Basically, I want the result of

base64.b64encode(my_public_key._decoded_key)

except that this relies on the internal attribute SSHKey._decoded_key. If I could access my_public_key._decoded_key directly, that would work as well.

My use case is that I am given a list of SSH fingerprints in the format printed by ssh-add -L, and I have to figure out whether a given key is registered in the agent or not, based on the public key file which I'm parsing using python-sshpubkeys.

I'm trying to package your module as an rpm package. So I'm using the typical PEP517 based build, install and test cycle used on building packages from non-root account.

• python3 -sBm build -w --no-isolation
• because I'm calling build with --no-isolation I'm using during all processes only locally installed modules
• install .whl file in </install/prefix>
• run pytest with PYTHONPATH pointing to sitearch and sitelib inside </install/prefix>

I see that files in tests/ are using unittest whic pytest can handle if test suite is correctly written.
Nevertheless IMPO it woiuld be better to migrate to pytest because unittest is not maintained (this is why +95% of all modules test suite are using already pytest).

Here is pytest output:

+ PYTHONPATH=/home/tkloczko/rpmbuild/BUILDROOT/python-sshpubkeys-3.3.1-14.fc35.x86_64/usr/lib64/python3.8/site-packages:/home/tkloczko/rpmbuild/BUILDROOT/python-sshpubkeys-3.3.1-14.fc35.x86_64/usr/lib/python3.8/site-packages
+ /usr/bin/pytest -ra
==================================================================== test session starts =====================================================================
platform linux -- Python 3.8.13, pytest-7.1.2, pluggy-1.0.0
rootdir: /home/tkloczko/rpmbuild/BUILD/python-sshpubkeys-3.3.1
plugins: subtests-0.7.0, timeout-2.1.0
collected 0 items

=================================================================== no tests ran in 0.07s ====================================================================

SSHKey() raises MalformedDataException for the following key:

ssh-dss AAAAB3NzaC1kc3MAAACBAJKa9kgpSUBLgPwgkRvYDayXIjigt36VZShchgKSNxjOXfuJpNP7BUZFJSqE1ZKvMcmMKah2V15a+aV8H5TnFYSUT+aq5BH2lSxx5cHQ/xrSMBobqjxQHQJshrHugnrBmXvhadWHZ8T/kV0agddRTuC/nY28RA2OOLFukEc2C/O7AAAAFQDMCEXIHwdtyxv0HDBHhN+N9pzedwAAAIB7zE3EQ8tHvEhoHZ3lc53qMCfow64rv5L0eim6hqC/cwzWHGFk9PXAHgXOZBMB9P2gCdiL1Vydru/6ib3EbzAGR21xhvxlrZQqtJ7jKql0ZbVCqzYijBwJCU2OAvaxjyTZwg5o87h1LqxU9RRFJTJerMCcnEy4X7iIIF2S8TLeswAAAIAxQ9/DLm7l3X438VFgdTKSOrrfgx5q5/sKXgauNTxaYfDEBlmWdFZme3+lB1gR0td9NMxH/ffntXd8ilB+9O8E87+K0Fi7aDWlToVbsvtyK/gLTwzg+qEjeHkbjN7yUltvhzzvLkJN7NodWx4ECNP9Kuxzxq711uoFOiC+pFjJhQ==

but it appears to be valid because ssh-keygen -lf file shows:

1024 ff:eb:5b:a2:31:26:4a:2f:90:60:93:1d:1c:e5:ac:40 file (DSA)

Would it be possible to extract the comment. It is useful as a means to identify a key by name.

A recent issue with dependency ecsda 0.14.0 (tlsfuzzer/python-ecdsa#159) caused fatal errors with sshpubkeys library.

To mitigate this type of issue with dependencies I suggest pinning to specific versions VS minimum versions.
https://github.com/ojarva/python-sshpubkeys/blob/master/setup.py#L35
IE: == operator vs >=

Also, since this is a public project, a service like https://pyup.io/ can be used to continually monitor dependencies.

Thanks -JH

Hi,

as by #21 would be wonderful to handle full parsing of authorized_keys files, including empty and commented-out lines.

I will try to manage in the future a PR, if it will not happens before.

Thanks,
Daniele

Hi,

commented lines gives this error:

Traceback (most recent call last):
[...]
ssh_obj.parse()
File "[...]/sshpubkeys/init.py", line 399, in parse
key_parts = self._split_key(keydata)
File "[...]/sshpubkeys/init.py", line 206, in _split_key
self.options = self.parse_options(self.options_raw)
File "[...]/sshpubkeys/init.py", line 267, in parse_options
parse_add_single_option(opt)
File "[...]/sshpubkeys/init.py", line 240, in parse_add_single_option
raise InvalidOptionNameException("%s is not valid option name." % opt_name)
sshpubkeys.exceptions.InvalidOptionNameException: #ssh-rsa is not valid option name.

