Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Paramiko: "not a valid RSA private key file"

I am trying connect to server using following spinet

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ip = ['x.x.x.x']
key_file = "/Users/user/.ssh/id_rsa"

key = paramiko.RSAKey.from_private_key_file(key_file)
ssh.load_system_host_keys()
ssh.connect(ips, port=22, username='XYZ', pkey=key, timeout=11)

But I am getting an error:

not a valid RSA private key file

like image 597
Owais Ahmad Avatar asked Feb 10 '19 01:02

Owais Ahmad


3 Answers

I faced a similar situation and ssh-keygen comes to my help. You should make a copy of id_rsa and convert it to RSA type with ssh-keygen.

To Convert "BEGIN OPENSSH PRIVATE KEY" to "BEGIN RSA PRIVATE KEY"

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
like image 194
ahirapara Avatar answered Nov 06 '22 21:11

ahirapara


Recent versions of OpenSSH (7.8 and newer) generate keys in new OpenSSH format by default, which starts with:

-----BEGIN OPENSSH PRIVATE KEY-----

That format is fully supported by the Paramiko since version 2.7.1 (2019-12-09) only.


If you are stuck with an older version of Paramiko, you can use ssh-keygen to convert the key to the classic OpenSSH format:

ssh-keygen -p -f file -m pem -P passphrase -N passphrase

(if the key is not encrypted with a passphrase, use "" instead of passphrase)

For Windows users: Note that ssh-keygen.exe is now built-in in Windows 10. And can be downloaded from Microsoft Win32-OpenSSH project for older versions of Windows.


On Windows, you can also use PuTTYgen (from PuTTY package):

  • Start PuTTYgen
  • Load the key
  • Go to Conversions > Export OpenSSH key.
    For RSA keys, it will use the classic format.

If you are creating a new key with ssh-keygen, just add -m PEM to generate the new key in the classic format:

ssh-keygen -m PEM

Note that you can get the error, also when you are trying to use a completely different key format, like ssh.com or PuTTY .ppk. Then you will have to convert the key in any case.

  • For ssh.com format, see Paramiko: "not a valid DSA private key file".
  • For PuTTY .ppk format, use PuTTYgen as shown above.
like image 18
Martin Prikryl Avatar answered Nov 06 '22 19:11

Martin Prikryl


The paramiko.RSAKey.from_private_key_file method requires the private key file to be in "PEM" format. Examine the file you're trying to read and see if it begins with a line that says:

-----BEGIN RSA PRIVATE KEY-----

If it doesn't have that line then it's not PEM.

If it's not PEM then you'll have to find some way to create a PEM version of the private key. (EDIT: the original poster used PuTTY's puttygen utility to export the private key into a PEM-format file.)

Make sure that the new file has the same ownership and limited access permissions that the original id_rsa file has, so that nobody can steal the key by reading the file. Then, obviously, modify your paramiko call to read the key from the new PEM-format file.

like image 4
ottomeister Avatar answered Nov 06 '22 19:11

ottomeister