ED25519 key files cannot be loaded on Windows #285

Open
GaryA50 opened this issue Mar 5, 2021 · 11 comments
@GaryA50

GaryA50 commented Mar 5, 2021

Describe the bug
ED25519 key pairs don't work to connect to ubuntu server

To Reproduce

```python
from pssh.clients import SSHClient
import sys
import traceback

class SSHComm():
    def __init__(self):
        try:
            self.client = SSHClient(
                "192.168.0.201", user="ubuntu",
                pkey="c:\\Users\\Admin\\.ssh\\piubuntu_ed25519", timeout=5,
                allow_agent=False)
        except Exception:
            # Print the exception tuple instead of re-raising
            print("Server connection", sys.exc_info())
```

Expected behavior
The key pair should authenticate to allow communications.

Actual behaviour
The code fails with AuthenticationError.

Additional information
System: parallel-ssh v2.5.4, Win 10 Pro v10.0.19401, Microsoft openssh v7.7.2.1, Python v3.8.6, Ubuntu-server 20.04

The ED25519 key pair was created using ssh-keygen -t ED25519.

The key pair also fails when pkey is deleted and allow_agent=True

However, the same ED25519 key pair is used successfully to make a connection to the server using cli and ssh agent.

The same result occurred with a second ED25519 key pair.

If an rsa key pair is used instead, the code above works as expected after pkey is changed to the name of the rsa key.

@pkittenis
Member

Hello,

Thanks for the interest and report. Have used ED25519 keys many times myself with no issues.

Can you enable debug logging and post the complete output of the above code?

```python
from pssh.utils import enable_debug_logger

enable_debug_logger()
```

@GaryA50
Author

GaryA50 commented Mar 8, 2021

There are three blocks below. The first shows the output from enable_debug_logger. The second shows the output from the print() in my code. The third shows the successful authentication from the command line without entry of password. Note that Welcome to Ubuntu was shown three times after the first login from the command line, but only once the second time. I'm wondering if that is a result of the three unsuccessful authentications by parallel-ssh.

```
Connecting to 192.168.0.201:22
Proceeding with private key file authentication
Proceeding with private key file authentication
Proceeding with private key file authentication
```

```
Server connection (<class 'pssh.exceptions.AuthenticationError'>, AuthenticationError('Authentication error while connecting to %s:%s - %s', '192.168.0.201', 22, FileError()), <traceback object at 0x0000014BD4943D80>)
```

```
PS C:\Windows\System32> ssh ubuntu@192.168.0.201
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

System information as of Mon Mar 8 20:58:26 UTC 2021

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

System information as of Mon Mar 8 20:58:26 UTC 2021

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

System information as of Mon Mar 8 20:58:26 UTC 2021

System load: 1.29 Temperature: 31.2 C
Usage of /: 2.6% of 109.78GB Processes: 146
Memory usage: 8% Users logged in: 0
Swap usage: 0% IPv4 address for eth0: 192.168.0.201

ubuntu@ubuntu:~$ logout
Connection to 192.168.0.201 closed.
PS C:\Windows\System32> ssh ubuntu@192.168.0.201
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)

System information as of Mon Mar 8 21:04:25 UTC 2021

System load: 1.0 Temperature: 37.0 C
Usage of /: 2.6% of 109.78GB Processes: 140
Memory usage: 8% Users logged in: 0
Swap usage: 0% IPv4 address for eth0: 192.168.0.201

Last login: Mon Mar 8 20:58:28 2021 from 192.168.0.113
ubuntu@ubuntu:~$
```

@pkittenis
Member

pkittenis commented Mar 9, 2021

Can you show output of ssh -v ubuntu@192.168.0.201 -i <key file>. FileError means the private key file provided could not be loaded.

@GaryA50
Author

GaryA50 commented Mar 9, 2021

To get single \ in path to file on first line in Github Preview tab, I had to use \\ on the Github Write tab. Also, all the \\ on the Preview tab were \\\\ on the write tab and were copied directly from powershell.

```
PS C:\Windows\System32> ssh -v ubuntu@192.168.0.201 -i c:\\Users\\Admin\\.ssh\\piubuntu_ed25519
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Connecting to 192.168.0.201 [192.168.0.201] port 22.
debug1: Connection established.
debug1: identity file c:\\\\Users\\\\Admin\\\\.ssh\\\\piubuntu_ed25519 type 3
debug1: key_load_public: No such file or directory
debug1: identity file c:\\\\Users\\\\Admin\\\\.ssh\\\\piubuntu_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.201:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7AWqFUm+6tRdfO31h3IeoYlYEba/LBddhUpipUjCT3k
debug1: Host '192.168.0.201' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\Admin/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:/dwUGC1CQ11uZRDemY0tszAeUXwoy30E8TWLl7Amod4 c:\\\\Users\\\\Admin\\\\.ssh\\\\piubuntu_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.0.201 ([192.168.0.201]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1029-raspi aarch64)
```

@pkittenis
Member

pkittenis commented Mar 10, 2021

Best to try generating the key on linux instead of windows - have used such keys on windows clients successfully. It looks like libssh2 might not be able to read windows generated key files.

If you can attach a new key generated on windows here - one you are not using - that would be helpful to debug with.

Also, can surround text blocks with ``` in order to stop github formatting it.

@GaryA50
Author

GaryA50 commented Mar 11, 2021

I generated a new ED25519 key in Ubuntu 20.04 and tested on Windows SSH client without success. Then, I tested that key as well as a Windows generated key in Ubuntu SSH client and they both worked perfectly. Did you use Microsoft OpenSSH in Windows?

Attached is a key generated on Windows.
Test key.zip

@pkittenis
Member

pkittenis commented Mar 11, 2021

> new ED25519 key in Ubuntu 20.04 and tested on Windows SSH client without success

Have never used Windows' ssh tools. OpenSSH generated keys on linux work on windows clients, by clients meaning this library, not Windows' openssh tools.

The windows tools are supposed to be openssh so a key generated on linux openssh not working on windows openssh sounds like an openssh issue.

pkittenis changed the title from "Cannot Authenticate Using ED25519 Keys" to "Windows generated ED25519 key file cannot be loaded" on Mar 11, 2021

@GaryA50
Author

GaryA50 commented Mar 11, 2021

I see that my terminology was not correct in our last exchange. I'll rephrase.
It does not matter whether the ED25519 key is created in linux or windows. It works in parallel-ssh in linux, but does not work in parallel-ssh in windows.

Also, if the ED25519 file is replaced by an rsa file, it works in parallel-ssh in both OS. Password works, too.

Here is stripped down code I used to test in both OS.

```python
from pssh.clients import SSHClient
import sys
import traceback
from pssh.utils import enable_debug_logger

class SSHComm():
    def __init__(self):
        enable_debug_logger()
        try:
            # Ubuntu-server, ethernet, passing private key from windows
            self.client = SSHClient(
                "192.168.0.201", user="ubuntu",
                timeout=5, pkey="c:\\Users\\Admin\\.ssh\\piubuntu2_ed25519",
                allow_agent=False)
            # Ubuntu-server, ethernet, passing private key from ubuntu
            # self.client = SSHClient("192.168.0.201", user="ubuntu",
            #     pkey="~/.ssh/piubuntu2_ed25519", timeout=5,
            #     allow_agent=False)
        except Exception:
            # Print the exception tuple instead of re-raising
            print("Server connection", sys.exc_info())


print("Initializing SSHComm()")
SSHComm()
print("Finished with initialization")
```

Aside from this issue, which I can work around, parallel-ssh is performing well for me. Thanks for your work.

@pkittenis
Member

Have used ED25519 and ECDSA keys with parallel-ssh on windows, yes. Let me confirm they work with latest version as well.

The only instance I've seen of them not working on Windows is from self-built ssh2-python that uses WinCNG instead of OpenSSL for a crypto back-end. Those key types are only supported with OpenSSL.

If parallel-ssh was installed via pip, it has installed a binary wheel of ssh2-python with OpenSSL included. If self-building.. my only suggestion is don't.

@GaryA50
Author

GaryA50 commented Mar 21, 2021

Testing has been done using two configurations, both including parallel-ssh installed with pip. The first configuration started with a minimal conda environment. The second was on a different computer with python installed directly in windows without use of any environment.

pkittenis changed the title from "Windows generated ED25519 key file cannot be loaded" to "ED25519 key file cannot be loaded on Windows" on Mar 25, 2021

@pkittenis
Member

Have been able to reproduce - ED25519 keys cannot be loaded on windows. Same key can be loaded on linux.

ECDSA keys work on windows.

It could be an issue with windows wheel builds or a bug with libssh2 - yet to confirm.
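
Added example (not part of the thread, and not parallel-ssh, ssh2-python or libssh2 code): a pre-flight check that reads only the unencrypted header of a private key file and reports its container format, key type and cipher, so a `FileError` like the one above can be tied to the kind of key being loaded. The `openssh-key-v1` layout follows OpenSSH's PROTOCOL.key; `inspect_key` and `make_sample` are hypothetical names, and the sample is a constructed header-only blob with a zeroed public key.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
END = b"-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(data):
    """Report container format, key type and cipher; the private section is not parsed."""
    info = {"format": "unknown", "key_type": None, "cipher": None}
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        if lines and lines[0].startswith(b"-----BEGIN "):
            info["format"] = "pem"  # some other PEM container, e.g. RSA or EC
        return info
    blob = base64.b64decode(b"".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    _kdfname, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    pub, _ = _read_string(blob, off + 4)  # skip the uint32 key count
    key_type, _ = _read_string(pub, 0)
    info.update(format="openssh-key-v1", cipher=cipher.decode("ascii"),
                key_type=key_type.decode("ascii"))
    return info

def _s(b):
    return struct.pack(">I", len(b)) + b

def make_sample(key_type=b"ssh-ed25519", cipher=b"none"):
    """Constructed header-only sample with a zeroed public key; not a usable key."""
    pub = _s(key_type) + _s(bytes(32))
    blob = MAGIC + _s(cipher) + _s(b"none") + _s(b"") + struct.pack(">I", 1) + _s(pub)
    b64 = base64.b64encode(blob)
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"\r\n".join([BEGIN, *body, END]) + b"\r\n"
```

Read the key in binary mode and pass the bytes, e.g. `inspect_key(open(path, "rb").read())`. A result of `ssh-ed25519` identifies the key type this thread reports failing to load on Windows.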

pkittenis changed the title from "ED25519 key file cannot be loaded on Windows" to "ED25519 key files cannot be loaded on Windows" on Mar 25, 2021