Support for PKCS#8 pkey format #1015
Comments
|
Thanks for the report, and greatly appreciate you taking #387 into consideration! Part of me says that it might be plausible to add this particular wrinkle without substantially affecting the rest of the problem, but another part notes that it'd still be best to wait since it involves changing the body of Does make me wonder if we could/should be relying more on other libraries for these commonly used formats; for example, our crypto backend knows how to write PKCS8 style RSA (etc) keys, as per here. It looks like it cannot read them yet but I wonder if @alex / @reaperhulk and co would be open to adding the functionality on that level. At the moment we seem to split this region of functionality across the two libs - eg Cryptography on its own can load basic RSA/DSA/EC key files, so presumably we could leverage more of that than we are; but Cryptography can't do ED25519 - even though Alex added it to Paramiko recently, using lower level Crypto primitives. |
|
I think clearing out all the PEM handling code in
|
|
just commenting on this so i can find it again so i can track when i can gen ed25519 keys with paramiko. |
|
I recently tried to install Fabric on my Mac and ran into the exact issue posted in #1363. The (valid) private key had a first line containing Do you know of any workaround for this? I don't quite know how to use the workaround that @kuzeyron posted to #1363, since I need both public and private keys. Thanks! |
|
Hello have same issue after updateing my fedora, I used the workaround here (involves new keys :-( ) net-ssh/net-ssh#638 (comment) ssh-keygen -m PEM -t rsa |
Looks like new versions of openssh generate keys differently for RSA it have changes the delimiters of the private key with OPENSSH instead of RSA paramiko fails with this [1], and the solutions is here [2] Solution: regenerate key with ssh-keygen -m PEM -t rsa [1] paramiko/paramiko#1015 [2] net-ssh/net-ssh#638 (comment) Change-Id: I3f313974e9cfe1c554ec4bd44f66414420adf156
This doesn't seem to work still. Using Fabric |
|
Unless I'm missing something there's no open PRs for this, but I am putting it in the p1 milestone for now hoping I'm wrong or somebody (or me!) has time to write one. The notes above by Alex give me hope that it should not be a lot of work or require scary new deps. |
Later update to the latest OpenSSH version after generating the key. OpenSSH 8.0 generates PEM keys in PKCS8 PEM format, which Paramiko does not recognize. Further information: https://bugzilla.redhat.com/show_bug.cgi?id=1722285 paramiko/paramiko#1015 ## To make a commit, type your commit message and press SUPER-ENTER. To cancel ## the commit, close the window. To sign off on the commit, press SUPER-S. ## ## You may also reference or close a GitHub issue with this commit. To do so, ## type `#` followed by the `tab` key. You will be shown a list of issues ## related to the current repo. You may also type `owner/repo#` plus the `tab` ## key to reference an issue in a different GitHub repo. fedora30-test-container/Dockerfile | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
Later update to the latest OpenSSH version after generating the key. OpenSSH 8.0 generates PEM keys in PKCS8 PEM format, which Paramiko does not recognize. Further information: https://bugzilla.redhat.com/show_bug.cgi?id=1722285 paramiko/paramiko#1015
|
I'm actually wondering how valid this is at this point:
I'm going to take this off the table for Paramiko 2.7; if the originator can provide some details about where they're getting these PKCS#8 style keys and what SSHD(s) they're using them with, I'd be happy to include it in a later release. Thanks! |
|
So there is no work around? Even the keygen side of things. e.g. use a different tool that produces the correct SSH key headers? |
|
I'd guess you can use I was just unable to give that a test on my end as I don't have one of these less-common keys around, couldn't just make one w/ ssh-keygen itself, and didn't have time to really dig into how to create them (looks like maybe one would use openssl?). Further, without a solid idea of how users arrive at this kind of key (is it actually some semi common tool/workflow and I've just never run into it? or is it actually pretty rare and folks just have unusual requirements in their org? etc), it's hard to judge whether internal Paramiko support for them is worth development effort or if the best solution is to add an FAQ entry with that ssh-keygen command. Open to input here! |
