def test_load_EC_key_new_format(self): key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384_o.key'), b'television') self.assert_key_values(key, 'ecdsa-sha2-nistp384', 384, PUB_EC_384_OPENSSH, FINGER_EC_384_OPENSSH.split()[1], FINGER_SHA256_EC_384_OPENSSH)
def test_load_ecdsa_password_521(self): key = ECDSAKey.from_private_key_file( _support("test_ecdsa_password_521.key"), b"television") self.assertEqual("ecdsa-sha2-nistp521", key.get_name()) self.assert_key_fingerprints(key, FINGER_ECDSA_521) self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64()) self.assertEqual(521, key.get_bits())
def test_certificates(self): # NOTE: we also test 'live' use of cert auth for all key types in # test_client.py; this and nearby cert tests are more about the gritty # details. # PKey.load_certificate key_path = _support(os.path.join('cert_support', 'test_rsa.key')) key = RSAKey.from_private_key_file(key_path) self.assertTrue(key.public_blob is None) cert_path = _support( os.path.join('cert_support', 'test_rsa.key-cert.pub')) key.load_certificate(cert_path) self.assertTrue(key.public_blob is not None) self.assertEqual(key.public_blob.key_type, '*****@*****.**') self.assertEqual(key.public_blob.comment, 'test_rsa.key.pub') # Delve into blob contents, for test purposes msg = Message(key.public_blob.key_blob) self.assertEqual(msg.get_text(), '*****@*****.**') nonce = msg.get_string() # noqa: F841 e = msg.get_mpint() n = msg.get_mpint() self.assertEqual(e, key.public_numbers.e) self.assertEqual(n, key.public_numbers.n) # Serial number self.assertEqual(msg.get_int64(), 1234) # Prevented from loading certificate that doesn't match key_path = _support(os.path.join('cert_support', 'test_ecdsa_256.key')) key1 = ECDSAKey.from_private_key_file(key_path) self.assertRaises( ValueError, key1.load_certificate, _support('test_rsa.key-cert.pub'), )
def _set_authentication(self, password, private_key, private_key_pass): '''Authenticate the transport. prefer password if given''' if password is None: # Use Private Key. if not private_key: # Try to use default key. if os.path.exists(os.path.expanduser('~/.ssh/id_rsa')): private_key = '~/.ssh/id_rsa' elif os.path.exists(os.path.expanduser('~/.ssh/id_dsa')): private_key = '~/.ssh/id_dsa' else: raise CredentialException("No password or key specified.") if isinstance(private_key, (AgentKey, RSAKey)): # use the paramiko agent or rsa key self._tconnect['pkey'] = private_key else: # isn't a paramiko AgentKey or RSAKey, try to build a # key from what we assume is a path to a key private_key_file = os.path.expanduser(private_key) try: # try rsa self._tconnect['pkey'] = RSAKey.from_private_key_file( private_key_file, private_key_pass) except paramiko.SSHException: # if it fails, try dss # pylint:disable=r0204 try: self._tconnect['pkey'] = DSSKey.from_private_key_file( private_key_file, private_key_pass) except paramiko.SSHException: self._tconnect[ 'pkey'] = ECDSAKey.from_private_key_file( private_key_file, private_key_pass)
def test_19_load_ecdsa_password_521(self): key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_password_521.key'), b'television') self.assertEqual('ecdsa-sha2-nistp521', key.get_name()) exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(':', '')) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64()) self.assertEqual(521, key.get_bits())
def test_20_compare_ecdsa_521(self): # verify that the private & public keys compare equal key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key')) self.assertEqual(key, key) pub = ECDSAKey(data=key.asbytes()) self.assertTrue(key.can_sign()) self.assertTrue(not pub.can_sign()) self.assertEqual(key, pub)
def test_11_load_ecdsa_password(self): key = ECDSAKey.from_private_key_file('tests/test_ecdsa_password.key', 'television') self.assertEquals(b'ecdsa-sha2-nistp256', key.get_name()) exp_ecdsa = FINGER_ECDSA.split()[1].replace(b':', b'') my_ecdsa = hexlify(key.get_fingerprint()) self.assertEquals(exp_ecdsa, my_ecdsa) self.assertEquals(PUB_ECDSA.split()[1], key.get_base64()) self.assertEquals(256, key.get_bits())
def test_16_compare_ecdsa_384(self): # verify that the private & public keys compare equal key = ECDSAKey.from_private_key_file(_support("test_ecdsa_384.key")) self.assertEqual(key, key) pub = ECDSAKey(data=key.asbytes()) self.assertTrue(key.can_sign()) self.assertTrue(not pub.can_sign()) self.assertEqual(key, pub)
