ecdsa.der.UnexpectedDER with my ECDSA key #559

Closed
KokaKiwi opened this Issue Jul 16, 2015 · 7 comments

@KokaKiwi

Hi, I'm using Fabric and I noticed, using the 1.15 version, that my ECDSA key raises an exception when handled by paramiko:

Traceback (most recent call last):
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/main.py", line 743, in main
    *args, **kwargs
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/tasks.py", line 387, in execute
    multiprocessing
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/tasks.py", line 277, in _execute
    return task.run(*args, **kwargs)
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/tasks.py", line 174, in run
    return self.wrapped(*args, **kwargs)
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/decorators.py", line 53, in inner_decorator
    return func(*args, **kwargs)
  File ".../deploy/fabfile/__init__.py", line 32, in install
    cmd.packages_install('zsh', 'sudo', 'curl', 'git', 'openssl')
  File ".../deploy/fabfile/cmd.py", line 35, in packages_install
    cuisine.package_ensure(name)
  File ".../deploy/.venv/lib/python2.7/site-packages/cuisine.py", line 154, in wrapper
    return function(*args, **kwargs)
  File ".../deploy/.venv/lib/python2.7/site-packages/cuisine.py", line 204, in wrapper
    return specific(*args, **kwargs)
  File ".../deploy/.venv/lib/python2.7/site-packages/cuisine.py", line 1006, in package_ensure_apt
    status = run("dpkg-query -W -f='${Status} ' %s && echo OK;true" % p)
  File ".../deploy/.venv/lib/python2.7/site-packages/cuisine.py", line 433, in run
    return fabric.api.run(*args, **kwargs)
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/network.py", line 649, in host_prompting_wrapper
    return func(*args, **kwargs)
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/operations.py", line 1056, in run
    shell_escape=shell_escape)
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/operations.py", line 923, in _run_command
    channel=default_channel(), command=wrapped_command, pty=pty,
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/state.py", line 397, in default_channel
    chan = _open_session()
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/state.py", line 389, in _open_session
    return connections[env.host_string].get_transport().open_session()
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/network.py", line 159, in __getitem__
    self.connect(key)
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/network.py", line 151, in connect
    user, host, port, cache=self, seek_gateway=seek_gateway)
  File ".../deploy/.venv/lib/python2.7/site-packages/fabric/network.py", line 452, in connect
    sock=sock
  File ".../deploy/.venv/lib/python2.7/site-packages/paramiko/client.py", line 307, in connect
    look_for_keys, gss_auth, gss_kex, gss_deleg_creds, gss_host)
  File ".../deploy/.venv/lib/python2.7/site-packages/paramiko/client.py", line 497, in _auth
    key = pkey_class.from_private_key_file(filename, password)
  File ".../deploy/.venv/lib/python2.7/site-packages/paramiko/pkey.py", line 183, in from_private_key_file
    key = cls(filename=filename, password=password)
  File ".../deploy/.venv/lib/python2.7/site-packages/paramiko/ecdsakey.py", line 49, in __init__
    self._from_private_key_file(filename, password)
  File ".../deploy/.venv/lib/python2.7/site-packages/paramiko/ecdsakey.py", line 148, in _from_private_key_file
    self._decode_key(data)
  File ".../deploy/.venv/lib/python2.7/site-packages/paramiko/ecdsakey.py", line 158, in _decode_key
    s, padding = der.remove_sequence(data)
  File ".../deploy/.venv/lib/python2.7/site-packages/ecdsa/der.py", line 65, in remove_sequence
    raise UnexpectedDER("wanted sequence (0x30), got 0x%02x" % n)
ecdsa.der.UnexpectedDER: wanted sequence (0x30), got 0x2d

I don't have any idea why I have this as my key is working perfectly with my OpenSSH client.

@arittr
arittr commented Oct 12, 2015

Any news on this? I have the exact same issue and it's very frustrating.

@cebrusfs
Contributor

I got the same error with a password-encrypted ECDSA key. But after I removed the password, it did not raise the exception. I think paramiko may not handle encrypted ECDSA keys.

@mikl
mikl commented Feb 29, 2016

Ditto here, only remedy was to make sure Paramiko does not try to load the ecdsa key.

@cebrusfs
Contributor
cebrusfs commented May 8, 2016

I traced this bug and it seems that it didn't handle the der exception in the ECDSA key parsing phase. However, this bug is fixed in the latest version. I re-installed paramiko via pip and no longer see the error message.

PS: the paramiko version with the bug on my machine is paramiko-1.16.0, but there is paramiko-2.0.0 on pip.

@cebrusfs
Contributor
cebrusfs commented May 9, 2016 edited

Sorry, I made a mistake. The issue is still there even though ecdsakey.py is refactored.
I've created a pull request to handle this case.

@bitprophet
Member
bitprophet commented May 12, 2016 edited

I'm wondering what the initial trigger for this was, since @cebrusfs' patch only fixes the post-2.0.0 use case. Perhaps folks getting this pre-2.0 are using specific subtypes of ECDSA keys we didn't support previously (e.g. #731 - though that notes the errors encountered w/ such keys were silent failures...but could still have been the usual "only the last error gets raised" behavior in play).

Going to close/roll into #742 in the hopes that the earlier instances have been addressed in recent updates - please comment if you can still recreate the original error here, with Paramiko 2.0.1 or above (once that's out with #742 in it).

@bitprophet bitprophet closed this May 12, 2016
@cebrusfs
Contributor
cebrusfs commented May 12, 2016 edited

In my use case, I use client.connect() with username and password to connect to a server. paramiko will load all keys in .ssh/id_* and try to use this password to decrypt them.
The password is not the password of my private key, so the key parser gets garbage contents and then raises the error.

I believe that some people here ran into the same situation.
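The failure mode described in the comment above, as an added example that is not paramiko's or python-ecdsa's code: a stdlib-only pre-flight check that tells an encrypted PEM key apart from a plain one and applies the same "must start with DER SEQUENCE tag 0x30" test the traceback fails on. The helper names (`split_pem`, `require_der_sequence`, `classify`, `make_pem`) and the sample key bodies are constructed for illustration; the `decrypted` argument stands in for whatever the caller's decryption step returned.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S)

class KeyFormatError(ValueError):
    """Key material is missing or is not a DER SEQUENCE."""

def split_pem(text):
    """Return (label, headers, raw_bytes) for a traditional PEM block."""
    m = PEM_RE.search(text)
    if m is None:
        raise KeyFormatError("no PEM block found")
    headers, b64 = {}, []
    for line in m.group("body").splitlines():
        if ":" in line:  # Proc-Type / DEK-Info; base64 never contains ':'
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
        else:
            b64.append(line.strip())
    return m.group("label"), headers, base64.b64decode("".join(b64))

def require_der_sequence(data):
    """The check from the traceback: DER must begin with tag 0x30."""
    if not data or data[0] != 0x30:
        got = "nothing" if not data else "0x%02x" % data[0]
        raise KeyFormatError("wanted sequence (0x30), got %s" % got)

def classify(text, decrypted=None):
    """Report key state without letting a DER error escape to the caller."""
    _, headers, raw = split_pem(text)
    encrypted = headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED"
    if encrypted and decrypted is None:
        return "needs-passphrase"  # skip this key for password-only logins
    try:
        require_der_sequence(decrypted if encrypted else raw)
    except KeyFormatError:
        return "bad-passphrase-or-corrupt" if encrypted else "not-der"
    return "ok"

# Constructed samples: tiny DER-shaped bodies, not real key material.
def make_pem(body, headers=""):
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN EC PRIVATE KEY-----\n%s%s\n-----END EC PRIVATE KEY-----\n" % (headers, b64)

PLAIN_PEM = make_pem(b"\x30\x03\x02\x01\x01")
ENC_PEM = make_pem(b"\x8f" * 16, "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC," + "00" * 16 + "\n\n")
```
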