|
I tried the following with a private ppk file: puttygen convert to "Open SSH key" file. Is there anyway to get a valid RSA file for paramiko from a ppk private file? I tried everything I could find. |
|
@WurstCommander You need to convert it from the ppk format first before you can use ssh-keygen transformations on it (though you shouldn't need to after using puttygen). You can do this on linux by installing the linux build of puttygen (most distros have it in a package named "putty-tools" or just "putty"): |
|
Note that the above will generate a key with the new format, " If you used |
|
This may not be relevant to all, but, I managed to work around my problem, and now my application works as intended. I was using Fabric to perform a command on a remote server, using an OpenSSH private/public key pair. c = Connection(
host="server_ip",
user="username",
connect_kwargs={
"key_filename": "/path/to/private_key"
})
result = c.run('uname -s', hide=True)
print(result)This gave the error: To get my application to work, instead of using Fabric, I decided to use Paramiko directly and it worked the first time. k = paramiko.RSAKey.from_private_key_file("/path/to/private_key")
# Create an SSH client
c = paramiko.SSHClient()
# Add the key policy to the client
c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
app.logger.info("Connecting to server")
# Create the connection to the hostname, using the username, with the private key defined before
c.connect(hostname = "hostname", username = "username", pkey = k)
app.logger.info("Connected")
app.logger.info("Executing {}".format(inp_cmd))
# Assing the result variables from executing the command
c_stdin, c_stdout, c_stderr = c.exec_command(inp_cmd)
# Assign the comand output to result.
result = c_stdout.read()
# Log the result
app.logger.info(result)
# Log errors
app.logger.info("Errors")
app.logger.info(c_stderr.read())
# Close connection
c.close()So in summary; Using Fabric did not work. Using Paramiko did! |
Thanks for your help, I did the stuff you mentioned. I got now a key with
as the first line of the keyfile and still it get: |
|
@WurstCommander what does |
|
@johnnybubonic 2.7.1 FYI: Python 3.7.1 (v3.7.1:260ec2c36a, Oct 20 2018, 14:05:16) Which seems to be the newest version: |
|
@WurstCommander that key fails this check in if 0x20 <= padding_length < 0x7f:
return data # no padding, last byte part comment (printable ascii)
if padding_length > 15:
raise SSHException("Invalid key")Does your key have 16 bytes of padding? (Does changing 15 to 16 make it work?) Or does your key have an embedded comment which ends with a non-ascii non-printable character? (newline char? utf8 for some accented character?) |
|
@ploxiln This is the pagent info of the original key (which I converted like johnnybubonic said above) Thank you for your help |
|
As of OpenSSL v3.0, |
OpenSSL 3.0 changed the default output format from PKCS#1 to PKCS#8, which paramiko does not support. https://www.openssl.org/docs/man3.0/man1/openssl-rsa.html#traditional paramiko/paramiko#1015
OpenSSL 3.0 changed the default output format from PKCS#1 to PKCS#8, which paramiko does not support. https://www.openssl.org/docs/man3.0/man1/openssl-rsa.html#traditional paramiko/paramiko#1015
Related to #387
For RSA private keys, apparently the rsa pkey header
-----BEGIN RSA PRIVATE KEY-----is not always used. The header-----BEGIN PRIVATE KEY-----(sansRSA) is used in some formats, like PKCS#8. sourceThe current implementation of paramiko pkey parses the private key file, looking for the following header:
beginning_of_key = '-----BEGIN ' + tag + ' PRIVATE KEY-----'If it doesn't find it, it raises an
SSHException('not a valid ' + tag + ' private key file').Thus the consideration to have when refactoring pkey loading is to support the PKCS#8 format :)
I'd be happy to do a PR but like it has been said in 387, "most of the existing PRs poking at it are too limited in scope; this sort of change has a high chance for bugs and breaking backwards compatibility (intentionally or no) and I feel it needs a broadly considered update."
The text was updated successfully, but these errors were encountered: