Paramiko AuthenticationException issue

It's really a old and remote issue, but I just got the same error and I think It'll be helpful to list the following info:

  1. I'm using paramiko 2.9.1 and python>=3.6, make sure your paramiko>=2.9.0
  2. cmd ssh <hostname> works fine
  3. Code below get error: AuthenticationException: Authentication failed.
import paramiko
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
session = client.connect("<hostname>")

From here https://github.com/paramiko/paramiko/issues/1984, I know this is a bug related to auth algorithms.

You'll need to add a disabled_algorithms param in connect(), see docs here: https://www.paramiko.org/changelog.html#2.9.0

But the changelog of 2.9.0 has a typo for disabled_algorithms, it should be:

client.connect("<hostname>", disabled_algorithms={'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']})

instead of:

client.connect("<hostname>", disabled_algorithms={'keys': ['rsa-sha2-256', 'rsa-sha2-512']})

Finally, all goes well.

Ps: Just got error Unable to agree on a pubkey algorithm for signing a 'ssh-rsa' key! for other hosts, may be downgrade paramiko below 2.9.0 is a better way.


The ssh server on the remote device denied your authentication. Make sure you're using the correct key, the public key is present in authorized_keys, .ssh directory permissions are correct, authorized_keys permissions are correct, and the device doesn't have any other access restrictions. It hard to say what's going on without logs from the server.

[EDIT] I just looked back through your output, you are authenticating using None authentication. This usually isn't ever permitted, and is used to determine what auth methods are allowed by the server. It's possible your server is using host based authentication (or none at all!).

Since auth_none() is rarely used, it's not accessible from the SSHClient class, so you will need to use Transport directly.

transport.auth_none('root') 

As a very late follow-up on this matter, I believe I was running into the same issue as waffleman, in a context of a confined network.

The hint about using auth_none on the Transport object turned out quite helpful, but I found myself a little puzzled as to how to implement that. Thing is, as of today at least, I can't get the Transport object of an SSHClient object until it has connected; but it won't connect in the first place...

So In case this is useful to others, my work around is below. I just override the _auth method.

OK, this is fragile, as _auth is a private thing. My other alternatives were - actually still are - to manually create the Transport and Channel objects, but for the time being I feel like I'm much better off with all this still under the hood.

from paramiko import SSHClient, BadAuthenticationType

class SSHClient_try_noauth(SSHClient):

    def _auth(self, username, *args):
        try:
            self._transport.auth_none(username)
        except BadAuthenticationType:
            super()._auth(username, *args)