
Re: [Fab-user] reject_unknown_hosts option


From: Antônio Theóphilo
Subject: Re: [Fab-user] reject_unknown_hosts option
Date: Fri, 21 Oct 2011 15:40:57 -0200

Thank you, Jeff.

We've configured the logs as you suggested and discovered some issues regarding OpenBSD 4.9 that may be worth sharing with others ("crazy" guys who like to suffer :) who plan to use OpenBSD with Fabric:

Since August 2010 (http://api.libssh.org/rfc/PROTOCOL) OpenSSH has supported Elliptic Curve Cryptography, and it seems that, when OpenBSD 4.9 machines are involved (our case) in SSH public-key negotiation, this is the preferred option instead of the traditional ssh-rsa. This crashes Paramiko, probably because it doesn't support this kind of cryptography yet. Manually overwriting the public key in the known_hosts file, replacing the elliptic curve key with the RSA one, seems to work.

For those interested, below are our test fabfile, our known_hosts file and the Fabric/Paramiko output in the success and failure cases.

Regards
Antonio

<fabfile.py>
from fabric.api import task, run, env

import logging
import paramiko

# Route Paramiko's DEBUG log (kex, host key check, auth) to stderr so the
# reject_unknown_hosts decision shows up in the fab output.
logger = paramiko.util.get_logger('paramiko')
logger.setLevel(logging.DEBUG)
logger.addHandler(logging.StreamHandler())

# bash installed from packages on OpenBSD lives in /usr/local/bin.
env.shell = '/usr/local/bin/bash -l -c'

# Abort instead of silently adding hosts missing from ~/.ssh/known_hosts.
env.reject_unknown_hosts = True

@task(default=True)
def test():
    run('hostname')


<~/.ssh/known_hosts>
#10.0.1.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL7VyT5ufRzymozhp1mynf4+dDksru3BkQMd9dWbEOj+NL0aEKF5NXqoVKxVFwrwucdoErsEwv4NRxaWxJiVG4E=
10.0.1.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDblWteZNvVHs7yMLWhqL6rRKcTCE2i8utafN/F3W+cL4jDy7Ca5L1e/4vxBNRWqYvRZKLazDYeP8dxGbFoGwfjpa70Kgzmwd20RDsTeiuqHACuWWQQ/p/ben+0eOkrPExSJ2cPD8HtjPnRMw14i3X4EH9vya54UL0t+k9jMzvBOfm+hoeMv4yPUwkcUGG0J/CAnotE66mqd8jpZj9AYTJEP50H5Fj6CKwFuMOz9CIie2j9vavwnJubZ/rqjlSKrov9cIE6X3mhk14U+CY0DSqP9f0oWkmLQv6RmHETaAnVzTZyHVefkkHdocfVOAbuB/3EFlpPsmn0yxfTM4K7+/W/

<failure output with ecdsa-sha2-nistp256 key>
address@hidden:~/fabric]# fab -H 10.0.1.2
[10.0.1.2] Executing task 'test'
[10.0.1.2] run: hostname
starting thread (client mode): 0x84c856acL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] client mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'address@hidden'] server compress:['none', 'address@hidden'] client lang:[''] server lang:[''] kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
Switch to new keys ...
Rejecting ssh-rsa host key for 10.0.1.2: 247ad0cd4e224fba259d694dba534c96
[10.0.1.2] Login password: 
starting thread (client mode): 0x84c85e0cL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] client mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'address@hidden'] server compress:['none', 'address@hidden'] client lang:[''] server lang:[''] kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
Switch to new keys ...
Rejecting ssh-rsa host key for 10.0.1.2: 247ad0cd4e224fba259d694dba534c96

Fatal error: Unknown server 10.0.1.2

Aborting.
EOF in transport thread
EOF in transport thread

<success output with RSA key>
address@hidden:~/fabric]# fab -H 10.0.1.2
[10.0.1.2] Executing task 'test'
[10.0.1.2] run: hostname
starting thread (client mode): 0x8205c72cL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] client mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'address@hidden'] server compress:['none', 'address@hidden'] client lang:[''] server lang:[''] kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
Switch to new keys ...
Trying SSH agent key 95bba2ccd9d2a304520c9e89a7c61d1b
userauth is OK
Authentication (publickey) successful!
[chan 1] Max packet in: 34816 bytes
[chan 1] Max packet out: 32768 bytes
Secsh channel 1 opened.
[chan 1] Sesch channel 1 request ok
[chan 1] Sesch channel 1 request ok
[chan 1] EOF received (1)
[chan 1] EOF sent (1)
[10.0.1.2] out: fabric02
[10.0.1.2] out: 

Done.
EOF in transport thread
Disconnecting from 10.0.1.2... done.
address@hidden:~/fabric]# 

On 21/10/2011, at 02:25, Jeff Forcier wrote:

2011/10/20 Antônio Theóphilo <address@hidden>:
(which shouldn't happen because we are using ssh-agent) and even when the correct password is entered, we receive the "Fatal error: Unknown server 10.0.1.2" message (obviously 10.0.1.2 is in ~/.ssh/known_hosts). Is Fabric looking for a different known_hosts file? Below are my versions and the env dict output:

Both of these features are handled in the Paramiko library; it's
possible a permissions or related issue is preventing the
Fabric/Paramiko process from accessing your SSH files.

Paramiko logs a fair amount of stuff when it runs; try enabling the
stdlib logging module in your fabfile, setting the level to DEBUG (see
the Python docs for examples of this, there's one near the top of the
logging docs page), and see if anything useful comes out.

There's not a lot we can do on our end as we simply pass the basic
"enable/disable" settings into Paramiko when we run.

Good luck,
Jeff

--
Jeff Forcier
Unix sysadmin; Python/Ruby engineer
http://bitprophet.org

Antônio Theóphilo
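The check that Fabric's reject_unknown_hosts hands to Paramiko, modelled as an added example (this is not Fabric's or Paramiko's code). The debug output above shows the connection negotiating "server key type ssh-rsa", because Paramiko advertised only ssh-rsa and ssh-dss, and then "Rejecting ssh-rsa host key for 10.0.1.2"; the example reproduces that decision against a known_hosts file holding only the ecdsa-sha2-nistp256 entry, then against one that also holds the ssh-rsa entry, using the two key blobs from the known_hosts posted above. The two file contents, the hashed-hostname and @revoked cases, and every function name are constructed for the example; the parser also accepts HashKnownHosts (|1|salt|hash) fields and @revoked/@cert-authority markers, which the post does not use.

```python
"""Model of the known_hosts check behind Fabric's reject_unknown_hosts.

Added example, not Fabric or Paramiko code.  Parses OpenSSH known_hosts text
(plain and HashKnownHosts entries, @revoked and @cert-authority markers) and
reports what a strict client that only speaks CLIENT_KEY_TYPES does when the
server presents a given host key.
"""
import base64
import hashlib
import hmac

# Host key types Paramiko advertised in the debug output on this page.
CLIENT_KEY_TYPES = ("ssh-rsa", "ssh-dss")

# Key blobs copied from the ~/.ssh/known_hosts shown in the post.
ECDSA_BLOB = ("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL7VyT5ufRzymozhp1"
              "mynf4+dDksru3BkQMd9dWbEOj+NL0aEKF5NXqoVKxVFwrwucdoErsEwv4NRxaWxJiVG4E=")
RSA_BLOB = ("AAAAB3NzaC1yc2EAAAADAQABAAABAQDblWteZNvVHs7yMLWhqL6rRKcTCE2i8utafN/F3W"
            "+cL4jDy7Ca5L1e/4vxBNRWqYvRZKLazDYeP8dxGbFoGwfjpa70Kgzmwd20RDsTeiuqHACu"
            "WWQQ/p/ben+0eOkrPExSJ2cPD8HtjPnRMw14i3X4EH9vya54UL0t+k9jMzvBOfm+hoeMv4"
            "yPUwkcUGG0J/CAnotE66mqd8jpZj9AYTJEP50H5Fj6CKwFuMOz9CIie2j9vavwnJubZ/rq"
            "jlSKrov9cIE6X3mhk14U+CY0DSqP9f0oWkmLQv6RmHETaAnVzTZyHVefkkHdocfVOAbuB/"
            "3EFlpPsmn0yxfTM4K7+/W/")

# Constructed files: the state before the RSA line was added, and after.
KNOWN_HOSTS_ECDSA_ONLY = "10.0.1.2 ecdsa-sha2-nistp256 %s\n" % ECDSA_BLOB
KNOWN_HOSTS_BOTH = KNOWN_HOSTS_ECDSA_ONLY + "10.0.1.2 ssh-rsa %s\n" % RSA_BLOB


def hashed_host_field(host, salt):
    """Build the |1|salt|hash hosts field written under HashKnownHosts yes."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(pattern, host):
    """True if a hosts field (comma list or hashed form) names this host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return host in pattern.split(",")


def parse_known_hosts(text):
    """Yield (marker, hosts_field, key_type, key_b64) for every key line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or commented out as in the posted file
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) >= 3:
            yield marker, parts[0], parts[1], parts[2]


def same_key(a_b64, b_b64):
    """Compare decoded blobs so padding or spacing differences do not matter."""
    return base64.b64decode(a_b64) == base64.b64decode(b_b64)


def check_host_key(text, host, key_type, key_b64, client_key_types=CLIENT_KEY_TYPES):
    """What a reject_unknown_hosts client does with the key the server presented.

    Returns 'accepted', 'mismatch' (same type, different key: the classic
    changed-host-key warning), 'revoked', or 'unknown'.  An entry whose type
    is outside client_key_types can never be compared, so a file holding only
    such entries yields 'unknown' even though the host is listed in it.
    """
    candidates = [(marker, blob) for marker, hosts, k_type, blob in parse_known_hosts(text)
                  if marker != "@cert-authority" and k_type == key_type
                  and host_matches(hosts, host)]
    if any(m == "@revoked" and same_key(b, key_b64) for m, b in candidates):
        return "revoked"
    if any(m is None and same_key(b, key_b64) for m, b in candidates):
        return "accepted"
    if any(m is None for m, _ in candidates):
        return "mismatch"
    return "unknown"


def unusable_key_types(text, host, client_key_types=CLIENT_KEY_TYPES):
    """Key types on file for host that this client cannot verify against."""
    return sorted({k for m, h, k, _ in parse_known_hosts(text)
                   if m is None and k not in client_key_types and host_matches(h, host)})


def md5_fingerprint(key_b64):
    """Hex MD5 of the decoded blob, the form Paramiko logs when rejecting a key."""
    return hashlib.md5(base64.b64decode(key_b64)).hexdigest()


if __name__ == "__main__":
    host = "10.0.1.2"
    # Failure: only an ECDSA entry on file, but the client negotiated ssh-rsa.
    print(check_host_key(KNOWN_HOSTS_ECDSA_ONLY, host, "ssh-rsa", RSA_BLOB))
    print("types on file the client cannot use:", unusable_key_types(KNOWN_HOSTS_ECDSA_ONLY, host))
    # Success: RSA entry present (what `ssh-keyscan -t rsa 10.0.1.2` would add).
    print(check_host_key(KNOWN_HOSTS_BOTH, host, "ssh-rsa", RSA_BLOB))
    print("md5 fingerprint of the RSA entry:", md5_fingerprint(RSA_BLOB))
```

Run as a script it prints the two outcomes. unusable_key_types() is the diagnostic worth having when a host that is plainly in known_hosts is still reported as unknown: it lists the key types on file that the client cannot compare against. The fingerprint printed for the RSA entry can be compared with the hex value in the "Rejecting ssh-rsa host key" log line to confirm that the rejected key is the one later added to the file. Note that `ssh-keyscan -t rsa 10.0.1.2 >> ~/.ssh/known_hosts` pins whatever key the host presents at that moment, so verify that fingerprint out of band (for example from the console of the OpenBSD box) before trusting it.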
