Paramiko — using encrypted private key file on OS X

Question

I\'m trying to use Paramiko to connect to an SSH server from Python. This is what I tried so far:

>>> import paramiko
>>> import os
>>>         


        

Answer 1

Using encrypted private key in Paramiko is not possible, because ssh-agent doesn't give private key (without memory dump).

The solution would be to use subprocess and call ssh command from that (as any usual command). It didn't me ask for decryption of the private key (it uses ssh agent, you can find that using ssh -vvv).

BTW, I couldn't find benefits of using paramiko. SSH agent seems more developed and more general tool. For example, it's not possible to forward SSH agent in paramiko, one has to resort to subprocess for that. Also note this issue from 2014, "Key handling is terribad" (open):

SSHClient._auth uses a multi-exit strategy combined with storing a single exception to raise at the end of the process. This frequently means the raised exception at auth time is flat out incorrect as to the true cause of the inability to authenticate.

There are many paramiko bugs linked in this thread. It seems actively developed now, and I hope paramiko will fix that, but my advice is: don't rely on one single library, it may not fulfill your demands.

Yes, there is a possibility to provide password to the encrypted key, but that defeats the purpose of that. You either enter password yourself (then you don't need a key for ssh), or store the password on disk (of course not in version control), then you don't need the private key to be encrypted (the idea of that is that if someone gets your HDD, one doesn't get your private keys in plain text).

Answer 2

The RSAKey.from_private_key_file() is inherited from PKey(); an optional parameter of this method is a password. To quote:

If the private key is encrypted and password is not None, the given password will be used to decrypt the key (otherwise PasswordRequiredException is thrown).

As you're not passing a password and your key is encrypted this exception will always be thrown. There's only one way round this problem, to actually give the method a password. You, therefore, need a way of getting the password out of the OSXKeychain.

You could use the cross-platform Keyring module to do this.

Answer 3

The following approach seems to work fine (on OS X, with the usual setup of encrypted private keys that have passphrases stored in the keychain, without any user interaction):

import paramiko

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.connect(HOST, username=USER, look_for_keys=False)
...
ssh.close()

It seems that look_for_keys=False is not absolutely necessary. However, if you use it you will get much better error messages in the case of an authentication failure ("AuthenticationException" instead of "PasswordRequiredException").

---

If you really want to use private keys directly, you could do the following:

import os
import paramiko
import keyring

keyfile = os.path.expanduser('~/.ssh/id_rsa')
password = keyring.get_password('SSH', keyfile)
key = paramiko.RSAKey.from_private_key_file(keyfile, password=password)

However, based on my testing, this is not needed. The above solution that uses ssh.connect in a straightforward manner should be sufficient.