I have the following code:
ssh_key = paramiko.RSAKey.from_private_key_file(key_filename)
the key looks like this:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAqdgmJ2AQlmvpCsDWjbpIvIrx4AwtKn2t10wmGZIN9pqcJgQpo3HD
and is valid:
$ ssh-keygen -l -f <mykeyfile>
$ 2048 SHA256:x8jlUAObU3q2KXRtuGpxwhnGvB/ZoeD2IUqSA1OkCmI thomas@Thomas-MBP-2017 (RSA)
but I get the following error:
not a valid RSA private key file
This is on MacOS, Python 2.7, Paramiko 2.4.2
What am I doing wrong?
So, the OpenSSH private key format ultimately contains a private key encrypted with a non-standard version of PBKDF2 that uses bcrypt as its core hash function. The structure that contains the key is not ASN.1, even though it's base64 encoded and wrapped between header and footer that are similar to the PEM ones.
For OpenSSH 7.8 up, you have to trick it. Run ssh-keygen -p [-f file] -m pem to purportedly change passphrase, but reuse the old one. Use -P oldpw -N newpw if you want to avoid the prompts, as in a script, but be careful of making your passphrase visible to other users. As a side effect this rewrites the keyfile (if not ed25519) in 'old' (OpenSSL-compatible and thus paramiko-compatible) format. (If you want to keep the new-format file, copy first.)
For older versions of OpenSSH just do ssh-keygen -p [-f file] WITHOUT -o.
Also, if you have (or get) it, the puttygen utility in the PuTTY suite from 0.69 up supports this format. In the Unix version, just do puttygen newfmtfile -O private-openssh -o oldfmtfile (again excepting ed25519). In the Windows version AFAICT you must use the GUI; load the newfmtfile and do Conversions / Export OpenSSH key.
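A way to check which container a key file uses before handing it to paramiko, added here as an example and not taken from any of the posts above. It is Python 3, standard library only; the function and sample names are hypothetical, the sample inputs are constructed dummies, and the field order (magic, cipher name, KDF name, KDF options, key count, public key) is the openssh-key-v1 header layout.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # leading bytes of the new OpenSSH container

def _string(buf, off):
    """Read one SSH string (uint32 big-endian length + bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def describe_private_key(text):
    """Report the container format of a private key file without loading the key."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("no BEGIN line found")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label != "OPENSSH PRIVATE KEY":
        # Traditional PEM: encrypted files carry a Proc-Type header line.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return {"container": "pem", "label": label, "encrypted": encrypted}
    blob = base64.b64decode("".join(ln for ln in lines if not ln.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _string(blob, off)
    kdf, off = _string(blob, off)
    _kdf_options, off = _string(blob, off)
    off += 4  # skip the uint32 number of keys
    public, off = _string(blob, off)
    key_type, _ = _string(public, 0)  # public key blob starts with its type name
    return {"container": "openssh-key-v1", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "key_type": key_type.decode(),
            "encrypted": cipher != b"none"}

def _s(b):
    return struct.pack(">I", len(b)) + b

# Constructed samples (dummy values, not usable keys).
_blob = MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1) \
    + _s(_s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" * 8)) + _s(b"")
SAMPLE_NEW = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_blob).decode()
              + "\n-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_OLD = "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(describe_private_key(SAMPLE_NEW))
    print(describe_private_key(SAMPLE_OLD))
```

A result of "openssh-key-v1" identifies the new-format file that the conversion commands above rewrite; "pem" with label "RSA PRIVATE KEY" is the old format.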