Tags: python, ssh, ftp, sftp, paramiko

Paramiko RSAKey "private key file is encrypted"


I'm trying to use Paramiko to connect to an SFTP site.

"paramiko": {
    "hashes": [
        "sha256:6bef55b882c9d130f8015b9a26f4bd93f710e90fe7478b9dcc810304e79b3cd8",
        "sha256:fedc9b1dd43bc1d45f67f1ceca10bc336605427a46dcdf8dec6bfea3edf57965"
    ],
    "index": "pypi",
    "version": "==3.0.0"
},

I have a .pem file in the form

-----BEGIN OPENSSH PRIVATE KEY-----
data for the key
-----END OPENSSH PRIVATE KEY-----

It's worth mentioning that the key is encrypted with a passphrase.

I attempt to load the key file, providing the password, and that works fine:

# Works great :)
mykey = paramiko.RSAKey.from_private_key_file(key_file_path, password=password)
self.ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# this explodes
self.ssh_client.connect(hostname=settings.ftp_host, username=username, pkey=mykey, port=22)
self.ftp = self.ssh_client.open_sftp()

paramiko.ssh_exception.PasswordRequiredException: private key file is encrypted

If I change the connect to

self.ssh_client.connect(hostname=settings.ftp_host, username=username, pkey=mykey, port=22, passphrase=password)

paramiko.ssh_exception.SSHException: OpenSSH private key file checkints do not match

And if I try to use key_filename instead of pkey

self.ssh_client.connect(hostname=settings.ftp_host, username=username, key_filename=key_file_path, port=22, passphrase=password)

ValueError: q must be exactly 160, 224, or 256 bits long

I am able to successfully connect to the SFTP with this key using FileZilla; I'm just not sure what I'm doing wrong in Paramiko.


Solution

  • Figured this out today.

    I set up Paramiko's logging and saw that it was defaulting to try to use 'rsa-sha2-512':

    2023-02-16 10:01:46 - DEBUG - transport.py:1871 - paramiko.transport -                 _log() - Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
    2023-02-16 10:01:46 - DEBUG - transport.py:1871 - paramiko.transport -                 _log() - Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')
    

    Disabling 'rsa-sha2-512' and 'rsa-sha2-256', so that Paramiko is forced to use 'ssh-rsa', fixes the issue:

    self.ssh_client.connect(hostname=settings.ftp_host, username=username, pkey=mykey, disabled_algorithms=dict(pubkeys=["rsa-sha2-512", "rsa-sha2-256"]))
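The following is an added example; it is not code from the question, the answer, or the Paramiko project. It models the algorithm choice that the debug log in the answer describes (the "first remaining preference wins when the server sends no server-sig-algs list" rule is a simplified assumption, not Paramiko's own implementation), detects the legacy-server case from Paramiko DEBUG lines, and applies the `disabled_algorithms` workaround only for that case, so that servers which do advertise SHA-2 support keep getting `rsa-sha2-*` signatures. Two practitioner points worth keeping in mind: `ssh-rsa` signatures use SHA-1, and OpenSSH has disabled that algorithm by default since 8.8, so the pin is a per-host stopgap until the server side gains `rsa-sha2-*` support; and `RejectPolicy` with a loaded known-hosts file is used instead of `AutoAddPolicy`, which would silently trust any host key on first contact. The host name, user name, key path and the sample log lines are placeholders constructed for the example.

```python
"""Added example (not code from the question, the answer, or Paramiko):
model the public-key algorithm choice the debug log in the answer describes,
detect the legacy-server case from such log lines, and build connect()
keyword arguments that disable rsa-sha2-* only in that case."""
import re
from typing import Iterable, Optional

# Paramiko's default preference order, copied from the log line in the answer.
OUR_PUBKEY_ALGOS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]

# The answer's workaround: disabling both SHA-2 variants leaves only the
# SHA-1-based 'ssh-rsa'.
LEGACY_RSA_DISABLED = {"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]}

# Constructed sample log lines in the shape of the answer's DEBUG output
# (not a real capture).
SAMPLE_LOG = """\
2023-02-16 10:01:46 - DEBUG - paramiko.transport - Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
2023-02-16 10:01:46 - DEBUG - paramiko.transport - Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')
""".splitlines()

_NO_SIG_ALGS = re.compile(r"Server did not send a server-sig-algs list")


def pick_pubkey_algo(server_sig_algs: Optional[Iterable[str]],
                     disabled: Iterable[str] = ()) -> str:
    """Simplified model (an assumption, not Paramiko's code) of the choice the
    log describes: with no server-sig-algs list the first remaining preference
    wins; with one, the first preference the server also lists wins."""
    blocked = set(disabled)
    candidates = [a for a in OUR_PUBKEY_ALGOS if a not in blocked]
    if not candidates:
        raise ValueError("every RSA signature algorithm was disabled")
    if server_sig_algs is None:
        return candidates[0]
    offered = set(server_sig_algs)
    for algo in candidates:
        if algo in offered:
            return algo
    raise ValueError(f"server offers none of {candidates}")


def server_sent_sig_algs(log_lines: Iterable[str]) -> bool:
    """Scan Paramiko DEBUG output for the message quoted in the answer.
    False means the server is the legacy kind the workaround targets."""
    return not any(_NO_SIG_ALGS.search(line) for line in log_lines)


def build_connect_kwargs(hostname: str, username: str, pkey,
                         legacy_server: bool, port: int = 22) -> dict:
    """Keyword arguments for SSHClient.connect(); the algorithm pin is applied
    only when the server was identified as legacy, so modern servers keep
    receiving SHA-2 signatures."""
    kwargs = {"hostname": hostname, "username": username,
              "pkey": pkey, "port": port}
    if legacy_server:
        kwargs["disabled_algorithms"] = dict(LEGACY_RSA_DISABLED)
    return kwargs


def open_sftp(hostname: str, username: str, key_file_path: str,
              password: str, legacy_server: bool):
    """Network-using entry point; needs Paramiko and a reachable server, so
    the offline helpers above do not depend on it."""
    import paramiko  # imported here so the helpers above run without Paramiko
    key = paramiko.RSAKey.from_private_key_file(key_file_path, password=password)
    client = paramiko.SSHClient()
    # Verify the host against known_hosts rather than auto-accepting any key.
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(**build_connect_kwargs(hostname, username, key, legacy_server))
    return client.open_sftp()


if __name__ == "__main__":
    legacy = not server_sent_sig_algs(SAMPLE_LOG)
    print("legacy server:", legacy)
    print("algorithm with defaults:", pick_pubkey_algo(None))
    print("algorithm after workaround:",
          pick_pubkey_algo(None, LEGACY_RSA_DISABLED["pubkeys"]))
```

Running the module with the constructed log reports the server as legacy, shows `rsa-sha2-512` as the default choice, and `ssh-rsa` once the workaround is applied; `open_sftp("sftp.example.invalid", "user", "/path/to/key.pem", password, legacy_server=legacy)` would then perform the real connection with the pin limited to that host.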