Search code examples
python-3.xsshparamikoscp

NotImplementedError: ECDSA certificates with unnamed curves are unsupported at this time

Code snippet:

from paramiko import SSHClient, AutoAddPolicy
from scp import SCPClient

ssh = SSHClient()
ssh.load_system_host_keys()
ssh.set_missing_host_key_policy(AutoAddPolicy())
ssh.connect(target_ip_addr, 22, username, password)
scp = SCPClient(ssh.get_transport())
scp.get(src_filepath, dest_dir)

Failure:

43 20200715 222952 [.] [ERROR] * /usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/paramiko-2.4.2-py3.7.egg/paramiko/client.py:437: in connect
44 20200715 222952 [.] [ERROR] *     passphrase,
45 20200715 222952 [.] [ERROR] * /usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/paramiko-2.4.2-py3.7.egg/paramiko/client.py:720: in _auth
46 20200715 222952 [.] [ERROR] *     filename, pkey_class, passphrase
47 20200715 222952 [.] [ERROR] * /usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/paramiko-2.4.2-py3.7.egg/paramiko/client.py:571: in _key_from_filepath
48 20200715 222952 [.] [ERROR] *     key = klass.from_private_key_file(key_path, password)
49 20200715 222952 [.] [ERROR] * /usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/paramiko-2.4.2-py3.7.egg/paramiko/pkey.py:206: in from_private_key_file
50 20200715 222952 [.] [ERROR] *     key = cls(filename=filename, password=password)
51 20200715 222952 [.] [ERROR] * /usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/paramiko-2.4.2-py3.7.egg/paramiko/ecdsakey.py:126: in __init__
52 20200715 222952 [.] [ERROR] *     self._from_private_key_file(filename, password)
53 20200715 222952 [.] [ERROR] * /usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/paramiko-2.4.2-py3.7.egg/paramiko/ecdsakey.py:279: in _from_private_key_file
54 20200715 222952 [.] [ERROR] *     self._decode_key(data)
55 20200715 222952 [.] [ERROR] * /usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/paramiko-2.4.2-py3.7.egg/paramiko/ecdsakey.py:288: in _decode_key
56 20200715 222952 [.] [ERROR] *     data, password=None, backend=default_backend()
57 20200715 222952 [.] [ERROR] * usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/cryptography-2.3.1-py3.7-linux-x86_64.egg/cryptography/hazmat/primitives/serialization.py:32: in load_der_private_key
58 20200715 222952 [.] [ERROR] *     return backend.load_der_private_key(data, password)
59 20200715 222952 [.] [ERROR] * usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/cryptography-2.3.1-py3.7-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py:1061: in load_der_private_key
60 20200715 222952 [.] [ERROR] *     return self._evp_pkey_to_private_key(key)
61 20200715 222952 [.] [ERROR] * usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/cryptography-2.3.1-py3.7-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py:488: in _evp_pkey_to_private_key
62 20200715 222952 [.] [ERROR] *     return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
63 20200715 222952 [.] [ERROR] * usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/cryptography-2.3.1-py3.7-linux-x86_64.egg/cryptography/hazmat/backends/openssl/ec.py:134: in __init__
64 20200715 222952 [.] [ERROR] *     sn = _ec_key_curve_sn(backend, ec_key_cdata)
65 20200715 222952 [.] [ERROR] * _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
66 20200715 222952 [.] [ERROR] * 
67 20200715 222952 [.] [ERROR] * backend = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7fbe4feb0400>
68 20200715 222952 [.] [ERROR] * ec_key = <cdata 'EC_KEY *' 0x1d64c40>
69 20200715 222952 [.] [ERROR] * 
70 20200715 222952 [.] [ERROR] *     def _ec_key_curve_sn(backend, ec_key):
71 20200715 222952 [.] [ERROR] *         group = backend._lib.EC_KEY_get0_group(ec_key)
72 20200715 222952 [.] [ERROR] *         backend.openssl_assert(group != backend._ffi.NULL)
73 20200715 222952 [.] [ERROR] *     
74 20200715 222952 [.] [ERROR] *         nid = backend._lib.EC_GROUP_get_curve_name(group)
75 20200715 222952 [.] [ERROR] *         # The following check is to find EC keys with unnamed curves and raise
76 20200715 222952 [.] [ERROR] *         # an error for now.
77 20200715 222952 [.] [ERROR] *         if nid == backend._lib.NID_undef:
78 20200715 222952 [.] [ERROR] *             raise NotImplementedError(
79 20200715 222952 [.] [ERROR] * >               "ECDSA certificates with unnamed curves are unsupported "
80 20200715 222952 [.] [ERROR] *                 "at this time"
81 20200715 222952 [.] [ERROR] *             )
82 20200715 222952 [.] [ERROR] * E           NotImplementedError: ECDSA certificates with unnamed curves are unsupported at this time
83 20200715 222952 [.] [ERROR] * 
84 20200715 222952 [.] [ERROR] * usr/software/pkgs/Python-3.7.1/lib/python3.7/site-packages/cryptography-2.3.1-py3.7-linux-x86_64.egg/cryptography/hazmat/backends/openssl/ec.py:37: NotImplementedError

Not sure how to fix this error. Any suggestion?

Solution

  • The cryptography library (which paramiko relies on) does not support unnamed EC curves (aka curves with explicit parameters). It looks like there exists an EC key in this code path that causes this exception. If you control this you should generate new keys that use named curves (unnamed curves are unwise in general).