def test_12_compare_ecdsa(self): # verify that the private & public keys compare equal key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') self.assertEquals(key, key) pub = ECDSAKey(data=bytes(key)) self.assert_(key.can_sign()) self.assert_(not pub.can_sign()) self.assertEquals(key, pub)
def test_15_load_ecdsa_password_384(self): key = ECDSAKey.from_private_key_file(_support('test_ecdsa_password_384.key'), b'television') self.assertEqual('ecdsa-sha2-nistp384', key.get_name()) exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', '')) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits())
def test_11_load_ecdsa_password(self): key = ECDSAKey.from_private_key_file(test_path("test_ecdsa_password.key"), b"television") self.assertEqual("ecdsa-sha2-nistp256", key.get_name()) exp_ecdsa = b(FINGER_ECDSA.split()[1].replace(":", "")) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA.split()[1], key.get_base64()) self.assertEqual(256, key.get_bits())
def test_15_load_ecdsa_password_384(self): key = ECDSAKey.from_private_key_file(_support('test_ecdsa_password_384.key'), b'television') self.assertEqual('ecdsa-sha2-nistp384', key.get_name()) exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', '')) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits())
def test_16_compare_ecdsa_384(self): # verify that the private & public keys compare equal key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_384.key')) self.assertEqual(key, key) pub = ECDSAKey(data=key.asbytes()) self.assertTrue(key.can_sign()) self.assertTrue(not pub.can_sign()) self.assertEqual(key, pub)
def test_12_compare_ecdsa(self): # verify that the private & public keys compare equal key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') self.assertEquals(key, key) pub = ECDSAKey(data=str(key)) self.assert_(key.can_sign()) self.assert_(not pub.can_sign()) self.assertEquals(key, pub)
def test_20_compare_ecdsa_521(self): # verify that the private & public keys compare equal key = ECDSAKey.from_private_key_file(_support("test_ecdsa_521.key")) self.assertEqual(key, key) pub = ECDSAKey(data=key.asbytes()) self.assertTrue(key.can_sign()) self.assertTrue(not pub.can_sign()) self.assertEqual(key, pub)
def test_load_EC_key_new_format(self): key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384_o.key'), b'television') self.assertEqual('ecdsa-sha2-nistp384', key.get_name()) self.assertEqual(PUB_EC_384_OPENSSH.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits()) exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(':', '')) my_fp = hexlify(key.get_fingerprint()) self.assertEqual(exp_fp, my_fp)
def test_11_load_ecdsa_password(self): key = ECDSAKey.from_private_key_file('tests/test_ecdsa_password.key', 'television') self.assertEquals('ecdsa-sha2-nistp256', key.get_name()) exp_ecdsa = FINGER_ECDSA.split()[1].replace(':', '') my_ecdsa = hexlify(key.get_fingerprint()) self.assertEquals(exp_ecdsa, my_ecdsa) self.assertEquals(PUB_ECDSA.split()[1], key.get_base64()) self.assertEquals(256, key.get_bits())
def test_load_ecdsa_password_521(self): key = ECDSAKey.from_private_key_file( _support("test_ecdsa_password_521.key"), b"television") self.assertEqual("ecdsa-sha2-nistp521", key.get_name()) exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(":", "")) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64()) self.assertEqual(521, key.get_bits())
def test_load_openssh_format_EC_key(self): key = ECDSAKey.from_private_key_file( _support("test_ecdsa_384_openssh.key"), b"television") self.assertEqual("ecdsa-sha2-nistp384", key.get_name()) self.assertEqual(PUB_EC_384_OPENSSH.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits()) exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(":", "")) my_fp = hexlify(key.get_fingerprint()) self.assertEqual(exp_fp, my_fp)
def test_19_load_ecdsa_password_521(self): key = ECDSAKey.from_private_key_file( _support("test_ecdsa_password_521.key"), b"television" ) self.assertEqual("ecdsa-sha2-nistp521", key.get_name()) exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(":", "")) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64()) self.assertEqual(521, key.get_bits())
