Wednesday 16 August 2023

What might cause paramiko 'Invalid Packet Blocking' on switch to new keys?

I am attempting to create a paramiko sftp server that integrates with authentication.

I am using WinSCP as a sftp client and finding that the connection drops at the point of accepting the channel, but after initial connection has been made.

The code to accept is:

        sock.bind((local_ip, 22))
        sock.listen(10)

        # Configure Paramiko logging
        paramiko.common.logging.basicConfig(level=paramiko.common.DEBUG)

        # Configure Python logging to save logs to a file
        logging.basicConfig(filename='paramiko_debug.log', level=logging.DEBUG)

        # Redirect Paramiko logs to Python logging
        paramiko.common.logging.getLogger().addHandler(logging.FileHandler('paramiko_debug.log'))

        sftp_logger.info('Initial Server Set-Up Complete')

        # Serve indefinitely
        while True:
            
            conn, addr = sock.accept()

            sftp_logger.info(f"Accepted Connection from {str(addr)}")

            # Generate a server key and set up basic server
            server_key = paramiko.RSAKey.generate(2048)

            sftp_logger.info('Generated Key')
            transport = paramiko.Transport((conn))
            sftp_logger.debug(f"Initiated Transport for {str(addr)}")
            transport.add_server_key(server_key)
            sftp_logger.debug(f"Bound Key for {str(addr)}")
            transport.set_subsystem_handler('sftp', paramiko.SFTPServer, Custom_Paramiko_SFTP)
            sftp_logger.debug(f"Added Subsystem handler for {str(addr)}")
            server = paramiko.SFTPServerInterface
            transport.start_server(server=server)
            sftp_logger.debug(f"Started Server for {str(addr)}")

            channel = transport.accept()
            sftp_logger.debug(f"Channel Accepted")

            while transport.is_active():
                time.sleep(1)

And the error generated is:

    === Key exchange agreements ===
    Kex: curve25519-sha256@libssh.org
    HostKey: rsa-sha2-512
    Cipher: aes256-ctr
    MAC: hmac-sha1
    Compression: none
    === End of kex handshake ===
    kex engine KexCurve25519 specified hash_algo
    Switch to new keys ...
    Started Server for ('31.117.38.192', 56391)
    Exception (server): Invalid packet blocking
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/paramiko/transport.py", line 2129, in run
        ptype, m = self.packetizer.read_message()
      File "/usr/local/lib/python3.10/dist-packages/paramiko/packet.py", line 487, in read_message
        raise SSHException("Invalid packet blocking")
    paramiko.ssh_exception.SSHException: Invalid packet blocking

I do not understand what exactly is causing the issue here? Do I need to provide an additional key or ssl keys that we have generated previously?

WinSCP shows an authentication error at its end, so I thought that the issue might be with our authentication method, which utilises our username and password method, and as such paramiko.SFTPServer and paramiko.ServerInterface have been extended. This might be the issue, but from the logs I suspect not, but I am providing the code for completeness.

I am very much a beginner to paramiko and more high level networking and I'm only just starting to get a handle on what makes it 'tick'. (I've worked with TCP over ssl sockets before for low level custom functionality)

What might be causing the issue here? Any help would be greatly appreciated.

EXTRA INFO:

  • CUSTOM AUTHENTICATION IMPLEMENTATION:

    class Custom_Paramiko_SFTP(paramiko.SFTPServer):
        def __init__(self, channel, name, server, *args, **kwargs):
            super().__init__(channel, name, server, *args, **kwargs)

        def _check_auth(self, username, password):
            # Access the stored authenticate attribute of database interface that verifies if the user is
            # a known and registered HADU user.
            if self.database.authenticate(password, username):
                return paramiko.AUTH_SUCCESSFUL
            return paramiko.AUTH_FAILED


    class Underlying_SSH_Server(paramiko.ServerInterface):
        def __init__(self):
            pass

        def check_channel_request(self, kind, chanid):
            if kind == "session":
                return paramiko.OPEN_SUCCEEDED
            return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

        def check_auth_password(self, username, password):
            return self._check_auth(username, password)

        def _check_auth(self, username, password):
            # Access the stored authenticate attribute of database interface that verifies if the user is
            # a known and registered HADU user.
            if self.database.authenticate(password, username):
                sftp_logger.info(f"Attempting authentication for {username}")
                return paramiko.AUTH_SUCCESSFUL
            return paramiko.AUTH_FAILED
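
As an added illustration that is not part of the original post or paramiko's own code: the block-alignment rule from RFC 4253 section 6 that a receiver applies to the first decrypted block, which is the condition an "invalid packet blocking" error reports. The payload, keystreams and function names are constructed for the example, and the XOR keystream is only a stand-in for AES-CTR.

```python
import struct

BLOCK = 16          # AES block size; the log above negotiated aes256-ctr
MAX_PACKET = 35000  # total size every implementation must accept (RFC 4253, 6.1)


def build_packet(payload: bytes, block: int = BLOCK) -> bytes:
    """Frame a payload as an RFC 4253 binary packet (MAC omitted)."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:                      # the RFC requires at least 4 padding bytes
        pad += block
    # Zero padding keeps the sample reproducible; real senders use random bytes.
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def xor(data: bytes, keystream: bytes) -> bytes:
    """Toy stream cipher standing in for AES-CTR (constructed, not secure)."""
    return bytes(d ^ k for d, k in zip(data, keystream))


def check_first_block(first_block: bytes, block: int = BLOCK) -> str:
    """Validate the length field a receiver sees after decrypting one block."""
    (length,) = struct.unpack(">I", first_block[:4])
    if (length + 4) % block != 0:    # the whole packet must be block-aligned
        return "invalid packet blocking"
    if length + 4 > MAX_PACKET:
        return "oversized packet"
    return "ok"


def demo() -> dict:
    packet = build_packet(b"ssh-userauth-request")   # constructed 20-byte payload
    ks_sender = bytes(range(16))                      # constructed keystreams
    ks_other = bytes(range(1, 17))
    wire = xor(packet[:BLOCK], ks_sender)
    return {
        "same keys": check_first_block(xor(wire, ks_sender)),
        "different keys": check_first_block(xor(wire, ks_other)),
        "plaintext read as ciphertext": check_first_block(xor(packet[:BLOCK], ks_other)),
        "stream off by one byte": check_first_block(packet[1:BLOCK + 1]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Only the case where both ends apply the same keystream to a correctly framed stream passes; any disagreement about keys, cipher state or byte position after the switch to new keys turns the length field into noise and fails the alignment check.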
    

