Connect with Python Paramiko to SSH server that in addition to password prompt requires submitting an keyboard interactive banner with Enter key

Using PuTTY command line, I connect with unix host which is under PAM context.

The connection string is

in PuTTY command line I have used the below

putty.exe -ssh domain/[email protected]@[email protected] 4422 -pw xxx

This will open the PuTTY SSH Session to an host and logins. In PuTTY console it shows the username as domain/[email protected]@unix-host

I want to perform the same through SSH library Paramiko. I have kept pam-load-balancer-address as my host and 4422 as port and domain/[email protected]@unix-host as my username. In Paramiko it gives an error message

AuthenticationException: Authentication failed.

In PuTTY ssh it was successful and in Paramiko or robotframework-sshlibrary I can’t login the host. Please advice on how to login the host where the username has many @. Thanks

enter image description here

PuTTY session

Putty session

PuTTY Event log:

Event Log

Paramiko log:

DEB [20210330-17:27:49.113] thr=1   paramiko.transport: starting thread (client mode): 0x3d82d30
DEB [20210330-17:27:49.113] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.7.2
DEB [20210330-17:27:49.113] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-PBPS-SM-1.0.0
INF [20210330-17:27:49.113] thr=1   paramiko.transport: Connected (version 2.0, client PBPS-SM-1.0.0)
DEB [20210330-17:27:49.217] thr=1   paramiko.transport: kex algos:['curve25519-sha256', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1'] server key:['ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa'] client encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr'] server encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr'] client mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEB [20210330-17:27:49.218] thr=1   paramiko.transport: Kex agreed: ecdh-sha2-nistp256
DEB [20210330-17:27:49.218] thr=1   paramiko.transport: HostKey agreed: ssh-ed25519
DEB [20210330-17:27:49.218] thr=1   paramiko.transport: Cipher agreed: aes128-ctr
DEB [20210330-17:27:49.218] thr=1   paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20210330-17:27:49.218] thr=1   paramiko.transport: Compression agreed: none
DEB [20210330-17:27:49.225] thr=1   paramiko.transport: kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
DEB [20210330-17:27:49.225] thr=1   paramiko.transport: Switch to new keys ...
DEB [20210330-17:27:49.226] thr=2   paramiko.transport: Adding ssh-ed25519 host key for [xxx-pam2.xxx.co.uk]:4422: b'3f537ba214609f1911ba04226de23df7'
DEB [20210330-17:27:49.246] thr=1   paramiko.transport: userauth is OK
INF [20210330-17:27:49.246] thr=1   paramiko.transport: Authentication (password) failed.
DEB [20210330-17:27:49.253] thr=1   paramiko.transport: EOF in transport thread

Putty with keyboard interactive session

PuTTY Event Log without -pw:

2021-03-30 17:39:43 Looking up host "xxx-pam1.xxx.co.uk" for SSH connection
2021-03-30 17:39:43 Connecting to 10.34.37.244 port 4422
2021-03-30 17:39:43 We claim version: SSH-2.0-PuTTY_Release_0.74
2021-03-30 17:39:43 Remote version: SSH-2.0-PBPS-SM-1.0.0
2021-03-30 17:39:43 Using SSH protocol version 2
2021-03-30 17:39:43 No GSSAPI security context available
2021-03-30 17:39:43 Doing ECDH key exchange with curve nistp256 and hash SHA-256 (unaccelerated)
2021-03-30 17:39:43 Server also has ecdsa-sha2-nistp256/ecdsa-sha2-nistp384/ecdsa-sha2-nistp521/ssh-rsa host keys, but we don't know any of them
2021-03-30 17:39:43 Host key fingerprint is:
2021-03-30 17:39:43 ssh-ed25519 255 32:2f:d2:0b:ba:f4:50:7f:01:42:59:bd:47:17:d3:91
2021-03-30 17:39:43 Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
2021-03-30 17:39:43 Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
2021-03-30 17:39:43 Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
2021-03-30 17:39:43 Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
2021-03-30 17:39:43 Attempting keyboard-interactive authentication
2021-03-30 17:40:01 Access granted
2021-03-30 17:40:01 Opening main session channel
2021-03-30 17:40:02 Opened main channel
2021-03-30 17:40:02 Allocated pty
2021-03-30 17:40:02 Started a shell/command

Source code

import paramiko
import logging
import Interactive

def connect_pam_host():
    logging.basicConfig();
    # logging.getLogger('Paramiko').setLevel(logging.INFO);
    paramiko.util.log_to_file('paramiko.log', logging.WARNING);
    ssh = paramiko.SSHClient();
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy());
    ssh.connect(hostname='xxx-pam2.xxx.co.uk', port=4422, username='netdom\[email protected]@utvweccn03',
                password='[email protected]');
    print('Success');


# This is a sample Python script.

# Press Shift+F10 to execute it or replace it with your code.
# Press Double Shift to search everywhere for classes, files, tool windows, actions, and settings.

def print_hi(name):
    # Use a breakpoint in the code line below to debug your script.
    print(f'Hi, {name}')  # Press Ctrl+F8 to toggle the breakpoint.


# Press the green button in the gutter to run the script.
if __name__ == '__main__':
    print_hi('PyCharm')
    connect_pam_host()

Answer

Your server seems to issue two keyboard-interactive authentication challenges

  • First a prompt for a password
  • Second a banner with no prompts.

So you will have to do something like this:

def handler(title, instructions, fields):
    if len(fields) == 1:
        return [password]
    else:
        return []

transport = paramiko.Transport('example.com') 
transport.connect(username='myuser')
transport.auth_password(username, password):
transport.auth_interactive(username, handler)

Some references:


Further, as you have find out, you need to escape the in the username.