Key handling

Parent key class

Common API for all public keys.

class paramiko.pkey.PKey(msg=None, data=None)

Base class for public keys.

Also includes some “meta” level convenience constructors such as from_type_string.

__eq__(other)

Return self==value.

__hash__()

Return hash(self).

__init__(msg=None, data=None)

Create a new instance of this public key type. If msg is given, the key’s public part(s) will be filled in from the message. If data is given, the key’s public part(s) will be filled in from the string.

Parameters

  • msg (Message) – an optional SSH Message containing a public key of this type.

  • data (bytes) – optional, the bytes of a public key of this type

Raises

SSHException – if a key cannot be created from the data or msg given, or no key was passed in.

__repr__()

Return repr(self).

__weakref__

list of weak references to the object (if defined)

property algorithm_name

Return the key algorithm identifier for this key.

Similar to get_name, but aimed at pure algorithm name instead of SSH protocol field value.

asbytes()

Return a string of an SSH Message made up of the public part(s) of this key. This string is suitable for passing to __init__ to re-create the key object later.

can_sign()

Return True if this key has the private part necessary for signing data.

property fingerprint

Modern fingerprint property designed to be comparable to OpenSSH.

Currently only does SHA256 (the OpenSSH default).

New in version 3.2.

static from_path(path, passphrase=None)

Attempt to instantiate appropriate key subclass from given file path.

Parameters

path (Path) – The path to load (may also be a str).

Returns

A PKey subclass instance.

Raises

UnknownKeyType, if our crypto backend doesn’t know this key type.

New in version 3.2.

classmethod from_private_key(file_obj, password=None)

Create a key object by reading a private key from a file (or file-like) object. If the private key is encrypted and password is not None, the given password will be used to decrypt the key (otherwise PasswordRequiredException is thrown).

Parameters

  • file_obj – the file-like object to read from

  • password (str) – an optional password to use to decrypt the key, if it’s encrypted

Returns

a new PKey based on the given private key

Raises

IOError – if there was an error reading the key

Raises

PasswordRequiredException – if the private key file is encrypted, and password is None

Raises

SSHException – if the key file is invalid

classmethod from_private_key_file(filename, password=None)

Create a key object by reading a private key file. If the private key is encrypted and password is not None, the given password will be used to decrypt the key (otherwise PasswordRequiredException is thrown). Through the magic of Python, this factory method will exist in all subclasses of PKey (such as RSAKey or DSSKey), but is useless on the abstract PKey class.

Parameters

  • filename (str) – name of the file to read

  • password (str) – an optional password to use to decrypt the key file, if it’s encrypted

Returns

a new PKey based on the given private key

Raises

IOError – if there was an error reading the file

Raises

PasswordRequiredException – if the private key file is encrypted, and password is None

Raises

SSHException – if the key file is invalid

static from_type_string(key_type, key_bytes)

Given type str & raw bytes, return a PKey subclass instance.

For example, PKey.from_type_string("ssh-ed25519", <public bytes>) will (if successful) return a new Ed25519Key.

Parameters

  • key_type (str) – The key type, eg "ssh-ed25519".

  • key_bytes (bytes) – The raw byte data forming the key material, as expected by subclasses’ data parameter.

Returns

A PKey subclass instance.

Raises

UnknownKeyType, if no registered classes knew about this type.

New in version 3.2.

get_base64()

Return a base64 string containing the public part of this key. Nothing secret is revealed. This format is compatible with that used to store public key files or recognized host keys.

Returns

a base64 string containing the public part of the key.

get_bits()

Return the number of significant bits in this key. This is useful for judging the relative security of a key.

Returns

bits in the key (as an int)

get_fingerprint()

Return an MD5 fingerprint of the public part of this key. Nothing secret is revealed.

Returns

a 16-byte string (binary) of the MD5 fingerprint, in SSH format.

get_name()

Return the name of this private key implementation.

Returns

name of this private key type, in SSH terminology, as a str (for example, "ssh-rsa").

classmethod identifiers()

returns an iterable of key format/name strings this class can handle.

Most classes only have a single identifier, and thus this default implementation suffices; see ECDSAKey for one example of an override.

load_certificate(value)

Supplement the private key contents with data loaded from an OpenSSH public key (.pub) or certificate (-cert.pub) file, a string containing such a file, or a Message object.

