How to resolve BadHostKeyException with paramiko?


I have the following code to connect to a Linux box and run a command, but I'm facing BadHostKeyException even after I have added WarningPolicy and AutoAddPolicy.

            print("---CCCCCCCCCCCCC---",commands)
            client = paramiko.SSHClient()
            client.load_system_host_keys()
            client.set_missing_host_key_policy(paramiko.WarningPolicy)
            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            client.connect(ipAddress, port=22, username=sshUser, password=sshPassword)
            self.logger.info("executeOnRemoteShell - Created SSH connection to " + ipAddress)
            stdin, stdout, stderr = client.exec_command(commands)
            result = str(stdout.readlines()[0].rstrip())

Not sure what I'm missing here; below is the full error.

paramiko.ssh_exception.BadHostKeyException: Host key for server '45.32.23.23' does not match: got 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGcWA6JnHBbVIGsdC+USD2GOxWNy+R8hiiFiLse75rs1JRTWN8i3ol3yZ4OhFhQl4upZ7f5/scFzw4DqoMrhRIE=', expected 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJSELS2mT8SED8I7QFf5YkkvD5n4LCHUkX4ykeemwuqGHOBVHixQMBtKWF9lFuKFhKOCNsifRPK1FfkT23glapI


srn On

Quick reply:

According to a discussion on GitHub, the solution may be to get rid of client.load_system_host_keys().

If you're using SSHClient connect(), then don't call load_host_keys(),

See in the paramiko docs regarding load_system_host_keys:

If filename is left as None, an attempt will be made to read keys from the user’s local “known hosts” file, as used by OpenSSH, and no exception will be raised if the file can’t be read.

I had this issue in the past. For instance, if you have a server and normally use some SSH connection, the expected identity will be stored in your known_hosts file. If you then connect via paramiko to a different SSH server on that server (for instance the paramiko one), your paramiko client, due to the use of the "load_system_host_keys" line, uses the data known from the regular SSH server for identification, and those keys may not match. I solved this by not using anything from the regular SSH processes and creating keys (on both sides) for paramiko only.

More generally, paramiko.ssh_exception.BadHostKeyException doesn't mean the host key is missing, but that it either changed or that whatever your client thinks the host key should have been is inaccurate. It's a security measure to protect against man-in-the-middle attack scenarios. The long strings in the error message are base64-encoded non-ASCII versions of what your client expected and what the host offers.
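
To act on the last point in the answer, the two base64 strings can be turned into the key type and the SHA256 fingerprint format that `ssh-keygen -lf` prints, so the key the host offered can be checked against the server's real host key before any known_hosts entry is changed. This is an added example, not code from the question or the answer; the function names, the constructed sample keys and the 192.0.2.10 address are assumptions made for the demo.

```python
import base64
import hashlib
import re

# Shape of the "got ..., expected ..." text in the traceback above.
MSG_RE = re.compile(r"got '([^']*)', expected '([^']*)'")

def ssh_fields(raw):
    """Split an SSH public key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(raw):
        end = pos + 4 + int.from_bytes(raw[pos:pos + 4], "big")
        if end > len(raw):
            raise ValueError("field runs past end of blob (truncated paste?)")
        fields.append(raw[pos + 4:end])
        pos = end
    return fields

def describe_key(b64_blob):
    """Return (key type, OpenSSH-style SHA256 fingerprint) for one blob."""
    raw = base64.b64decode(b64_blob, validate=True)  # binascii.Error is a ValueError
    fields = ssh_fields(raw)
    if not fields:
        raise ValueError("empty key blob")
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return fields[0].decode("ascii"), "SHA256:" + digest

def compare_from_message(message):
    """Describe the 'got' and 'expected' keys of a BadHostKeyException message."""
    match = MSG_RE.search(message)
    if match is None:
        raise ValueError("no got/expected keys in message")
    return {"got": describe_key(match.group(1)),
            "expected": describe_key(match.group(2))}

def constructed_blob(*fields):
    """Build a sample blob for the demo (real ones come from the error text)."""
    return base64.b64encode(
        b"".join(len(f).to_bytes(4, "big") + f for f in fields)).decode()

if __name__ == "__main__":
    # Constructed keys and address, not the values from the question.
    got = constructed_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64)
    exp = constructed_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x22" * 64)
    msg = f"Host key for server '192.0.2.10' does not match: got '{got}', expected '{exp}'"
    for side, (ktype, fp) in compare_from_message(msg).items():
        print(side, ktype, fp)
```

A blob that was cut off when the error was copied, as the "expected" value in the question appears to be, raises ValueError instead of producing a fingerprint for partial data.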