def test_load_EC_key_new_format(self):
key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384_o.key'),
b'television')
self.assert_key_values(key, 'ecdsa-sha2-nistp384', 384,
PUB_EC_384_OPENSSH,
FINGER_EC_384_OPENSSH.split()[1],
FINGER_SHA256_EC_384_OPENSSH)
def test_load_ecdsa_password_521(self):
key = ECDSAKey.from_private_key_file(
_support("test_ecdsa_password_521.key"), b"television")
self.assertEqual("ecdsa-sha2-nistp521", key.get_name())
self.assert_key_fingerprints(key, FINGER_ECDSA_521)
self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
self.assertEqual(521, key.get_bits())
def test_certificates(self):
# NOTE: we also test 'live' use of cert auth for all key types in
# test_client.py; this and nearby cert tests are more about the gritty
# details.
# PKey.load_certificate
key_path = _support(os.path.join('cert_support', 'test_rsa.key'))
key = RSAKey.from_private_key_file(key_path)
self.assertTrue(key.public_blob is None)
cert_path = _support(
os.path.join('cert_support', 'test_rsa.key-cert.pub'))
key.load_certificate(cert_path)
self.assertTrue(key.public_blob is not None)
self.assertEqual(key.public_blob.key_type,
'*****@*****.**')
self.assertEqual(key.public_blob.comment, 'test_rsa.key.pub')
# Delve into blob contents, for test purposes
msg = Message(key.public_blob.key_blob)
self.assertEqual(msg.get_text(), '*****@*****.**')
nonce = msg.get_string() # noqa: F841
e = msg.get_mpint()
n = msg.get_mpint()
self.assertEqual(e, key.public_numbers.e)
self.assertEqual(n, key.public_numbers.n)
# Serial number
self.assertEqual(msg.get_int64(), 1234)
# Prevented from loading certificate that doesn't match
key_path = _support(os.path.join('cert_support', 'test_ecdsa_256.key'))
key1 = ECDSAKey.from_private_key_file(key_path)
self.assertRaises(
ValueError,
key1.load_certificate,
_support('test_rsa.key-cert.pub'),
)
def _set_authentication(self, password, private_key, private_key_pass):
'''Authenticate the transport. prefer password if given'''
if password is None:
# Use Private Key.
if not private_key:
# Try to use default key.
if os.path.exists(os.path.expanduser('~/.ssh/id_rsa')):
private_key = '~/.ssh/id_rsa'
elif os.path.exists(os.path.expanduser('~/.ssh/id_dsa')):
private_key = '~/.ssh/id_dsa'
else:
raise CredentialException("No password or key specified.")
if isinstance(private_key, (AgentKey, RSAKey)):
# use the paramiko agent or rsa key
self._tconnect['pkey'] = private_key
else:
# isn't a paramiko AgentKey or RSAKey, try to build a
# key from what we assume is a path to a key
private_key_file = os.path.expanduser(private_key)
try: # try rsa
self._tconnect['pkey'] = RSAKey.from_private_key_file(
private_key_file, private_key_pass)
except paramiko.SSHException: # if it fails, try dss
# pylint:disable=r0204
try:
self._tconnect['pkey'] = DSSKey.from_private_key_file(
private_key_file, private_key_pass)
except paramiko.SSHException:
self._tconnect[
'pkey'] = ECDSAKey.from_private_key_file(
private_key_file, private_key_pass)
def test_19_load_ecdsa_password_521(self):
key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_password_521.key'), b'television')
self.assertEqual('ecdsa-sha2-nistp521', key.get_name())
exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(':', ''))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
self.assertEqual(521, key.get_bits())
def test_20_compare_ecdsa_521(self):
# verify that the private & public keys compare equal
key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key'))
self.assertEqual(key, key)
pub = ECDSAKey(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_11_load_ecdsa_password(self):
key = ECDSAKey.from_private_key_file('tests/test_ecdsa_password.key', 'television')
self.assertEquals(b'ecdsa-sha2-nistp256', key.get_name())
exp_ecdsa = FINGER_ECDSA.split()[1].replace(b':', b'')
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEquals(exp_ecdsa, my_ecdsa)
self.assertEquals(PUB_ECDSA.split()[1], key.get_base64())
self.assertEquals(256, key.get_bits())
def test_16_compare_ecdsa_384(self):
# verify that the private & public keys compare equal
key = ECDSAKey.from_private_key_file(_support("test_ecdsa_384.key"))
self.assertEqual(key, key)
pub = ECDSAKey(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_12_compare_ecdsa(self):
# verify that the private & public keys compare equal
key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
self.assertEquals(key, key)
pub = ECDSAKey(data=bytes(key))
self.assert_(key.can_sign())
self.assert_(not pub.can_sign())
