[Twisted-Python] Need help with SSHUserAuthClient keyfile and passphrase

Stephen McRoberts steveo at mcroberts.org
Tue Jul 11 12:02:35 MDT 2017


My auth code works for a public keyfile on my local servers but I can't get it to work with a private key.

***Here's an ssh debug list when I login at the console (not twisted):
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sten/.ssh/mcroberts.org-rsa
debug1: key_load_private_type: incorrect passphrase supplied to decrypt private key
Enter passphrase for key '/home/sten/.ssh/myserver.com-rsa': 
debug1: Authentication succeeded (publickey).

***Here's my twisted log:
2017-07-11 12:47:03-0500 [] can continue with: ['publickey', 'password']
2017-07-11 12:47:03-0500 [] trying to auth with publickey
2017-07-11 12:47:03-0500 [] KeyFileAuth.getPublicKey
2017-07-11 12:47:03-0500 []    pubkeyfile=None
2017-07-11 12:47:03-0500 [] KeyFileAuth.getPrivateKey
2017-07-11 12:47:03-0500 []    /home/steve/.ssh/mcroberts.org-rsa is encrypted - looking for passphrase
2017-07-11 12:47:03-0500 [] trying to auth with password

Note that they both only ask for ['publickey', 'password']. My following code attempts the same but fails.
Here's my source code. This is called from the SSHConnection class before starting service. The verify host is already done.

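import logging
import os

from twisted.conch.ssh import keys, userauth
from twisted.internet import defer
from twisted.python import log

class KeyFileAuth(userauth.SSHUserAuthClient):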
    #https://twistedmatrix.com/documents/current/api/twisted.conch.ssh.userauth.SSHUserAuthClient.html
    #http://twistedmatrix.com/documents/current/api/twisted.conch.ssh.keys.Key.html

    def __init__(self, config, user, instance):
        self.config = config
        self.user = user
        log.msg("KeyFileAuth - requesting auth for user %s @ %s" % (user,config.get('host')), level=logging.DEBUG)
        userauth.SSHUserAuthClient.__init__(self,user,instance)
    
    #--------------------------
    def getPublicKey(self):
        log.msg("KeyFileAuth.getPublicKey", level=logging.DEBUG)
        kf = self.config.get('pubkeyfile')
        log.msg("   pubkeyfile=%s" % (kf), level=logging.DEBUG)
        if kf is not None:
            try:
                if kf.startswith('~'):
                    kf = os.path.expanduser(kf)
                if not os.path.exists(kf):
                    msg = "   No such pubkeyfile=%s" % (kf)
                    return defer.fail(msg)
            except Exception as e:
                # build the message here: msg is not set when the try block raises
                msg = "   provided pubkeyfile=%s raised %s" % (kf,e)
                log.err(msg)
                return defer.fail(msg)
        #
        # no apparent public keyfile in config
        # private keyfile - this is the way ssh -v shows it done as in:
        #     debug1: Authentications that can continue: publickey,password
        #     debug1: Next authentication method: publickey
        #     debug1: Trying private key: /home/steve/.ssh/awebsite.com-rsa
        #
        elif self.config.get('keyfile') is not None:
            return self.getPrivateKey()
        return defer.fail("KeyFileAuth.getPublicKey out of options")
    
    #--------------------------
    def getPrivateKey(self):
        log.msg("KeyFileAuth.getPrivateKey", level=logging.DEBUG)
        kf = self.config.get('keyfile')
        if kf is not None:
            try:
                if kf.startswith('~'):
                    kf = os.path.expanduser(kf)
                if not os.path.exists(kf):
                    msg = "   No such keyfile=%s" % (kf)
                    return defer.fail(msg)
            except Exception as e:
                msg = "   provided keyfile=%s raised %s" % (kf,e)
                return defer.fail(msg)
        try:
            return defer.succeed(keys.Key.fromFile(kf))
        except keys.EncryptedKeyError:
            log.msg("   %s is encrypted - looking for passphrase" % (kf), level=logging.INFO)
            if self.config.get('passphrase'):
                passphrase = self.config.get('passphrase')
                return defer.succeed(keys.Key.fromFile(kf, passphrase))
            else:
                msg = "   No passphrase found for keyfile=%s" % (kf)
                return defer.fail(msg)
        except Exception as e:
            msg = "   keyfile=%s raised %s" % (kf,e)
            return defer.fail(msg)
        return defer.fail("KeyFileAuth.getPrivateKey out of options")



