Paramiko no existing session workaround #1491
Merged
Background
Due to a long-standing Paramiko bug, SSH login can fail when multiple keys are loaded in your SSH agent, depending on how strict the SSH server is.
If the first key Paramiko tries is invalid, it transmits an extra SERVICE_REQUEST before the second key. Since this is incorrect behavior (according to Damien Miller from OpenSSH (golang/go#75268 (comment)), citing the RFC), some SSH servers will reject it. This results in Paramiko raising a “No existing session” error on the second key attempt.
I use ssh2lxd (https://github.com/dfaerch/ssh2lxd) to allow pyinfra to SSH into Incus containers through a single ssh-daemon running on the host. It’s written in Go and uses the official Go SSH library, which, unfortunately for me, follows the RFC. Damien Miller’s comment above was written in an issue on said library only a month ago, and he additionally notes:
So we might eventually see an OpenSSH release that triggers the same Paramiko bug, suddenly affecting many more users.
Both remain open as of Oct 2025.
At that speed, I don’t know if we can expect a quick response even if OpenSSH tightens this, so I propose a fallback that fixes the issue right now for the few affected and buys time between any OpenSSH change and a Paramiko fix.
My proposed solution
I’ve implemented a fallback that triggers when SSHException is raised during connect and the message is “No existing session.” In that case, pyinfra gathers the agent keys and, in a loop, opens a fresh connection and tries to authenticate with each remaining key.
Opening a new connection per key is slower and not especially elegant, but it avoids having to patch Paramiko. And if you don't hit the bug, everything works as before.
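The fallback described above, as an added example that is not the PR's own code: the connection logic is injected as a callable so the retry loop can be exercised offline, and `paramiko_connect` shows how that callable would be built on the real `paramiko.SSHClient` (importing paramiko lazily). The hostname, key names and the `FakeSSHConnector` stand-in are constructed for the demo; the real loop simply tries every key the agent currently holds, so the key that already failed is retried once in its own connection.

```python
"""Retry SSH authentication with each agent key in a fresh connection when
Paramiko fails with "No existing session" (added example, not pyinfra code)."""
from typing import Any, Callable, Iterable, List, Optional, Tuple

NO_SESSION_MARKER = "No existing session"


class AgentKeyFallbackError(Exception):
    """Raised when the fallback has tried every agent key without success."""

    def __init__(self, first_error: BaseException, failures: List[Tuple[Any, BaseException]]):
        self.first_error = first_error
        self.failures = failures
        super().__init__(
            f"initial connect failed with {first_error!r}; "
            f"{len(failures)} agent key(s) also failed"
        )


def is_no_existing_session(exc: BaseException) -> bool:
    """Match the specific Paramiko failure the fallback is meant to handle."""
    return NO_SESSION_MARKER in str(exc)


def connect_with_agent_key_fallback(
    connect: Callable[[str, Optional[Any]], Any],
    agent_keys: Callable[[], Iterable[Any]],
    host: str,
) -> Tuple[Any, Optional[Any]]:
    """connect(host, key) must open a *fresh* connection each call; key=None
    means the library's default (agent-driven) behaviour. Returns
    (client, key_used). Only the "No existing session" error triggers the
    per-key retry; anything else propagates unchanged."""
    try:
        return connect(host, None), None
    except Exception as exc:
        if not is_no_existing_session(exc):
            raise
        first_error = exc

    failures: List[Tuple[Any, BaseException]] = []
    for key in agent_keys():
        try:
            return connect(host, key), key
        except Exception as exc:
            failures.append((key, exc))
    raise AgentKeyFallbackError(first_error, failures) from first_error


def paramiko_connect(host: str, key: Optional[Any], **kwargs: Any) -> Any:
    """Real-world connect callable (assumed usage of paramiko's public API).
    With an explicit key, agent and on-disk key lookup are disabled so exactly
    one key is offered per connection. Host keys are verified against the
    system known_hosts rather than auto-accepted."""
    import paramiko  # lazy: the retry logic above stays testable without it

    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    if key is None:
        client.connect(host, **kwargs)
    else:
        client.connect(host, pkey=key, allow_agent=False, look_for_keys=False, **kwargs)
    return client


def paramiko_agent_keys() -> Iterable[Any]:
    """Keys currently loaded in the SSH agent (assumed paramiko usage)."""
    import paramiko

    return paramiko.Agent().get_keys()


class FakeSSHConnector:
    """Constructed stand-in for a strict server: the default attempt fails the
    way the Paramiko bug surfaces, and only `good_key` is authorised."""

    def __init__(self, keys: List[str], good_key: str):
        self.keys = keys
        self.good_key = good_key
        self.attempts: List[Optional[str]] = []

    def agent_keys(self) -> List[str]:
        return list(self.keys)

    def connect(self, host: str, key: Optional[str]) -> str:
        self.attempts.append(key)
        if key is None:
            raise RuntimeError("No existing session")
        if key != self.good_key:
            raise RuntimeError("Authentication failed.")
        return f"client:{host}:{key}"


def demo() -> Tuple[str, Optional[str], List[Optional[str]]]:
    """Run the fallback against the constructed connector."""
    fake = FakeSSHConnector(["key-1", "key-2", "key-3"], good_key="key-2")
    client, key = connect_with_agent_key_fallback(fake.connect, fake.agent_keys, "container-host")
    return client, key, fake.attempts


def demo_unrelated_error() -> bool:
    """An error other than "No existing session" must not start the key loop."""
    def connect(host: str, key: Optional[str]) -> str:
        raise ValueError("host key verification failed")

    try:
        connect_with_agent_key_fallback(connect, lambda: ["key-1"], "container-host")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

In a real deployment the call is `connect_with_agent_key_fallback(paramiko_connect, paramiko_agent_keys, host)`; note that the per-key connections are separate TCP sessions, so a server with login rate limiting may count each retry as a new attempt.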