self.assertEquals(key, pub)
def test_15_load_ecdsa_password_384(self):
key = ECDSAKey.from_private_key_file(_support('test_ecdsa_password_384.key'), b'television')
self.assertEqual('ecdsa-sha2-nistp384', key.get_name())
exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', ''))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64())
self.assertEqual(384, key.get_bits())
def test_11_load_ecdsa_password(self):
key = ECDSAKey.from_private_key_file(test_path("test_ecdsa_password.key"), b"television")
self.assertEqual("ecdsa-sha2-nistp256", key.get_name())
exp_ecdsa = b(FINGER_ECDSA.split()[1].replace(":", ""))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA.split()[1], key.get_base64())
self.assertEqual(256, key.get_bits())
def test_15_load_ecdsa_password_384(self):
key = ECDSAKey.from_private_key_file(_support('test_ecdsa_password_384.key'), b'television')
self.assertEqual('ecdsa-sha2-nistp384', key.get_name())
exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', ''))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64())
self.assertEqual(384, key.get_bits())
def test_16_compare_ecdsa_384(self):
# verify that the private & public keys compare equal
key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_384.key'))
self.assertEqual(key, key)
pub = ECDSAKey(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_12_compare_ecdsa(self):
# verify that the private & public keys compare equal
key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
self.assertEquals(key, key)
pub = ECDSAKey(data=str(key))
self.assert_(key.can_sign())
self.assert_(not pub.can_sign())
self.assertEquals(key, pub)
def test_20_compare_ecdsa_521(self):
# verify that the private & public keys compare equal
key = ECDSAKey.from_private_key_file(_support("test_ecdsa_521.key"))
self.assertEqual(key, key)
pub = ECDSAKey(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_load_EC_key_new_format(self):
key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384_o.key'),
b'television')
self.assertEqual('ecdsa-sha2-nistp384', key.get_name())
self.assertEqual(PUB_EC_384_OPENSSH.split()[1], key.get_base64())
self.assertEqual(384, key.get_bits())
exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(':', ''))
my_fp = hexlify(key.get_fingerprint())
self.assertEqual(exp_fp, my_fp)
def test_11_load_ecdsa_password(self):
key = ECDSAKey.from_private_key_file('tests/test_ecdsa_password.key',
'television')
self.assertEquals('ecdsa-sha2-nistp256', key.get_name())
exp_ecdsa = FINGER_ECDSA.split()[1].replace(':', '')
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEquals(exp_ecdsa, my_ecdsa)
self.assertEquals(PUB_ECDSA.split()[1], key.get_base64())
self.assertEquals(256, key.get_bits())
def test_load_ecdsa_password_521(self):
key = ECDSAKey.from_private_key_file(
_support("test_ecdsa_password_521.key"), b"television")
self.assertEqual("ecdsa-sha2-nistp521", key.get_name())
exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(":", ""))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
self.assertEqual(521, key.get_bits())
def test_load_openssh_format_EC_key(self):
key = ECDSAKey.from_private_key_file(
_support("test_ecdsa_384_openssh.key"), b"television")
self.assertEqual("ecdsa-sha2-nistp384", key.get_name())
self.assertEqual(PUB_EC_384_OPENSSH.split()[1], key.get_base64())
self.assertEqual(384, key.get_bits())
exp_fp = b(FINGER_EC_384_OPENSSH.split()[1].replace(":", ""))
my_fp = hexlify(key.get_fingerprint())
self.assertEqual(exp_fp, my_fp)
def test_19_load_ecdsa_password_521(self):
key = ECDSAKey.from_private_key_file(
_support("test_ecdsa_password_521.key"), b"television"
)
self.assertEqual("ecdsa-sha2-nistp521", key.get_name())
exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(":", ""))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
self.assertEqual(521, key.get_bits())
def test_load_ecdsa_384(self):
key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384.key'))
self.assert_key_values(key, 'ecdsa-sha2-nistp384', 384, PUB_ECDSA_384,
FINGER_ECDSA_384.split()[1],
FINGER_SHA256_ECDSA_384)
s = StringIO()
key.write_private_key(s)
self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue())
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_sign_ecdsa_384(self):
# verify that the rsa private key can sign and verify
key = ECDSAKey.from_private_key_file(_support('test_ecdsa_384.key'))
msg = key.sign_ssh_data(b'ice weasels')
self.assertTrue(type(msg) is Message)
msg.rewind()
self.assertEqual('ecdsa-sha2-nistp384', msg.get_text())