Hi,
The key below works, but sshpubkeys certainly doesn't like it. Any suggestions?

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxmlwW50PufyAgHkLehNP4xHnSumqnfrKtW9fIzw2TLP8zfOCyUZFqCfXhegtV22a4wqPOJu4KYU6q1QEnWJtQwJiwtmoCBWOd8zi0OpgNEwxMnJfMGircwZPWPL1+wKiYRiXWsujtu8bAfNBFbx2rfKyv4yxhQoZQFrmjsJhWrLx7fCb5Yq7965c4A0YHrAyffx8k+Fh1UrwUfpTtP+Tr7UV2Vq8bYz9SM+1dmO8UTvWjsvizSMJN6sBdH1h7xdAGIrDUTke3UF8Pp/zyLtpUzfHzbbzW7p5oj89P/0WZnTZsIc0c4KHkmn9O8/fsW6qAxijEz2nU/OtH1A3iLJyNw==

Thanks.

Hi,

Thank you for sharing! We're using it to validate our public keys and I hope make our "public-key system management" Open Source soon.

BTW, I believe the new default min size for rsa keys is now 2048 bits. How about upgrade the default min value to 2048 ?

Thank you,

Thanks for this library.

I am creating keys using the SSHKey object providing each bit and pieces from a database.

I would like now generating a line of authorized_keys with this entry, what function should I add to the SSHKey object to serialize it in such a compatible string?

print ssh.hash_md5() output include "MD5: xx:xx......"
openssl -lf key_file no

Are you interested in supporting typing?

If you are interested, I will add type hints.

our current FIPS standard for DSA keys allows for (p,q) pairs of:

L = 1024, N = 160
L = 2048, N = 224
L = 2048, N = 256
L = 3072, N = 256

SSHKeys currently enforces 1024 bits which isn't accurate. The vast majority of SSH keys are created with ssh-keygen which enforces 1024 bits for DSA keys, however, keys are easily made with other software and as long as the math is correct, the key will work with SSH

Before making a PR I just wanted to check that I did not miss anything that supports the editing of the authorized_keys file.

Noticed today that I was not using the latest version of this module, and upon investigation it seems that this is because the last version in PyPI is 3.3.1.

Looks like the CI failed to push version 3.2.0 to PyPI due to an authentication problem ( https://github.com/ojarva/python-sshpubkeys/actions/runs/6868575502/job/18679462685 )- I think it just needs the credential to be updated.

It appears that in py3 there may be an issue with the hash computation. I have not diagnosed fully. This happens when I call ssh.hash_sha256().

...
    'hash': ssh.hash_sha256(),
  File "/usr/local/lib/python3.5/dist-packages/sshpubkeys-3.1.0-py3.5.egg/sshpubkeys/keys.py", line 162, in hash_sha256
    fp_plain = hashlib.sha256(self._decoded_key).digest()
TypeError: object supporting the buffer API required

python-crypto is no longer available in rhel7
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Migration_Planning_Guide/sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-Removed_Packages.html

Supported alternative would be very appreciated.
m2crypto seems supported on python2 from at least debian/ubuntu and centos/rhel.

Thanks,

My authorized keyfile looks like:

command="/app/gitea/gogs serv key-1 --config='/data/gitea/conf/app.ini'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUH93fkttfAkc+Z8z2X5EhJ9dIujEv6Bj4JY/YYoI+1BEoSC31eH5mxLP4lUphAFnK39jFrIOR0DUvMuOp+cEI2Mwne1FJS3UTEkIk3Fo3RFwZwIu427KM5G1ZnUi/8+TWA17DxKMP1zctIfJXEZOz0foSPKTJGWr2ZxnTkDquiHXeCH6Hda9LWieyjfIUh8R6ioJ6bE5tLjudRQrs3jpHaMPh2y/Qxv1x2lKB+598zz3rpCGZdzARisOBS+/kvV2V9nrukcDuVHO91VzdqM/U2lF0yo5+/L07o08ULtvxmJsNa3aYjLPcJ5r6bDPBb/OI7VsqUTrW5XqxPTclrxN5

and when I put the contents of it into key_file = AuthorizedKeysFile(...) I get the following error:
sshpubkeys.exceptions.MalformedDataError: Couldn't find beginning of the key data
I've tried various different options for disallow_options=, skip_option_parsing= and strict=, however all still result in the same error.

It would be helpful to also be able to write the contents of an AuthorizedKeysFile instance out to disk, in addition to parsing authorized_keys. This probably wouldn't involve too much refactoring of the class.

http://ed25519.cr.yp.to/software.html
http://ed25519.cr.yp.to/ed25519-20110926.pdf

authorized_keys files allow tabs as separators, backslash-escaped double quotes in option values and require double quotes around option values.

