Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RSA module throws AttributeError #6

Closed
mociepka opened this issue Nov 21, 2015 · 4 comments
Closed

RSA module throws AttributeError #6

mociepka opened this issue Nov 21, 2015 · 4 comments

Comments

@mociepka
Copy link

I don't knew that error is because of Paramiko==1.16.0 but with PyCrypto it works. I am using pycryptodome==3.3.1.

Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/paramiko/transport.py", line 1744, in run
    self.kex_engine.parse_next(ptype, m)
  File "build/bdist.linux-x86_64/egg/paramiko/kex_group1.py", line 75, in parse_next
    return self._parse_kexdh_reply(m)
  File "build/bdist.linux-x86_64/egg/paramiko/kex_group1.py", line 111, in _parse_kexdh_reply
    self.transport._verify_key(host_key, sig)
  File "build/bdist.linux-x86_64/egg/paramiko/transport.py", line 1604, in _verify_key
    if not key.verify_ssh_sig(self.H, Message(sig)):
  File "build/bdist.linux-x86_64/egg/paramiko/rsakey.py", line 113, in verify_ssh_sig
    return rsa.verify(hash_obj, (sig,))
  File "/path_to_env/local/lib/python2.7/site-packages/pycryptodome-3.3.1-py2.7-linux-x86_64.egg/Crypto/PublicKey/RSA.py", line 123, in __getattr__
    raise AttributeError(attrname)
AttributeError: verify
@Legrandin
Copy link
Owner

Paramiko verifies RSA signatures in an insecure way and it does that by means of some old, questionable parts of the PyCrypto API (specifically, the method verify of an RSA key object).

PyCryptodome is (fortunately or unfortunately, depending on how you look at it) not 100% compatible to PyCrypto: I explicitly removed or modified those few APIs that are inherently dangerous (like the verify method).

I was considering submitting a PR to paramiko so that safer and less-error prone APIs already offered by PyCrypto are used instead (i.e. the Crypto.Signature package, which are also available in PyCryptodome). Until now though, this was not high on my priority list.

@mociepka
Copy link
Author

Many packages can use those "old, questionable parts", maybe adding them with DeprecationWarning will be more delicate way? Or at least more verbose error NotImplementedError('Some explanation')?

I got this error using fabric. Fabric highjacks logger so at the beginning I got AttributeError: verify with trace from logging 💢 . More verbose error message would have saved me a lot of time.

@Legrandin
Copy link
Owner

That is a good point, and raising NotImplementedError when appropriate the best solution.

@mociepka mociepka mentioned this issue Nov 26, 2015
Closed
@rockwelln
Copy link

Waiting for a cleaner solution, to make it work with paramiko, I had to make 2 things:
in lib/Crypto/PublicKey/RSA.py:

class RsaKey(object):
    ...
    def verify(self, m, sig):
        warnings.warn("verify is deprecated on RSA key", FutureWarning)
        s, = sig[:1]
        return self._encrypt(s) == m
    ...

and in paramiko: transport.py

    def _get_cipher(self, name, key, iv):
        ...
            return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, counter=counter)
        ...

@patrys patrys mentioned this issue Dec 10, 2015
Closed
Legrandin added a commit that referenced this issue Feb 5, 2016
@Legrandin
Raise NotImplementedError for dangerous, old PyCrypto methods
525cba3 
Closes #6.
@lorc lorc mentioned this issue Aug 21, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Legrandin @rockwelln @mociepka