# ECDSA signatures, like DSS signatures, tend to be different
# each time, so we can't compare against a "known correct" signature.
# Even the length of the signature can change.
msg.rewind()
pub = ECDSAKey(data=key.asbytes())
self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
def test_load_ecdsa_384(self):
key = ECDSAKey.from_private_key_file(_support("test_ecdsa_384.key"))
self.assertEqual("ecdsa-sha2-nistp384", key.get_name())
self.assert_key_fingerprints(key, FINGER_ECDSA_384)
self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64())
self.assertEqual(384, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue())
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_21_sign_ecdsa_521(self):
# verify that the rsa private key can sign and verify
key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key'))
msg = key.sign_ssh_data(b'ice weasels')
self.assertTrue(type(msg) is Message)
msg.rewind()
self.assertEqual('ecdsa-sha2-nistp521', msg.get_text())
# ECDSA signatures, like DSS signatures, tend to be different
# each time, so we can't compare against a "known correct"
# signature.
# Even the length of the signature can change.
msg.rewind()
pub = ECDSAKey(data=key.asbytes())
self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
def test_14_load_ecdsa_384(self):
key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_384.key'))
self.assertEqual('ecdsa-sha2-nistp384', key.get_name())
exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', ''))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64())
self.assertEqual(384, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue())
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_10_load_ecdsa(self):
key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
self.assertEquals(b'ecdsa-sha2-nistp256', key.get_name())
exp_ecdsa = FINGER_ECDSA.split()[1].replace(b':', b'')
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEquals(exp_ecdsa, my_ecdsa)
self.assertEquals(PUB_ECDSA.split()[1], key.get_base64())
self.assertEquals(256, key.get_bits())
s = BytesIO()
key.write_private_key(s)
self.assertEquals(ECDSA_PRIVATE_OUT, s.getvalue())
s.seek(0)
key2 = ECDSAKey.from_private_key(StringIO(s.getvalue().decode()))
self.assertEquals(key, key2)
def test_load_ecdsa_521(self):
key = ECDSAKey.from_private_key_file(_support('test_ecdsa_521.key'))
self.assert_key_values(key, 'ecdsa-sha2-nistp521', 521, PUB_ECDSA_521,
FINGER_ECDSA_521.split()[1],
FINGER_SHA256_ECDSA_521)
s = StringIO()
key.write_private_key(s)
# Different versions of OpenSSL (SSLeay versions 0x1000100f and
# 0x1000207f for instance) use different apparently valid (as far as
# ssh-keygen is concerned) padding. So we can't check the actual value
# of the pem encoded key.
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_14_load_ecdsa_384(self):
key = ECDSAKey.from_private_key_file(_support("test_ecdsa_384.key"))
self.assertEqual("ecdsa-sha2-nistp384", key.get_name())
exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(":", ""))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64())
self.assertEqual(384, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue())
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_13_sign_ecdsa(self):
# verify that the rsa private key can sign and verify
key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
msg = key.sign_ssh_data(rng, 'ice weasels')
self.assert_(type(msg) is Message)
msg.rewind()
self.assertEquals('ecdsa-sha2-nistp256', msg.get_string())
