SSH key generated by ssh-keygen is not recognized by Paramiko: “not a valid RSA private key file”

Posted on

Question :

SSH key generated by ssh-keygen is not recognized by Paramiko: “not a valid RSA private key file”

I have the following code:

ssh_key = paramiko.RSAKey.from_private_key_file(key_filename)

the key looks like this:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAqdgmJ2AQlmvpCsDWjbpIvIrx4AwtKn2t10wmGZIN9pqcJgQpo3HD

and is valid:

 $ ssh-keygen -l -f <mykeyfile>
 $ 2048 SHA256:x8jlUAObU3q2KXRtuGpxwhnGvB/ZoeD2IUqSA1OkCmI thomas@Thomas-MBP-2017 (RSA)

but I get the the following error:

not a valid RSA private key file

This is on MacOS, Python 2.7, Paramiko 2.4.2

What am I doing wrong?

Asked By: Thomas

||

Answer #1:

For OpenSSH 7.8 up, you have to trick it. Run ssh-keygen -p [-f file] -m pem to purportedly change passphrase, but reuse the old one. Use -P oldpw -N newpw if you want to avoid the prompts, as in a script, but be careful of making your passphrase visible to other users. As a side effect this rewrites the keyfile (if not ed25519) in ‘old’ (OpenSSL-compatible and thus paramiko-compatible) format. (If you want to keep the new-format file, copy first.)

For older versions of OpenSSH just do ssh-keygen -p [-f file] WITHOUT -o.

Also, if you have (or get) it, the puttygen utility in the PuTTY suite from 0.69 up supports this format. In the Unix version, just do puttygen newfmtfile -O private-openssh -o oldfmtfile (again excepting ed25519). In the Windows version AFAICT you must use the GUI; load the newfmtfile and do Conversions / Export OpenSSH key .

Answered By: dave_thompson_085

Leave a Reply

Your email address will not be published.