
Unable to establish connection for SSH keys generated with passphrase #30

Closed
ftall opened this issue Oct 26, 2015 · 7 comments


ftall commented Oct 26, 2015

I have generated a private RSA key. For this configuration, AsyncSSH cannot establish a connection for the client code:

    with (yield from asyncssh.connect('localhost', username='user', password='####')) as conn:
        stdin, stdout, stderr = yield from conn.open_session('bc')

As a result I got an error:

    asyncssh.public_key.KeyImportError: Passphrase must be specified to import encrypted private keys

Environment:
OS: Fedora 22 x86_64
Python 3.4.2 (default, Jul 9 2015, 17:24:30)
AsyncSSH 1.3.0

I have tried to resolve this issue by passing the passphrase as an argument for the connection (96a9f5c), which works fine for me, at least as a workaround.

Owner

ronf commented Oct 27, 2015

Yeah - there's no support yet for loading default key files or key files you specify as strings/bytes which are encrypted. Right now, if you want to load encrypted private keys, you need to load them explicitly by calling functions like import_private_key() or read_private_key() with a passphrase and then pass the loaded keys via the client_keys argument to create_connection()/connect() or the server_host_keys argument to create_server()/listen(). This is the only way to support loading multiple keys if more than one passphrase is needed.

That said, I can see some value in allowing a passphrase to be passed in to decrypt any encrypted keys which were being loaded in the case where all of them were encrypted with the same passphrase. I'll take a closer look at what you did here. Thanks!

ronf self-assigned this Oct 28, 2015
Owner

ronf commented Oct 28, 2015

Ok - I've checked in support for this in the develop branch, for both client keys and server host keys. If you get a chance, please give it a try and let me know if it's working for you.

Author

ftall commented Oct 28, 2015

Thanks for your answer. The proposed solution is working well for me.

ronf closed this as completed Oct 28, 2015
@fraxinas

Please excuse me resurrecting this long dead thread, however I inexplicably get the exact same error message as previously reported by @ftall on one of my machines. I'm working with this most basic 'hello world' type example:

    import asyncio, asyncssh, sys

    async def run_client():
        async with asyncssh.connect('localhost', username='fraxinas', password='xxxxx') as conn:
            result = await conn.run('echo "Hello!"', check=True)
            print(result.stdout, end='')

    try:
        asyncio.get_event_loop().run_until_complete(run_client())
    except (OSError, asyncssh.Error) as exc:
        sys.exit('SSH connection failed: ' + str(exc))

and it throws:

    asyncssh.public_key.KeyImportError: Passphrase must be specified to import encrypted private keys

even though I explicitly use username/password login instead of private key auth.

This happens on my Antergos machine with asyncssh 1.10.0, Python 3.6.1, openssl 1.1.0.e-1.
On another machine running Arch Linux with all the same versions, the code runs smoothly. Also when connecting to the Antergos machine instead of localhost. Vice versa, the Antergos machine can't connect to the Arch system either: always the same KeyImportError. I added a new user without ssh setup; this leads to

    SSH connection failed: [Errno 2] No such file or directory: '/home/sftptest/.ssh/known_hosts'

and with that file touched empty, to

    SSH connection failed: Disconnect Error: No trusted server host keys available

so no luck with that either.

Owner

ronf commented May 17, 2017

Hello,

If you have keys in your .ssh directory, they will be used by default, and if they are protected by a passphrase and you don't provide one, I'm guessing you'll get the error you are seeing here. I could probably make it so that it will ignore any encrypted keys it finds if you don't specify a client_keys or passphrase value explicitly, but for now I'd suggest setting client_keys=None explicitly if you don't want to attempt public key authentication using the default keys.

Regarding known_hosts, AsyncSSH requires that the host you are contacting already have an entry in the .ssh/known_hosts file by default. If you don't want to do known hosts checking, you must pass in known_hosts=None explicitly to disable that, but be warned that this leaves you open to man-in-the-middle attacks.

If you pass in known_hosts=None (or point it at some other file), you shouldn't need to manually touch .ssh/known_hosts. An empty file there isn't very useful, as you'll just end up getting the "No trusted server hosts keys available" message when it searches for a trusted host key and finds that there aren't any listed.
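A standard-library check, added here as an example and not part of this thread or of AsyncSSH, that reports which private key files in a `.ssh` directory are passphrase-protected and would therefore raise the `KeyImportError` above when loaded by default without a passphrase. The `id_*` file pattern and all function names are assumptions; the sample key is constructed and holds only the header fields the check reads.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def is_encrypted_private_key(data: bytes) -> bool:
    """Return True if the private key bytes need a passphrase to import."""
    text = data.decode("ascii", errors="replace")
    # PKCS#8 encrypted container, or traditional PEM with an encryption header.
    if "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text:
        return True
    # OpenSSH format: magic, then a length-prefixed cipher name ("none" = plain).
    if BEGIN in text and END in text:
        body = text.split(BEGIN, 1)[1].split(END, 1)[0]
        blob = base64.b64decode("".join(body.split()))
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            raise ValueError("malformed OpenSSH private key")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    return False


def encrypted_default_keys(ssh_dir):
    """List id_* private key files in ssh_dir that are passphrase-protected."""
    found = []
    for path in sorted(Path(ssh_dir).glob("id_*")):
        if path.suffix == ".pub" or not path.is_file():
            continue  # skip public halves and directories
        if is_encrypted_private_key(path.read_bytes()):
            found.append(path.name)
    return found


def constructed_openssh_key(cipher: bytes) -> bytes:
    """Constructed sample: header fields only, no real key material."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"{BEGIN}\n{b64}\n{END}\n".encode()


if __name__ == "__main__":
    print(is_encrypted_private_key(constructed_openssh_key(b"aes256-ctr")))
    print(encrypted_default_keys(Path.home() / ".ssh"))
```

A non-empty result means the connection needs either a passphrase for those keys or `client_keys=None` when only password authentication is intended.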

@fraxinas

Thanks for your prompt response, ronf!
Explicitly adding client_keys=None to the parameter list works perfectly, sorry I missed that.

Owner

ronf commented May 18, 2017

No worries - I appreciate your report.

When I looked more closely at this, I found that I wasn't supporting the 'passphrase' argument in create_connection() when loading default keys. So, I fixed that and while there also decided to ignore encrypted keys which are in the default key locations if you don't specify either client_keys or passphrase. So, the error you saw should no longer happen in the latest code. This is checked into the develop branch now in commit 69f1524, and will become part of the next release.