# ECDSA signatures, like DSS signatures, tend to be different
# each time, so we can't compare against a "known correct"
# signature.
# Even the length of the signature can change.
msg.rewind()
pub = ECDSAKey(data=str(key))
self.assert_(pub.verify_ssh_sig('ice weasels', msg))
def test_10_load_ecdsa_256(self):
key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_256.key'))
self.assertEqual('ecdsa-sha2-nistp256', key.get_name())
exp_ecdsa = b(FINGER_ECDSA_256.split()[1].replace(':', ''))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_256.split()[1], key.get_base64())
self.assertEqual(256, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(ECDSA_PRIVATE_OUT_256, s.getvalue())
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_13_sign_ecdsa(self):
# verify that the rsa private key can sign and verify
key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key')
msg = key.sign_ssh_data(rng, b'ice weasels')
self.assert_(type(msg) is Message)
msg.rewind()
self.assertEquals(b'ecdsa-sha2-nistp256', msg.get_string())
# ECDSA signatures, like DSS signatures, tend to be different
# each time, so we can't compare against a "known correct"
# signature.
# Even the length of the signature can change.
msg.rewind()
pub = ECDSAKey(data=bytes(key))
self.assert_(pub.verify_ssh_sig(b'ice weasels', msg))
def test_10_load_ecdsa_256(self):
key = ECDSAKey.from_private_key_file(_support("test_ecdsa_256.key"))
self.assertEqual("ecdsa-sha2-nistp256", key.get_name())
exp_ecdsa = b(FINGER_ECDSA_256.split()[1].replace(":", ""))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_256.split()[1], key.get_base64())
self.assertEqual(256, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(ECDSA_PRIVATE_OUT_256, s.getvalue())
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_18_load_ecdsa_521(self):
key = ECDSAKey.from_private_key_file(_support("test_ecdsa_521.key"))
self.assertEqual("ecdsa-sha2-nistp521", key.get_name())
exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(":", ""))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
self.assertEqual(521, key.get_bits())
s = StringIO()
key.write_private_key(s)
# Different versions of OpenSSL (SSLeay versions 0x1000100f and
# 0x1000207f for instance) use different apparently valid (as far as
# ssh-keygen is concerned) padding. So we can't check the actual value
# of the pem encoded key.
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_18_load_ecdsa_521(self):
key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key'))
self.assertEqual('ecdsa-sha2-nistp521', key.get_name())
exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(':', ''))
my_ecdsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_ecdsa, my_ecdsa)
self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
self.assertEqual(521, key.get_bits())
s = StringIO()
key.write_private_key(s)
# Different versions of OpenSSL (SSLeay versions 0x1000100f and
# 0x1000207f for instance) use different apparently valid (as far as
# ssh-keygen is concerned) padding. So we can't check the actual value
# of the pem encoded key.
s.seek(0)
key2 = ECDSAKey.from_private_key(s)
self.assertEqual(key, key2)
def test_load_ecdsa_password_521(self):
key = ECDSAKey.from_private_key_file(
_support('test_ecdsa_password_521.key'), b'television')
self.assert_key_values(key, 'ecdsa-sha2-nistp521', 521, PUB_ECDSA_521,
FINGER_ECDSA_521.split()[1],
FINGER_SHA256_ECDSA_521)
def test_load_openssh_format_EC_key(self):
key = ECDSAKey.from_private_key_file(
_support("test_ecdsa_384_openssh.key"), b"television")
self.assertEqual("ecdsa-sha2-nistp384", key.get_name())
self.assert_key_fingerprints(key, FINGER_EC_384_OPENSSH)
args = parser.parse_args()
args.local_dir = os.path.abspath(args.local_dir)
logging.basicConfig(level=logging.INFO,
format="%(asctime)s - %(message)s",
datefmt="%H:%M:%S")
logging.getLogger("paramiko.transport").setLevel(logging.ERROR)
logger = logging.getLogger()
if args.configure:
logger.info("here is where we run ansible playbooks")
exit(0)
try:
key_file = os.path.expanduser(args.identity)
private_key = ECDSAKey.from_private_key_file(key_file)
except FileNotFoundError as e:
logger.error(f"{args.identity} not found")
exit(1)
except SSHException as e:
logger.error(f"{key_file}; {e}")
exit(1)
ssh = SSHClient()
ssh.set_missing_host_key_policy(AutoAddPolicy())
ssh.load_system_host_keys()
try:
logger.info(f"connecting to {args.hostname}")
ssh.connect(args.hostname, username=args.user, pkey=private_key)
except AuthenticationException as e:
