使用pysftp验证主机密钥 | 使用pysftp验证主机密钥

本文介绍了使用pysftp验证主机密钥的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我正在使用pysftp编写程序，它想针对C:\Users\JohnCalvin\.ssh\known_hosts验证SSH主机密钥.

I am writing a program using pysftp, and it wants to verify the SSH host Key against C:\Users\JohnCalvin\.ssh\known_hosts.

使用PuTTY，终端程序将其保存到注册表[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys].

Using PuTTY, the terminal program is saving it to the Registry [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys].

如何调和pysftp和PuTTY之间的区别?

How do I reconcile the difference between pysftp and PuTTY?

我的代码是:

import pysftp as sftp

def push_file_to_server():
    s = sftp.Connection(host='138.99.99.129', username='root', password='*********')
    local_path = "testme.txt"
    remote_path = "/home/testme.txt"

    s.put(local_path, remote_path)
    s.close()

push_file_to_server()

我收到的错误响应是:

推荐答案

请勿设置cnopts.hostkeys = None (如第二个最受好评的答案所示)，除非您不关心安全性.您失去了针对中间人攻击的保护这样做.

使用CnOpts.hostkeys(返回 HostKeys )管理受信任的主机密钥.

Use CnOpts.hostkeys (returns HostKeys) to manage trusted host keys.

cnopts = pysftp.CnOpts(knownhosts='known_hosts')

with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:

，其中known_hosts包含服务器公钥，格式如下:

where the known_hosts contains a server public key[s] in a format like:

example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...

如果您不想使用外部文件，也可以使用

If you do not want to use an external file, you can also use

from base64 import decodebytes
# ...

keydata = b"""AAAAB3NzaC1yc2EAAAADAQAB..."""
key = paramiko.RSAKey(data=decodebytes(keydata))
cnopts = pysftp.CnOpts()
cnopts.hostkeys.add('example.com', 'ssh-rsa', key)

with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:

尽管从pysftp 0.2.9开始，此方法将发出警告，似乎是一个错误:
无法加载主机密钥"使用pysftp连接到SFTP服务器时发出警告

Though as of pysftp 0.2.9, this approach will issue a warning, what seems like a bug:
"Failed to load HostKeys" warning while connecting to SFTP server with pysftp

以这种格式检索主机密钥的一种简单方法是使用OpenSSH ssh-keyscan :

An easy way to retrieve the host key in this format is using OpenSSH ssh-keyscan:

$ ssh-keyscan example.com
# example.com SSH-2.0-OpenSSH_5.3
example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...

您还可以使应用程序自动执行以下操作:
将Paramiko AutoAddPolicy与pysftp一起使用
(它将自动将新主机的主机密钥添加到known_hosts，但是对于已知的主机密钥，它将不接受更改的密钥)

You can also make the application do the same automatically:
Use Paramiko AutoAddPolicy with pysftp
(It will automatically add host keys of new hosts to known_hosts, but for known host keys, it will not accept a changed key)

尽管出于绝对的安全性考虑，但是如果您尚未受到攻击，则不能确保无法远程获取主机密钥.

Though for an absolute security, you should not retrieve the host key remotely, as you cannot be sure, if you are not being attacked already.

请参阅我的文章在哪里可以获取用于授权服务器的SSH主机密钥指纹?
用于我的WinSCP SFTP客户端，但是那里的大多数信息通常都是有效的.

See my article Where do I get SSH host key fingerprint to authorize the server?
It's for my WinSCP SFTP client, but most information there is valid in general.

如果仅需要使用指纹来验证主机密钥，请参见 Python-pysftp/paramiko-使用指纹来验证主机密钥.

If you need to verify the host key using its fingerprint only, see Python - pysftp / paramiko - Verify host key using its fingerprint.

这篇关于使用pysftp验证主机密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！