7

I have the following code:

```
ssh_key = paramiko.RSAKey.from_private_key_file(key_filename)
```

the key looks like this:

```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAqdgmJ2AQlmvpCsDWjbpIvIrx4AwtKn2t10wmGZIN9pqcJgQpo3HD
```

and is valid:

```
$ ssh-keygen -l -f <mykeyfile>
2048 SHA256:x8jlUAObU3q2KXRtuGpxwhnGvB/ZoeD2IUqSA1OkCmI thomas@Thomas-MBP-2017 (RSA)
```

but I get the following error:

```
not a valid RSA private key file
```

This is on MacOS, Python 2.7, Paramiko 2.4.2

What am I doing wrong?

Martin Prikryl
Thomas
  • Use the latest version of Paramiko, see [Paramiko: "not a valid RSA private key file"](https://stackoverflow.com/q/54612609/850848#60000004). – Martin Prikryl Nov 28 '22 at 15:10

1 Answer

5

For OpenSSH 7.8 up, you have to trick it. Run `ssh-keygen -p [-f file] -m pem` to purportedly change passphrase, but reuse the old one. Use `-P oldpw -N newpw` if you want to avoid the prompts, as in a script, but be careful of making your passphrase visible to other users. As a side effect this rewrites the keyfile (if not ed25519) in 'old' (OpenSSL-compatible and thus paramiko-compatible) format. (If you want to keep the new-format file, copy first.)

For older versions of OpenSSH just do `ssh-keygen -p [-f file]` WITHOUT `-o`.

Also, if you have (or get) it, the puttygen utility in the PuTTY suite from 0.69 up supports this format. In the Unix version, just do `puttygen newfmtfile -O private-openssh -o oldfmtfile` (again excepting ed25519). In the Windows version AFAICT you must use the GUI; load the newfmtfile and do Conversions / Export OpenSSH key.

dave_thompson_085
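To tell which container a key file uses before handing it to Paramiko, the unencrypted header can be read without touching any key material. The following is an added example, not part of the question or the answer: it is written for Python 3, the function names are hypothetical, and the sample key is a constructed header-only blob rather than a usable key.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # magic at the start of the new-format container

def _string(buf, off):
    """Read one SSH string (uint32 big-endian length + bytes) at offset off."""
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 + n > len(buf) or off + 4 > len(buf):
        raise ValueError("truncated key header")
    return buf[off + 4:off + 4 + n], off + 4 + n

def describe_private_key(text):
    """Report container format, key type and encryption from the clear header."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    first = lines[0] if lines else ""
    if not (first.startswith("-----BEGIN ") and first.endswith("-----")):
        raise ValueError("no PEM header line")
    label = first[11:-5]
    if label != "OPENSSH PRIVATE KEY":
        # Old OpenSSL-style PEM ("RSA PRIVATE KEY"): encryption shows as a header.
        enc = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return {"format": label, "key_type": None, "encrypted": enc}
    b64 = "".join(l for l in lines[1:] if not l.startswith("-----"))
    body = base64.b64decode(b64[:len(b64) // 4 * 4])  # tolerate a cut-off body
    if not body.startswith(MAGIC):
        raise ValueError("OPENSSH label but wrong magic")
    cipher, off = _string(body, len(MAGIC))
    _kdf, off = _string(body, off)
    _kdfopts, off = _string(body, off)
    off += 8  # skip key count (uint32) and public-key blob length (uint32)
    key_type, _ = _string(body, off)
    return {"format": label, "key_type": key_type.decode(),
            "encrypted": cipher != b"none"}

def _s(b):
    return struct.pack(">I", len(b)) + b

def make_sample(cipher=b"none"):
    """Constructed header-only sample: not a usable key, just the container."""
    pub = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" * 8)
    blob = (MAGIC + _s(cipher) + _s(b"none") + _s(b"") + struct.pack(">I", 1)
            + _s(pub) + _s(b"\x00" * 16))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(describe_private_key(make_sample()))
```

A result with `format` equal to `OPENSSH PRIVATE KEY` is the format that produces the error in the question; after the `ssh-keygen -p -m pem` conversion from the answer, the same check reports `RSA PRIVATE KEY`.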