def test_load_ecdsa_384(self): key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384.key')) self.assert_key_values(key, 'ecdsa-sha2-nistp384', 384, PUB_ECDSA_384, FINGER_ECDSA_384.split()[1], FINGER_SHA256_ECDSA_384) s = StringIO() key.write_private_key(s) self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue()) s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_sign_ecdsa_384(self): # verify that the rsa private key can sign and verify key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384.key')) msg = key.sign_ssh_data(b'ice weasels') self.assertTrue(type(msg) is Message) msg.rewind() self.assertEqual('ecdsa-sha2-nistp384', msg.get_text()) # ECDSA signatures, like DSS signatures, tend to be different # each time, so we can't compare against a "known correct" signature. # Even the length of the signature can change. msg.rewind() pub = ECDSAKey(data=key.asbytes()) self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
def test_load_ecdsa_384(self): key = ECDSAKey.from_private_key_file(_support("test_ecdsa_384.key")) self.assertEqual("ecdsa-sha2-nistp384", key.get_name()) self.assert_key_fingerprints(key, FINGER_ECDSA_384) self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits()) s = StringIO() key.write_private_key(s) self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue()) s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_21_sign_ecdsa_521(self): # verify that the rsa private key can sign and verify key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key')) msg = key.sign_ssh_data(b'ice weasels') self.assertTrue(type(msg) is Message) msg.rewind() self.assertEqual('ecdsa-sha2-nistp521', msg.get_text()) # ECDSA signatures, like DSS signatures, tend to be different # each time, so we can't compare against a "known correct" # signature. # Even the length of the signature can change. msg.rewind() pub = ECDSAKey(data=key.asbytes()) self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
def test_14_load_ecdsa_384(self): key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_384.key')) self.assertEqual('ecdsa-sha2-nistp384', key.get_name()) exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', '')) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits()) s = StringIO() key.write_private_key(s) self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue()) s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_10_load_ecdsa(self): key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') self.assertEquals(b'ecdsa-sha2-nistp256', key.get_name()) exp_ecdsa = FINGER_ECDSA.split()[1].replace(b':', b'') my_ecdsa = hexlify(key.get_fingerprint()) self.assertEquals(exp_ecdsa, my_ecdsa) self.assertEquals(PUB_ECDSA.split()[1], key.get_base64()) self.assertEquals(256, key.get_bits()) s = BytesIO() key.write_private_key(s) self.assertEquals(ECDSA_PRIVATE_OUT, s.getvalue()) s.seek(0) key2 = ECDSAKey.from_private_key(StringIO(s.getvalue().decode())) self.assertEquals(key, key2)
def test_load_ecdsa_521(self): key = ECDSAKey.from_private_key_file(_support('test_ecdsa_521.key')) self.assert_key_values(key, 'ecdsa-sha2-nistp521', 521, PUB_ECDSA_521, FINGER_ECDSA_521.split()[1], FINGER_SHA256_ECDSA_521) s = StringIO() key.write_private_key(s) # Different versions of OpenSSL (SSLeay versions 0x1000100f and # 0x1000207f for instance) use different apparently valid (as far as # ssh-keygen is concerned) padding. So we can't check the actual value # of the pem encoded key. s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_14_load_ecdsa_384(self): key = ECDSAKey.from_private_key_file(_support("test_ecdsa_384.key")) self.assertEqual("ecdsa-sha2-nistp384", key.get_name()) exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(":", "")) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64()) self.assertEqual(384, key.get_bits()) s = StringIO() key.write_private_key(s) self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue()) s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_13_sign_ecdsa(self): # verify that the rsa private key can sign and verify key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') msg = key.sign_ssh_data(rng, 'ice weasels') self.assert_(type(msg) is Message) msg.rewind() self.assertEquals('ecdsa-sha2-nistp256', msg.get_string()) # ECDSA signatures, like DSS signatures, tend to be different # each time, so we can't compare against a "known correct" # signature. # Even the length of the signature can change. msg.rewind() pub = ECDSAKey(data=str(key)) self.assert_(pub.verify_ssh_sig('ice weasels', msg))
