Skip to content
Go to file


Paramiko:Python SSH module
Copyright:Copyright (c) 2009 Robey Pointer <>
Copyright:Copyright (c) 2020 Jeff Forcier <>
API docs:


"Paramiko" is a combination of the Esperanto words for "paranoid" and "friend". It's a module for Python 2.7/3.4+ that implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines. Unlike SSL (aka TLS), SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced Telnet and rsh for secure access to remote shells, but the protocol also includes the ability to open arbitrary channels to remote services across the encrypted tunnel (this is how SFTP works, for example).

It is written entirely in Python (though it depends on third-party C wrappers for low level crypto; these are often available precompiled) and is released under the GNU Lesser General Public License (LGPL).

The package and its API is fairly well documented in the docs folder that should have come with this repository.


For most users, the recommended method to install is via pip:

pip install paramiko

For more detailed instructions, see the Installing page on the main Paramiko website.

Portability Issues

Paramiko primarily supports POSIX platforms with standard OpenSSH implementations, and is most frequently tested on Linux and OS X. Windows is supported as well, though it may not be as straightforward.

Bugs & Support

Bug Reports:Github
Mailing (see the LibreList website for usage details).
IRC:#paramiko on Freenode

Kerberos Support

Paramiko ships with optional Kerberos/GSSAPI support; for info on the extra dependencies for this, see the GSS-API section on the main Paramiko website.


Several demo scripts come with Paramiko to demonstrate how to use it. Probably the simplest demo is this:

import base64
import paramiko
key = paramiko.RSAKey(data=base64.b64decode(b'AAA...'))
client = paramiko.SSHClient()
client.get_host_keys().add('', 'ssh-rsa', key)
client.connect('', username='strongbad', password='thecheat')
stdin, stdout, stderr = client.exec_command('ls')
for line in stdout:
    print('... ' + line.strip('\n'))

This prints out the results of executing ls on a remote server. The host key b'AAA...' should of course be replaced by the actual base64 encoding of the host key. If you skip host key verification, the connection is not secure!

The following example scripts (in demos/) get progressively more detailed: invoke_shell() and emulates a terminal/TTY through which you can execute commands interactively on a remote server. Think of it as a poor man's SSH command-line client. as, but allows you to authenticate using a private key, attempts to use an SSH agent if present, and uses the long form of some of the API calls. script to set up port-forwarding across an SSH transport. an SFTP session and does a few simple file operations. SSH server that listens on port 2200 and accepts a login for 'robey' (password 'foo'), and pretends to be a BBS. Meant to be a very simple demo of writing an SSH server. key generator similar to OpenSSH ssh-keygen(1) program with Paramiko keys generation and progress functions.


The demo scripts are probably the best example of how to use this package. Also a lot of documentation is generated by Sphinx autodoc, in the doc/ folder.

There are also unit tests here:

$ pip install -r dev-requirements.txt
$ pytest

Which will verify that most of the core components are working correctly.

To test Kerberos/GSSAPI, you need a Kerberos environment. On UNIX you can use the package k5test to setup a Kerberos environment on the fly:

$ pip install -r dev-requirements.txt
$ pip install k5test gssapi pyasn1
$ pytest
You can’t perform that action at this time.