I'm using signed ssh keys to authenticate to a host. This has worked flawlessly up until Paramiko 2.8.1, but with 2.9.0 and 2.9.1 it fails.

Example program:

`robot-test-cert.pub` is signed via ssh-keygen, and has the following metadata:

```
ssh-keygen -Lf ~/.ssh/robot-test-cert.pub
/home/forsberg/.ssh/robot-test-cert.pub:
        Type: [email protected] user certificate
        Public key: RSA-CERT SHA256:JtAqrYvjJBLxkXDeSkXEuGyTR9uykjzaqlGIExjFi/g
        Signing CA: RSA SHA256:E5U81luuNJQIojmQVtDNfnKa4s89Q1gMTOIDqhk1jJE (using ssh-rsa)
        Key ID: "erik.forsberg"
        Serial: 1
        Valid: from 2022-01-02T09:36:22 to 2022-01-10T09:36:22
        Principals:
                root
                ssh_gate
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
```
Running this program with paramiko 2.8.1 gives the following output:

```
python ssh_via_paramiko hostname.example.com
DEBUG:paramiko.transport:starting thread (client mode): 0xb8e398b0
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.8.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_8.2
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_8.2)
DEBUG:paramiko.transport:kex algos:['curve25519-sha256', '[email protected]', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha256'] server key:['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa'] client encrypt:['[email protected]', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected]', '[email protected]'] server encrypt:['[email protected]', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected]', '[email protected]'] client mac:['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none'] server compress:['none'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: [email protected]
DEBUG:paramiko.transport:HostKey agreed: ssh-rsa
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-rsa host key for hostname.example.com: b'4a16f769992de3607928b51c5d1decee'
DEBUG:paramiko.transport:Trying discovered key b'87a2c32a46a2be4f644fb8cc69f47707' in /home/forsberg/.ssh/robot-test
DEBUG:paramiko.transport:Adding public certificate /home/forsberg/.ssh/robot-test-cert.pub
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) successful!
```
However, with paramiko 2.9.1 I instead get the following:

```
python ssh_via_paramiko hostname.example.com
DEBUG:paramiko.transport:starting thread (client mode): 0x1fbd4c10
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.9.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_8.2
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_8.2)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: curve25519-sha256, [email protected], ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256
DEBUG:paramiko.transport:server key: rsa-sha2-512, rsa-sha2-256, ssh-rsa
DEBUG:paramiko.transport:client encrypt: [email protected], aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected]
DEBUG:paramiko.transport:server encrypt: [email protected], aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected]
DEBUG:paramiko.transport:client mac: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:server mac: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:client compress: none
DEBUG:paramiko.transport:server compress: none
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: [email protected]
DEBUG:paramiko.transport:HostKey: rsa-sha2-512
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]'}
DEBUG:paramiko.transport:Adding ssh-rsa host key for hostname.example.com: b'4a16f769992de3607928b51c5d1decee'
DEBUG:paramiko.transport:Trying discovered key b'87a2c32a46a2be4f644fb8cc69f47707' in /home/forsberg/.ssh/robot-test
DEBUG:paramiko.transport:Adding public certificate /home/forsberg/.ssh/robot-test-cert.pub
DEBUG:paramiko.transport:userauth is OK
DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type '[email protected]'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['ssh-ed25519', '[email protected]', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', '[email protected]']
DEBUG:paramiko.transport:Agreed upon 'rsa-sha2-512' pubkey algorithm
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying discovered key b'd491164ce81ead130e0bc2843ca59ad4' in /home/forsberg/.ssh/robot-test
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/forsberg/ferro/ferroamp-os-continuous-deploy/ehub-target-tests/src/ehub_target_tests/ssh_via_paramiko.py", line 21, in <module>
    try_connect("hostname.example.com")
  File "/home/forsberg/ferro/ferroamp-os-continuous-deploy/ehub-target-tests/src/ehub_target_tests/ssh_via_paramiko.py", line 18, in try_connect
    client.connect(hostname, 22, username="root", sock=sock, key_filename="/home/forsberg/.ssh/robot-test-cert.pub")
  File "/home/forsberg/.virtualenvs/feos-cont-deploy/lib/python3.8/site-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/home/forsberg/.virtualenvs/feos-cont-deploy/lib/python3.8/site-packages/paramiko/client.py", line 678, in _auth
    key = self._key_from_filepath(
  File "/home/forsberg/.virtualenvs/feos-cont-deploy/lib/python3.8/site-packages/paramiko/client.py", line 598, in _key_from_filepath
    key.load_certificate(cert_path)
  File "/home/forsberg/.virtualenvs/feos-cont-deploy/lib/python3.8/site-packages/paramiko/pkey.py", line 652, in load_certificate
    raise ValueError(err.format(blob.key_type, self.get_name()))
ValueError: PublicBlob type [email protected] incompatible with key type ssh-dss
```