Context Navigation

← Previous Ticket
Next Ticket →

#2307 closed defect (upstream)

paramiko does not support the new openssh key format

Reported by:	Antoine Martin	Owned by:	Antoine Martin
Priority:	critical	Milestone:	3.0
Component:	network	Version:	2.5.x
Keywords:		Cc:

Description

It reports:

$ python -c "from paramiko import RSAKey;RSAKey.from_private_key_file('./test.rsa')"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/paramiko/pkey.py", line 206, in from_private_key_file
    key = cls(filename=filename, password=password)
  File "/usr/lib/python2.7/site-packages/paramiko/rsakey.py", line 55, in __init__
    self._from_private_key_file(filename, password)
  File "/usr/lib/python2.7/site-packages/paramiko/rsakey.py", line 175, in _from_private_key_file
    data = self._read_private_key_file("RSA", filename, password)
  File "/usr/lib/python2.7/site-packages/paramiko/pkey.py", line 279, in _read_private_key_file
    data = self._read_private_key(tag, f, password)
  File "/usr/lib/python2.7/site-packages/paramiko/pkey.py", line 289, in _read_private_key
    raise SSHException("not a valid " + tag + " private key file")
paramiko.ssh_exception.SSHException: not a valid RSA private key file

With a key file generated using a recent ssh-keygen, the file looks like this:

-----BEGIN OPENSSH PRIVATE KEY-----
(key data)
-----END OPENSSH PRIVATE KEY-----

Instead of the older pem format:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,48F3BB90CF126AB9

(key data)
-----END RSA PRIVATE KEY-----

And so the connection fails with the message: not a valid RSA private key file.
r22779 improves things and will continue and try other keyfiles, password auth, etc but this doesn't help loading this new key format.

Change History (3)

comment:1 Changed 12 months ago by Antoine Martin

Status:	new → assigned
Summary:	paramiko does not support openssh's new key format → paramiko does not support the new openssh key format

We need paramiko to add support for loading this new type of keyfile: Support for the new OpenSSH format and add support for new OpenSSH private key format. (no working implementation in those tickets at time of writing)
See SSH key generated by ssh-keygen is not recognized by Paramiko.

Pointers:

From OpenSSH 7.8 the default format RSA key pair has changed
How-to : Convert OpenSSH private keys to RSA PEM
OpenSSH vs OpenSSL Key Formats: OpenSSH has now added it's own "proprietary" key format
Convert OpenSSH private key into SSH2 private key

Related code updates:

r22783 will print a warning when we find a key using the unsupported "new openssh format"
r22784 tries to support more private key formats

comment:2 Changed 10 months ago by Antoine Martin

Resolution:	→ upstream
Status:	assigned → closed

Looks like there is a more active fork: paramiko-ng and they have support for those keys: https://github.com/ploxiln/paramiko-ng/pull/13.
AFAICT, the key loading code remains the same, so no code changes are required in xpra.

Since this bug is mostly relevant to Posix builds, there's not much we can do here: just hope that the distros switch to the ng fork, or that upstream merges the patch.

comment:3 Changed 4 months ago by Antoine Martin

Code has been merged upstream in paramiko 2.7: https://github.com/paramiko/paramiko/pull/1343#issuecomment-561380014

Note: See TracTickets for help on using tickets.

Download in other formats: