Chapter 16 ■ Telnet and SSH
There are generally three ways to prove your identity to a remote server you are contacting through SSH.
• You can provide a username and password.
• You can provide a username and then have your client successfully perform a public-key
challenge-response. This clever operation manages to prove that you are in possession of a
secret “identity” key without actually exposing its contents to the remote system.
• You can perform Kerberos authentication. If the remote system is set up to allow Kerberos
(which seems extremely rare these days) and if you have run the kinit command-line tool to
prove your identity to one of the master Kerberos servers in the SSH server’s authentication
domain, then you should be allowed in without a password.
Since the third option is rare, we will concentrate on the first two.
Using a username and password with paramiko is easy—you simply provide them in your call to the
connect() method.
client.connect('example.com', username='brandon', password=mypass)
Public-key authentication, where you use ssh-keygen to create an “identity” key pair (typically stored in your
~/.ssh directory) that authenticates you without a password, makes the Python code even easier:
client.connect('my.example.com')
If your identity key file is stored somewhere other than in the normal ~/.ssh/id_rsa file, then you can provide its
file name—or a whole Python list of file names—to the connect() method manually.
client.connect('my.example.com', key_filename='/home/brandon/.ssh/id_sysadmin')
Of course, per the normal rules of SSH, providing a public-key identity like this will work only if you have
appended the public key in the id_sysadmin.pub file to your “authorized keys” file on the remote end, typically
named something like this:
/home/brandon/.ssh/authorized_keys
If you have trouble getting public-key authentication to work, always check the file permissions on both your
remote .ssh directory and the files inside. Some versions of the SSH server will get upset if they see that these files are
group-readable or group-writable. Using mode 0700 for the .ssh directory and 0600 for the files inside will often make
SSH happiest. The task of copying SSH keys to other accounts has actually been automated in recent versions through
a small command that will make sure that the file permissions get set correctly for you.
ssh-copy-id -i ~/.ssh/id_rsa.pub brandon@example.com
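As an added example (not code from the book), here is a stand-alone Python script that performs the two checks the text recommends when public-key authentication misbehaves: it audits a .ssh directory against the 0700/0600 modes described above and can apply them (the tidy-up the text attributes to ssh-copy-id), and it verifies that the key in a .pub file such as id_sysadmin.pub is actually present in authorized_keys, comparing key type and key blob so that a differing comment or a leading options field does not fool the check. The directory and key material it builds are constructed placeholders, not real keys, and the file names id_sysadmin and id_unused are assumptions for the demonstration. It uses only the standard library and touches no remote host.

```python
import base64
import stat
import tempfile
from pathlib import Path

# The modes the text recommends: 0700 for the .ssh directory, 0600 for the
# files inside it. Public key files (*.pub) are exempt: they are meant to be
# readable, and nothing in SSH objects to 0644 on them.
DIR_MODE = 0o700
FILE_MODE = 0o600
OTHERS = 0o077  # any group or other permission bit at all


def permission_problems(ssh_dir):
    """Return messages for ssh_dir and each non-.pub file inside it whose
    mode has any group/other bits set. An empty list means all is well."""
    ssh_dir = Path(ssh_dir)
    if not ssh_dir.is_dir():
        return ['%s is not a directory' % ssh_dir]
    problems = []
    mode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if mode & OTHERS:
        problems.append('%s: mode %04o, expected %04o' % (ssh_dir, mode, DIR_MODE))
    for path in sorted(ssh_dir.iterdir()):
        if not path.is_file() or path.suffix == '.pub':
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & OTHERS:
            problems.append('%s: mode %04o, expected %04o' % (path, mode, FILE_MODE))
    return problems


def fix_permissions(ssh_dir):
    """Apply the recommended modes and return whatever problems remain."""
    ssh_dir = Path(ssh_dir)
    ssh_dir.chmod(DIR_MODE)
    for path in ssh_dir.iterdir():
        if path.is_file() and path.suffix != '.pub':
            path.chmod(FILE_MODE)
    return permission_problems(ssh_dir)


def parse_public_key(line):
    """Return (key_type, base64_blob) for one OpenSSH public-key line, or
    None for blank lines, comments and lines that do not parse. A leading
    options field (no-pty, from="...", ...) and the trailing comment are
    ignored, so keys can be compared by their actual material."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    fields = line.split()
    for i in range(len(fields) - 1):
        if fields[i].startswith(('ssh-', 'ecdsa-', 'sk-')):
            blob = fields[i + 1]
            try:
                base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            return fields[i], blob
    return None


def key_is_authorized(pubkey_path, authorized_keys_path):
    """True if the key in pubkey_path appears in authorized_keys."""
    with open(pubkey_path) as f:
        wanted = parse_public_key(f.readline())
    if wanted is None:
        raise ValueError('%s does not contain a public key' % pubkey_path)
    with open(authorized_keys_path) as f:
        return any(parse_public_key(line) == wanted for line in f)


def build_demo_dir():
    """Create a throw-away .ssh directory with constructed (not real) key
    material and deliberately loose permissions, for the demonstration."""
    blob = base64.b64encode(b'constructed blob, not a real ed25519 key').decode()
    other = base64.b64encode(b'another constructed blob, not a key').decode()
    third = base64.b64encode(b'a third constructed blob').decode()
    ssh_dir = Path(tempfile.mkdtemp(prefix='sshdemo-')) / '.ssh'
    ssh_dir.mkdir()
    (ssh_dir / 'id_sysadmin').write_text(
        '-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n')
    (ssh_dir / 'id_sysadmin.pub').write_text('ssh-ed25519 %s brandon@laptop\n' % blob)
    (ssh_dir / 'id_unused.pub').write_text('ssh-ed25519 %s brandon@desktop\n' % other)
    (ssh_dir / 'authorized_keys').write_text(
        '# constructed authorized_keys for the demo\n'
        'ssh-ed25519 %s someone-else\n' % third +
        # Same key as id_sysadmin.pub, but with options and a different comment.
        'no-pty,from="10.0.0.0/8" ssh-ed25519 %s sysadmin\n' % blob)
    ssh_dir.chmod(0o750)                       # group-readable: the text warns about this
    (ssh_dir / 'authorized_keys').chmod(0o644)  # world-readable: also flagged
    (ssh_dir / 'id_sysadmin').chmod(0o600)     # fine
    for pub in ssh_dir.glob('*.pub'):
        pub.chmod(0o644)                       # fine, .pub files are exempt
    return ssh_dir


if __name__ == '__main__':
    d = build_demo_dir()
    for problem in permission_problems(d):
        print('problem:', problem)
    print('remaining after fix:', fix_permissions(d))
    print('id_sysadmin.pub authorized?',
          key_is_authorized(d / 'id_sysadmin.pub', d / 'authorized_keys'))
    print('id_unused.pub authorized?',
          key_is_authorized(d / 'id_unused.pub', d / 'authorized_keys'))
```

The 0700/0600 advice is a safe superset of what the server itself enforces: OpenSSH's StrictModes check (on by default) refuses group- or world-writable .ssh directories and authorized_keys files, and it also inspects the home directory above them, so a world-writable home directory can break key login even when .ssh itself is 0700. The check in `key_is_authorized` also explains a common false alarm: a key line that carries options or a different comment than the .pub file is still the same key.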
Once the connect() method has succeeded, you are ready to start performing remote operations, all of
which will be forwarded over the same physical socket without requiring renegotiation of the host key, your identity,
or the encryption that protects the SSH socket itself.
Shell Sessions and Individual Commands
Once you have a connected SSH client, the entire world of SSH operations is open to you. Simply by asking, you can
access remote-shell sessions, run individual commands, commence file-transfer sessions, and set up port forwarding.
You will look at each of these operations in turn.