The .pub contents adds no real value, since the private key file includes sufficient information to derive the public key info. For certificates, however, this can be used on the client side to offer authentication requests to the server based on certificate instead of raw public key.

See: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys

Note: very little effort is made to validate the certificate contents, that is for the server to decide if it is good enough to authenticate successfully.

sign_ssh_data(data, algorithm=None)

Sign a blob of data with this private key, and return a Message representing an SSH signature message.

Parameters

  • data (bytes) – the data to sign.

  • algorithm (str) – the signature algorithm to use, if different from the key’s internal name. Default: None.

Returns

an SSH signature message.

Changed in version 2.9: Added the algorithm kwarg.

verify_ssh_sig(data, msg)

Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key.

Parameters

  • data (bytes) – the data that was signed.

  • msg (Message) – an SSH signature message

Returns

True if the signature verifies correctly; False otherwise.

write_private_key(file_obj, password=None)

Write private key contents into a file (or file-like) object. If the password is not None, the key is encrypted before writing.

Parameters

  • file_obj – the file-like object to write into

  • password (str) – an optional password to use to encrypt the key

Raises

IOError – if there was an error writing to the file

Raises

SSHException – if the key is invalid

write_private_key_file(filename, password=None)

Write private key contents into a file. If the password is not None, the key is encrypted before writing.

Parameters

  • filename (str) – name of the file to write

  • password (str) – an optional password to use to encrypt the key file

Raises

IOError – if there was an error writing the file

Raises

SSHException – if the key is invalid

class paramiko.pkey.PublicBlob(type_, blob, comment=None)

OpenSSH plain public key or OpenSSH signed public key (certificate).

Tries to be as dumb as possible and barely cares about specific per-key-type data.

Note

Most of the time you’ll want to call from_file, from_string or from_message for useful instantiation, the main constructor is basically “I should be using attrs for this.”

__eq__(other)

Return self==value.

__hash__ = None
__init__(type_, blob, comment=None)

Create a new public blob of given type and contents.

Parameters

  • type (str) – Type indicator, eg ssh-rsa.

  • blob (bytes) – The blob bytes themselves.

  • comment (str) – A comment, if one was given (e.g. file-based.)

__ne__(other)

Return self!=value.

__str__()

Return str(self).

__weakref__

list of weak references to the object (if defined)

classmethod from_file(filename)

Create a public blob from a -cert.pub-style file on disk.

classmethod from_message(message)

Create a public blob from a network Message.

Specifically, a cert-bearing pubkey auth packet, because by definition OpenSSH-style certificates ‘are’ their own network representation.”

classmethod from_string(string)

Create a public blob from a -cert.pub-style string.

exception paramiko.pkey.UnknownKeyType(key_type=None, key_bytes=None)

An unknown public/private key algorithm was attempted to be read.

__init__(key_type=None, key_bytes=None)
__str__()

Return str(self).

__weakref__

list of weak references to the object (if defined)

DSA (DSS)

DSS keys.

class paramiko.dsskey.DSSKey(msg=None, data=None, filename=None, password=None, vals=None, file_obj=None)

Representation of a DSS key which can be used to sign an verify SSH2 data.

__init__(msg=None, data=None, filename=None, password=None, vals=None, file_obj=None)

Create a new instance of this public key type. If msg is given, the key’s public part(s) will be filled in from the message. If data is given, the key’s public part(s) will be filled in from the string.

Parameters

  • msg (Message) – an optional SSH Message containing a public key of this type.

  • data (bytes) – optional, the bytes of a public key of this type

Raises

SSHException – if a key cannot be created from the data or msg given, or no key was passed in.

__str__()

Return str(self).

asbytes()

Return a string of an SSH Message made up of the public part(s) of this key. This string is suitable for passing to __init__ to re-create the key object later.

can_sign()

Return True if this key has the private part necessary for signing data.

static generate(bits=1024, progress_func=None)

Generate a new private DSS key. This factory function can be used to generate a new host key or authentication key.

Parameters

  • bits (int) – number of bits the generated key should be.

  • progress_func – Unused

Returns

new DSSKey private key

get_bits()

Return the number of significant bits in this key. This is useful for judging the relative security of a key.

Returns

bits in the key (as an int)

get_name()

Return the name of this private key implementation.

Returns

name of this private key type, in SSH terminology, as a str (for example, "ssh-rsa").

sign_ssh_data(data, algorithm=None)

Sign a blob of data with this private key, and return a Message representing an SSH signature message.

