Paramiko — using encrypted private key file on OS X

天命终不由人 2021-02-07 05:10

I'm trying to use Paramiko to connect to an SSH server from Python. This is what I tried so far:

>>> import paramiko
>>> import os
3 answers
  •  梦毁少年i
    2021-02-07 05:16

    Using an encrypted private key in Paramiko is not possible, because ssh-agent doesn't give out the private key (without a memory dump).

    The solution would be to use subprocess and call the ssh command from that (as with any usual command). It didn't ask me for decryption of the private key (it uses ssh-agent; you can find that out using ssh -vvv).

    BTW, I couldn't find the benefits of using paramiko. SSH agent seems a more developed and more general tool. For example, it's not possible to forward the SSH agent in paramiko; one has to resort to subprocess for that. Also note this issue from 2014, "Key handling is terribad" (open):

    SSHClient._auth uses a multi-exit strategy combined with storing a single exception to raise at the end of the process. This frequently means the raised exception at auth time is flat out incorrect as to the true cause of the inability to authenticate.

    There are many paramiko bugs linked in this thread. It seems actively developed now, and I hope paramiko will fix that, but my advice is: don't rely on one single library, it may not fulfill your demands.

    Yes, there is a possibility to provide a password for the encrypted key, but that defeats the purpose of it. You either enter the password yourself (then you don't need a key for ssh), or store the password on disk (of course not in version control), and then you don't need the private key to be encrypted (the idea of that is that if someone gets your HDD, they don't get your private keys in plain text).