These cases are not treated correctly by sshpubkeys.AuthorizedKeysFile. See attached example file for test cases.
ak.txt

openssh 8.2 introduced two new key formats for use with U2F/FIDO2 security keys. It would be quite nice to have support for these key types in sshpubkeys.

Their formats are described in PROTOCOL.u2f:

The format of a [email protected] public key is:

	string		"[email protected]"
	string		curve name
	ec_point	Q
	string		application (user-specified, but typically "ssh:")

The format of a [email protected] public key is:

	string		"[email protected]"
	string		public key
	string		application (user-specified, but typically "ssh:")

I believe that these key formats are the same as the non sk- prefixed versions, except with the addition of an "application" string, so they should be fairly easy to support.

The following code (shown as example in the readme) will not run

AuthorizedKeysFile("""ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGODBKRjsFB/1v3pDRGpA6xR+QpOJg9vat0brlbUNDD\n"""
           """#This is a comment\n\n"""
           """ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF9QpvUneTvt8"""
           """lu0ePSuzr7iLE9ZMPu2DFTmqh7BVn89IHuQ5dfg9pArxfHZWgu9lMdlOykVx0I6OXkE35A/mFqwwApyiPmiwno"""
           """jmRnN//pApl6QQFINHzV/PGOSi599F1Y2tHQwcdb44CPOhkUmHtC9wKazSvw/ivbxNjcMzhhHsWGnA=="""
           strict=True, disallow_options=True)

It seems that method AuthorizedKeysFile() requires a list of strings as input and not a string.
Also a comma is missing after the last """

Hello,

when I do

from sshpubkeys import SSHKey
test = "ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAQDPWKPR4XKgibQQixw25NIl8+zVKIWf9NabGjALfXDTjH4amm3Vc5enkqnwAnGPf5NjDlwghBR+L1N9D4v4x8m4iQxM7ic+crPFvO4eqt04RXHIObkM3cfzgrt8bGjdGfAmcvfQw482+8qtxWQGoIwr+4WCi2lZwfoRG/R3522eeNw3C1VhUpOn4swrBCVU7PkJjFLmNWlA+TirqeCeuSIadosgWDtr3JxshI7op8w4xkvqpKWIV1qX+SN/xg8lY8zkN+l8DwvxM87SP/jlginwi9RyWjNA2FTqOS24LrY4crorBkwRXnX0cX3G0Vl8YH70x0ZwtWL4xYU48WyVzzax7n3Wa1rsnrMD+Yngxdl8+N7tCD1cLWPqsiB5ZW6p3SedcaIF/jtWtpwfJmaWM+udsdwx8l1emxtibnxxx/3z5qslrDVe6NDG1D060puTLbGPoA98WlTdaQkTt/66OJnob/NgWprN9qUoGat6kVd81pDpodQ+fYyf+cAo/NzWSyo0UVXNR+Zq8pgUCrRb7leaC1pAd8QNJqG28bTaVTURwFjdE6yBpUi+FnHUKwl3KjoyIVnAMXrVJOwQxL0sUf3YMrUyUjDmwpGoUFQr7CkwDcFTARfeSjFf1it8a6M8dPrUHo8CBBPLPJz7NK8PDZclIgtpD5/50BIKR488TybypQ=="
SSHKey(test)

I get the following error:

Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "/.../venv/lib/python3.7/site-packages/sshpubkeys/keys.py", line 132, in __init__
    self.parse(keydata)
  File "/.../venv/lib/python3.7/site-packages/sshpubkeys/keys.py", line 428, in parse
    print(unpacked_key_type.decode(encoding="ascii", errors="ignore"))
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x83 in position 0: invalid start byte

To me the key looks fine and I wasn't able to figure out what exactly is causing the issue.

Python 3.7.0 and 3.6.4
sshpubkeys 3.1.0

GHSA-pwfw-mgfj-7g3g

I guess you might not think it a bug at all: SSHKey() throws an exception (Unable to decode the key), when fed with a line that contains authorized_keys data (options followed by key type, key data and comment).

Would you accept a patch/PR with an implementation of such feature?

I would expect this key to work in non-strict mode. It looks like the error comes from a check in the cryptography library. Maybe this was working in earlier versions of cryptography?