Parameters

  • data (bytes) – the data to sign.

  • algorithm (str) – the signature algorithm to use, if different from the key’s internal name. Default: None.

Returns

an SSH signature message.

Changed in version 2.9: Added the algorithm kwarg.

verify_ssh_sig(data, msg)

Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key.

Parameters

  • data (bytes) – the data that was signed.

  • msg (Message) – an SSH signature message

Returns

True if the signature verifies correctly; False otherwise.

write_private_key(file_obj, password=None)

Write private key contents into a file (or file-like) object. If the password is not None, the key is encrypted before writing.

Parameters

  • file_obj – the file-like object to write into

  • password (str) – an optional password to use to encrypt the key

Raises

IOError – if there was an error writing to the file

Raises

SSHException – if the key is invalid

write_private_key_file(filename, password=None)

Write private key contents into a file. If the password is not None, the key is encrypted before writing.

Parameters

  • filename (str) – name of the file to write

  • password (str) – an optional password to use to encrypt the key file

Raises

IOError – if there was an error writing the file

Raises

SSHException – if the key is invalid

RSA

RSA keys.

class paramiko.rsakey.RSAKey(msg=None, data=None, filename=None, password=None, key=None, file_obj=None)

Representation of an RSA key which can be used to sign and verify SSH2 data.

__init__(msg=None, data=None, filename=None, password=None, key=None, file_obj=None)

Create a new instance of this public key type. If msg is given, the key’s public part(s) will be filled in from the message. If data is given, the key’s public part(s) will be filled in from the string.

Parameters

  • msg (Message) – an optional SSH Message containing a public key of this type.

  • data (bytes) – optional, the bytes of a public key of this type

Raises

SSHException – if a key cannot be created from the data or msg given, or no key was passed in.

__str__()

Return str(self).

asbytes()

Return a string of an SSH Message made up of the public part(s) of this key. This string is suitable for passing to __init__ to re-create the key object later.

can_sign()

Return True if this key has the private part necessary for signing data.

static generate(bits, progress_func=None)

Generate a new private RSA key. This factory function can be used to generate a new host key or authentication key.

Parameters

  • bits (int) – number of bits the generated key should be.

  • progress_func – Unused

Returns

new RSAKey private key

get_bits()

Return the number of significant bits in this key. This is useful for judging the relative security of a key.

Returns

bits in the key (as an int)

get_name()

Return the name of this private key implementation.

Returns

name of this private key type, in SSH terminology, as a str (for example, "ssh-rsa").

classmethod identifiers()

returns an iterable of key format/name strings this class can handle.

Most classes only have a single identifier, and thus this default implementation suffices; see ECDSAKey for one example of an override.

sign_ssh_data(data, algorithm=None)

Sign a blob of data with this private key, and return a Message representing an SSH signature message.

Parameters

  • data (bytes) – the data to sign.

  • algorithm (str) – the signature algorithm to use, if different from the key’s internal name. Default: None.

Returns

an SSH signature message.

Changed in version 2.9: Added the algorithm kwarg.

verify_ssh_sig(data, msg)

Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key.

Parameters

  • data (bytes) – the data that was signed.

  • msg (Message) – an SSH signature message

Returns

True if the signature verifies correctly; False otherwise.

write_private_key(file_obj, password=None)

Write private key contents into a file (or file-like) object. If the password is not None, the key is encrypted before writing.

Parameters

  • file_obj – the file-like object to write into

  • password (str) – an optional password to use to encrypt the key

Raises

IOError – if there was an error writing to the file

Raises

SSHException – if the key is invalid

write_private_key_file(filename, password=None)

Write private key contents into a file. If the password is not None, the key is encrypted before writing.

Parameters

  • filename (str) – name of the file to write

  • password (str) – an optional password to use to encrypt the key file

Raises

IOError – if there was an error writing the file

Raises

SSHException – if the key is invalid

ECDSA

ECDSA keys

class paramiko.ecdsakey.ECDSAKey(msg=None, data=None, filename=None, password=None, vals=None, file_obj=None, validate_point=True)

Representation of an ECDSA key which can be used to sign and verify SSH2 data.

__init__(msg=None, data=None, filename=None, password=None, vals=None, file_obj=None, validate_point=True)

Create a new instance of this public key type. If msg is given, the key’s public part(s) will be filled in from the message. If data is given, the key’s public part(s) will be filled in from the string.

