481 raise saved_exception
482 raise SSHException('No authentication methods available')
483
SSHException: No existing session
I began looking for the problem but didn't delve too deeply. In paramiko/client.py, on line 478 (http://github.com/robey/paramiko/blob/master/paramiko/client.py#L478), there seems to be a function call which eventually leads to some function call that I assume causes the private key to be solicited.
Both of the machines that I mentioned always reproduce this problem are running Ubuntu 10.04 LTS (Lucid Lynx) x86_64 with Python 2.6.5, the version from the Ubuntu repositories. I have not tested it under any other environments. Paramiko is 1.7.6.
Am I doing something incorrectly, or is this a bug? Like I said, it does connect, but probably not with the SSH key, because none of the machines that I've connected to with paramiko used that form of authentication.
With further testing, I've discovered that public key authentication is used even if look_for_keys is False; it is not just opened and ignored. I set up another computer to only accept authentication over SSH via keys, and ssh_client.connect(host, port, username, password, look_for_keys=False)
, when the private key file was unlocked, successfully connected to the host.