from sshpubkeys import SSHKey
short_dss_key = 'ssh-dss AAAAB3NzaC1kc3MAAACAd+4e5gmIwRZ6ndOdZ6tYFjQUw6bvNhvxooYiPYkygvalV0HPiC80bHZ90p0xnG8h' \
                'bzbC1fSK2V8dqtSou11VFXpffKsvtTW4gFv8W/DfOU34pU/RShHWhWQwidvyxAmwbhX5pGey6lmN+EBaDq9C/zAxB559' \
                '7ABTQtWRKnIlEUcAAAAVALGWA77DZ+oYthZyeAlHtvuTdnvHAAAAgEGg/LZkUXf0V7MGNWpYTXky19l3QgoNMj8KjDcx' \
                'vPXAMBqZte2nuDueD6V4buz7TdbsrtRfW0r8NzqmsvOOdIagb78U7pzFJcgDdUFCM0X32j0FAWOM9khipAr/ZJcZLapr' \
                'aRfKAlUzLPhsL9GpQrfTKqeTb1U18xE6lUQztfiNAAAAgBMV/Jwk5Jx5zzXvINesaO0+jCmhjZNM8FTkiHi+jQmmbNl3' \
                'NMHoG54pXK0i9e/6VLO/d7elJHZWyLyNi5kGn1UimWQIOR4CPJYuOs/PlrdrKiAY+HIzLtQZ0OO9vGkTISvc+P8KWcSt' \
                'OlFAvu7DiQ3cWxQqcDZ/VPl7LpFXSGOU foo'
SSHKey(short_dss_key, strict=False, disallow_options=False, skip_option_parsing=True)

Traceback (most recent call last):
  File "/home/ben/Development/project/hypernodedb/tests/models/test_ssh_key.py", line 48, in test_ssh_key_properties_return_an_empty_string_when_public_key_is_invalid
    SSHPubKey(short_dss_key, strict=False, disallow_options=False, skip_option_parsing=True)
  File "/home/ben/Development/project/env/lib64/python3.4/site-packages/sshpubkeys/keys.py", line 132, in __init__
    self.parse(keydata)
  File "/home/ben/Development/project/env/lib64/python3.4/site-packages/sshpubkeys/keys.py", line 433, in parse
    key_data_length = self._process_key(self._decoded_key[current_position:])
  File "/home/ben/Development/project/env/lib64/python3.4/site-packages/sshpubkeys/keys.py", line 389, in _process_key
    return self._process_ssh_dss(data)
  File "/home/ben/Development/project/env/lib64/python3.4/site-packages/sshpubkeys/keys.py", line 344, in _process_ssh_dss
    self.dsa = DSAPublicNumbers(data_fields["y"], dsa_parameters).public_key(default_backend())
  File "/home/ben/Development/project/env/lib64/python3.4/site-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 206, in public_key
    return backend.load_dsa_public_numbers(self)
  File "/home/ben/Development/project/env/lib64/python3.4/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 615, in load_dsa_public_numbers
    dsa._check_dsa_parameters(numbers.parameter_numbers)
  File "/home/ben/Development/project/env/lib64/python3.4/site-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 132, in _check_dsa_parameters
    raise ValueError("p must be exactly 1024, 2048, or 3072 bits long")
ValueError: p must be exactly 1024, 2048, or 3072 bits long

Library versions:

cryptography==2.3.1
sshpubkeys==3.1.0

Do you have an idea on a workaround for this?

Is this function name intentional?

Hi,
Thanks for the wonderful project.

I wonder why the project has sshpubkeys has pycrypto as dependent requirement and not pycryptodome . The former does not seem to be maintained anymore.

I am using this simple function, which works from a terminal, but it doesn't work from Django:

def validate_ssh_public_key(key_string):
    """validate ssh public key"""
    try:
        ssh = SSHKey(key_string)
    except Exception as err:
        print("Error running SSHKey:", err)
        return False

    try:
        ssh.parse()
        return True
    except Exception as err:
        print("Error running ssh.parse():", err)
        return False

and I get this error:

Error running SSHKey: _SSHCipher() takes no arguments

Hello, it appears your recent release is incompatible with python 2.7, however it is possible to install using pip2. Can you either fix this incompatibility or disallow installation on python 2.7 using python_requires?

Steps to reproduce:

pip2 install sshpubkeys==3.2.0
python2
import sshpubkeys

Python 2.7.16 (default, Jul 10 2019, 03:39:20)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sshpubkeys
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/sshpubkeys/__init__.py", line 2, in <module>
    from .keys import *  # pylint:disable=wildcard-import
  File "/usr/local/lib/python2.7/site-packages/sshpubkeys/keys.py", line 176
    raise MalformedDataError("Unable to unpack %s bytes from the data" % self.INT_LEN) from ex
                                                                                          ^
SyntaxError: invalid syntax

Using the latest version I am having a problem using the parse function that was working under python2 previously.

  File "/opt/ssh_key_deploy.py", line 321, in <module>
    main()
  File "/opt/ssh_key_deploy.py", line 316, in main
    key_deploy.get_ssh_keys()
  File "/opt/ssh_key_deploy.py", line 191, in get_ssh_keys
    ssh.parse()
  File "/usr/local/lib/python3.9/site-packages/sshpubkeys/keys.py", line 457, in parse
    if keydata.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
TypeError: startswith first arg must be bytes or a tuple of bytes, not str

Do you have any thoughts or assistance?