Parameters

  • msg (Message) – an optional SSH Message containing a public key of this type.

  • data (bytes) – optional, the bytes of a public key of this type

Raises

SSHException – if a key cannot be created from the data or msg given, or no key was passed in.

__str__()

Return str(self).

asbytes()

Return a string of an SSH Message made up of the public part(s) of this key. This string is suitable for passing to __init__ to re-create the key object later.

can_sign()

Return True if this key has the private part necessary for signing data.

classmethod generate(curve=<cryptography.hazmat.primitives.asymmetric.ec.SECP256R1 object>, progress_func=None, bits=None)

Generate a new private ECDSA key. This factory function can be used to generate a new host key or authentication key.

Parameters

progress_func – Not used for this type of key.

Returns

A new private key (ECDSAKey) object

get_bits()

Return the number of significant bits in this key. This is useful for judging the relative security of a key.

Returns

bits in the key (as an int)

get_name()

Return the name of this private key implementation.

Returns

name of this private key type, in SSH terminology, as a str (for example, "ssh-rsa").

classmethod identifiers()

returns an iterable of key format/name strings this class can handle.

Most classes only have a single identifier, and thus this default implementation suffices; see ECDSAKey for one example of an override.

sign_ssh_data(data, algorithm=None)

Sign a blob of data with this private key, and return a Message representing an SSH signature message.

Parameters

  • data (bytes) – the data to sign.

  • algorithm (str) – the signature algorithm to use, if different from the key’s internal name. Default: None.

Returns

an SSH signature message.

Changed in version 2.9: Added the algorithm kwarg.

verify_ssh_sig(data, msg)

Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key.

Parameters

  • data (bytes) – the data that was signed.

  • msg (Message) – an SSH signature message

Returns

True if the signature verifies correctly; False otherwise.

write_private_key(file_obj, password=None)

Write private key contents into a file (or file-like) object. If the password is not None, the key is encrypted before writing.

Parameters

  • file_obj – the file-like object to write into

  • password (str) – an optional password to use to encrypt the key

Raises

IOError – if there was an error writing to the file

Raises

SSHException – if the key is invalid

write_private_key_file(filename, password=None)

Write private key contents into a file. If the password is not None, the key is encrypted before writing.

Parameters

  • filename (str) – name of the file to write

  • password (str) – an optional password to use to encrypt the key file

Raises

IOError – if there was an error writing the file

Raises

SSHException – if the key is invalid

Ed25519

class paramiko.ed25519key.Ed25519Key(msg=None, data=None, filename=None, password=None, file_obj=None)

Representation of an Ed25519 key.

Note

Ed25519 key support was added to OpenSSH in version 6.5.

New in version 2.2.

Changed in version 2.3: Added a file_obj parameter to match other key classes.

__init__(msg=None, data=None, filename=None, password=None, file_obj=None)

Create a new instance of this public key type. If msg is given, the key’s public part(s) will be filled in from the message. If data is given, the key’s public part(s) will be filled in from the string.

Parameters

  • msg (Message) – an optional SSH Message containing a public key of this type.

  • data (bytes) – optional, the bytes of a public key of this type

Raises

SSHException – if a key cannot be created from the data or msg given, or no key was passed in.

asbytes()

Return a string of an SSH Message made up of the public part(s) of this key. This string is suitable for passing to __init__ to re-create the key object later.

can_sign()

Return True if this key has the private part necessary for signing data.

get_bits()

Return the number of significant bits in this key. This is useful for judging the relative security of a key.

Returns

bits in the key (as an int)

get_name()

Return the name of this private key implementation.

Returns

name of this private key type, in SSH terminology, as a str (for example, "ssh-rsa").

sign_ssh_data(data, algorithm=None)

Sign a blob of data with this private key, and return a Message representing an SSH signature message.

Parameters

  • data (bytes) – the data to sign.

  • algorithm (str) – the signature algorithm to use, if different from the key’s internal name. Default: None.

Returns

an SSH signature message.

Changed in version 2.9: Added the algorithm kwarg.

verify_ssh_sig(data, msg)

Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key.

Parameters

  • data (bytes) – the data that was signed.

  • msg (Message) – an SSH signature message

Returns

True if the signature verifies correctly; False otherwise.