def test_10_load_ecdsa_256(self): key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_256.key')) self.assertEqual('ecdsa-sha2-nistp256', key.get_name()) exp_ecdsa = b(FINGER_ECDSA_256.split()[1].replace(':', '')) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_256.split()[1], key.get_base64()) self.assertEqual(256, key.get_bits()) s = StringIO() key.write_private_key(s) self.assertEqual(ECDSA_PRIVATE_OUT_256, s.getvalue()) s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_13_sign_ecdsa(self): # verify that the rsa private key can sign and verify key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') msg = key.sign_ssh_data(rng, b'ice weasels') self.assert_(type(msg) is Message) msg.rewind() self.assertEquals(b'ecdsa-sha2-nistp256', msg.get_string()) # ECDSA signatures, like DSS signatures, tend to be different # each time, so we can't compare against a "known correct" # signature. # Even the length of the signature can change. msg.rewind() pub = ECDSAKey(data=bytes(key)) self.assert_(pub.verify_ssh_sig(b'ice weasels', msg))
def test_10_load_ecdsa_256(self): key = ECDSAKey.from_private_key_file(_support("test_ecdsa_256.key")) self.assertEqual("ecdsa-sha2-nistp256", key.get_name()) exp_ecdsa = b(FINGER_ECDSA_256.split()[1].replace(":", "")) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_256.split()[1], key.get_base64()) self.assertEqual(256, key.get_bits()) s = StringIO() key.write_private_key(s) self.assertEqual(ECDSA_PRIVATE_OUT_256, s.getvalue()) s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_18_load_ecdsa_521(self): key = ECDSAKey.from_private_key_file(_support("test_ecdsa_521.key")) self.assertEqual("ecdsa-sha2-nistp521", key.get_name()) exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(":", "")) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64()) self.assertEqual(521, key.get_bits()) s = StringIO() key.write_private_key(s) # Different versions of OpenSSL (SSLeay versions 0x1000100f and # 0x1000207f for instance) use different apparently valid (as far as # ssh-keygen is concerned) padding. So we can't check the actual value # of the pem encoded key. s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_18_load_ecdsa_521(self): key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key')) self.assertEqual('ecdsa-sha2-nistp521', key.get_name()) exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(':', '')) my_ecdsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_ecdsa, my_ecdsa) self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64()) self.assertEqual(521, key.get_bits()) s = StringIO() key.write_private_key(s) # Different versions of OpenSSL (SSLeay versions 0x1000100f and # 0x1000207f for instance) use different apparently valid (as far as # ssh-keygen is concerned) padding. So we can't check the actual value # of the pem encoded key. s.seek(0) key2 = ECDSAKey.from_private_key(s) self.assertEqual(key, key2)
def test_load_ecdsa_password_521(self): key = ECDSAKey.from_private_key_file( _support('test_ecdsa_password_521.key'), b'television') self.assert_key_values(key, 'ecdsa-sha2-nistp521', 521, PUB_ECDSA_521, FINGER_ECDSA_521.split()[1], FINGER_SHA256_ECDSA_521)
def test_load_openssh_format_EC_key(self): key = ECDSAKey.from_private_key_file( _support("test_ecdsa_384_openssh.key"), b"television") self.assertEqual("ecdsa-sha2-nistp384", key.get_name()) self.assert_key_fingerprints(key, FINGER_EC_384_OPENSSH)
args = parser.parse_args() args.local_dir = os.path.abspath(args.local_dir) logging.basicConfig(level=logging.INFO, format="%(asctime)s - %(message)s", datefmt="%H:%M:%S") logging.getLogger("paramiko.transport").setLevel(logging.ERROR) logger = logging.getLogger() if args.configure: logger.info("here is where we run ansible playbooks") exit(0) try: key_file = os.path.expanduser(args.identity) private_key = ECDSAKey.from_private_key_file(key_file) except FileNotFoundError as e: logger.error(f"{args.identity} not found") exit(1) except SSHException as e: logger.error(f"{key_file}; {e}") exit(1) ssh = SSHClient() ssh.set_missing_host_key_policy(AutoAddPolicy()) ssh.load_system_host_keys() try: logger.info(f"connecting to {args.hostname}") ssh.connect(args.hostname, username=args.user, pkey=private_key) except AuthenticationException as e: