I’m writing a script that needs to connect to a MySQL server via SSH. I have the following:

    import mysql.connector
    from sshtunnel import SSHTunnelForwarder

    def query_mysql_server(query):
        # Open an SSH tunnel to the server and forward a local port to MySQL on it.
        with SSHTunnelForwarder(
            ('ssh_server_ip', 22),
            ssh_username='sshuser',
            ssh_pkey='/Users/myhomedir/.ssh/id_rsa',
            ssh_private_key_password='my_ssh_key_passphrase',
            remote_bind_address=('127.0.0.1', 3306)
        ) as server:
            # Connect to MySQL through the local end of the tunnel.
            conn = mysql.connector.connect(
                host='127.0.0.1',
                port=server.local_bind_port,
                user='mysqluser',
                password='mysqluserpass',
                database='mydb'
            )
            cursor = conn.cursor()
            cursor.execute(query)
            results = cursor.fetchall()
            for row in results:
                print(row)
            cursor.close()
            conn.close()

    query = "SELECT * FROM users;"
    query_mysql_server(query)

Running this results in the error: ERROR | Password is required for key /Users/myhomedir/.ssh/id_rsa.
I’ve also tried using a different key (/Users/myhomedir/.ssh/app_key) that doesn’t have a passphrase set at all, and I get exactly the same error, referring to the "default" key id_rsa, so an alternative key is not picked up for some reason.
Both keys are added to the ssh authentication agent using ssh-add. The default key (id_rsa) is an RSA key, not an OpenSSH key.
System is macOS.
Any help is appreciated!
2 Answers
After troubleshooting it further and trying invalid SSH credentials I realized that the SSH tunnel actually works and the code hung on mysql.connector.connect until I added use_pure=True. Seemingly this error shows up always, regardless of whether the connection succeeds or not. The ssh_pkey also works as intended and will use the specified key file, but will still raise the error in question quoting the "default" key id_rsa.
Same issue is described here: SSHTunnel searching for default private key (id_rsa) instead of the ssh_pkey I specify
Basic Requirements
Did you verify that the connection succeeds on the command line?
I’ve already described it here for scp, but that’s almost ssh without shell and the required prerequisites are identical as they are here.
Essentially I miss, that you state:
~/.ssh/authorized_keys
You also should be verifying that the access rights are restricted as required:
Undesired Fallback to id_rsa
As you state the basic config is done and rechecked and also the connection directly via the shell is fine, a single detail remains:
Have these successful shell checks been done with the app_key or with the default id_rsa?
If the connection via the app_key also succeeds, these ‘basics’ are done.
Else, if the app_key fails at the shell, the key-type and key-length would be of interest.
Also a check of the ~/.ssh/config would be of interest. But the priority lies on the log files:
The key-choice might be influenced by the answers of the ssh server:
This config can be requested by the client:
Server Log
To enhance the log output the log-level should be set it to or DEBUG (up to DEBUG3 is possible)
File: server:/etc/ssh/sshd_config
Client Log
Also the client’s log entries for the whole authentication process would be helpful.
On your Mac please choose "All Messages" in your Console.app
Auth-Error:
Here man ssh reveals a risk for a problem:
Perhaps you put an eye on this?
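
Added example (not code from the question or from either answer): a standard-library Python check for the two things the answer above asks about, key type and access rights. For each private key in a directory it reports the container format, whether a passphrase is needed, and whether the file mode is wider than owner-only; the function names are made up for this illustration.

```python
import base64
import os
import stat

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # start of an OpenSSH-format private key


def inspect_private_key(path):
    """Report container format, passphrase protection and file mode of a key."""
    with open(path, "rb") as fh:
        lines = fh.read().decode("ascii", "replace").strip().splitlines()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # ssh refuses a private key that group or others can access (mode & 077).
    info = {"format": "unknown", "encrypted": None,
            "mode": oct(mode), "too_open": bool(mode & 0o077)}
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return info
    label = lines[0].strip("-")[len("BEGIN "):].strip()
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        off = len(OPENSSH_MAGIC)
        if blob.startswith(OPENSSH_MAGIC) and len(blob) >= off + 4:
            # First field after the magic: cipher name; "none" means no passphrase.
            n = int.from_bytes(blob[off:off + 4], "big")
            cipher = blob[off + 4:off + 4 + n]
            info.update(format="openssh-key-v1", encrypted=cipher != b"none")
    elif label in ("ENCRYPTED PRIVATE KEY", "PRIVATE KEY"):  # PKCS#8
        info.update(format="pkcs8", encrypted=label.startswith("ENCRYPTED"))
    elif label.endswith(" PRIVATE KEY"):  # legacy PEM, e.g. "RSA PRIVATE KEY"
        enc = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4])
        info.update(format="pem-" + label.split()[0].lower(), encrypted=enc)
    return info


def audit_key_dir(directory):
    """Inspect every file in `directory` that looks like a private key."""
    found = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not name.endswith(".pub"):
            result = inspect_private_key(path)
            if result["format"] != "unknown":
                found[name] = result
    return found


if __name__ == "__main__":
    for name, result in audit_key_dir(os.path.expanduser("~/.ssh")).items():
        print(name, result)
```

A key reported with encrypted set to True cannot be loaded without its passphrase, and one reported as too_open should be restricted with chmod 600.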