paramiko.ssh_exception.SSHException: encountered RSA key, expected OPENSSH key #1612

Closed
bse-sja opened this issue Jan 27, 2020 · 14 comments

@bse-sja

bse-sja commented Jan 27, 2020

Providing key file name to client.connect
Key file starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
Code works fine under linux but on windows I get:
paramiko.ssh_exception.SSHException: encountered RSA key, expected OPENSSH key

python3.8 on windows. python3.6 on linux.
Windows deps:
paramiko==2.7.1

  • bcrypt [required: >=3.1.3, installed: 3.1.7]
    • cffi [required: >=1.1, installed: 1.13.2]
      • pycparser [required: Any, installed: 2.19]
    • six [required: >=1.4.1, installed: 1.14.0]
  • cryptography [required: >=2.5, installed: 2.8]
    • cffi [required: >=1.8,!=1.11.3, installed: 1.13.2]
      • pycparser [required: Any, installed: 2.19]
    • six [required: >=1.4.1, installed: 1.14.0]
  • pynacl [required: >=1.0.1, installed: 1.3.0]
    • cffi [required: >=1.4.1, installed: 1.13.2]
      • pycparser [required: Any, installed: 2.19]
    • six [required: Any, installed: 1.14.0]

Linux deps:
paramiko==2.7.1

  • bcrypt [required: >=3.1.3, installed: 3.1.7]
    • cffi [required: >=1.1, installed: 1.12.3]
      • pycparser [required: Any, installed: 2.19]
    • six [required: >=1.4.1, installed: 1.12.0]
  • cryptography [required: >=2.5, installed: 2.7]
    • asn1crypto [required: >=0.21.0, installed: 0.24.0]
    • cffi [required: >=1.8,!=1.11.3, installed: 1.12.3]
      • pycparser [required: Any, installed: 2.19]
    • six [required: >=1.4.1, installed: 1.12.0]
  • pynacl [required: >=1.0.1, installed: 1.1.2]
@ploxiln
Contributor

ploxiln commented Feb 1, 2020

That is a misleading exception, due to this logic in the client:

https://github.com/paramiko/paramiko/blob/2.7.1/paramiko/client.py#L674

It tries to load the keyfile with each key type, and if there is some error/exception it continues on to the next key type, but it also saves the last exception encountered. So loading your RSA key as an RSAKey had some error, and after that it tried ECDSAKey, and then Ed25519Key, and that error that was printed is from when your RSA keyfile was loaded as an Ed25519Key.

You can try running RSAKey.from_private_key_file("path/to/your/keyfile") to see what the problem with loading it as an RSAKey is.

I also notice that the version of cryptography installed is different. You could try getting both windows and linux on the same version of cryptography, just as an experiment to narrow down the issue.
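
The masking described in the comment above, and one way to see past it, as an added example that is not part of the original thread and not paramiko's own code: it reads the key file's BEGIN line and records the error from every key class instead of only the last one. The helper names are hypothetical; the paramiko key classes are looked up only if the installed version provides them.

```python
import re

# BEGIN line of a PEM-style private key, e.g. "-----BEGIN RSA PRIVATE KEY-----".
_BEGIN = re.compile(r"^-{5}BEGIN ([A-Z0-9 ]*?) ?PRIVATE KEY-{5}", re.MULTILINE)


def pem_tag(text):
    """Return the BEGIN-line tag ("RSA", "OPENSSH", "EC", "" for PKCS#8) or None."""
    m = _BEGIN.search(text)
    return m.group(1) if m else None


def try_each_loader(loaders, path, password=None):
    """Call each loader in turn and keep every failure, keyed by loader name.

    Returns (key, errors). Unlike a loop that remembers only the last
    exception, the error raised by the matching key class stays visible.
    Only exception text is recorded, never key material.
    """
    errors = {}
    for name, load in loaders:
        try:
            return load(path, password), errors
        except Exception as exc:  # diagnostic helper: record and continue
            errors[name] = "{}: {}".format(type(exc).__name__, exc)
    return None, errors


def paramiko_loaders():
    """(name, from_private_key_file) pairs for the key classes installed."""
    import paramiko  # lazy import so the helpers above work without it

    names = ("RSAKey", "DSSKey", "ECDSAKey", "Ed25519Key")
    return [(n, getattr(paramiko, n).from_private_key_file)
            for n in names if hasattr(paramiko, n)]


def diagnose(path, password=None, loaders=None):
    """Report the file's PEM tag and what each key class said about it."""
    with open(path) as fh:
        tag = pem_tag(fh.read())
    key, errors = try_each_loader(loaders or paramiko_loaders(), path, password)
    loaded_as = type(key).__name__ if key is not None else None
    return {"pem_tag": tag, "loaded_as": loaded_as, "errors": errors}
```

Calling `diagnose("path/to/your/keyfile")` on a file whose tag is `RSA` and reading the `RSAKey` entry in `errors` gives the failure that the final "expected OPENSSH key" message hides.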

@guyskk

guyskk commented May 31, 2021

I see this exception when the public key is not in the server user's authorized keys (so login failed). It's a very misleading exception.

@Micsi

Micsi commented Jun 16, 2021

It can also happen if the key has a passphrase set and the phrase is not in your ssh-agent.

Very misleading indeed ;-)

@gormux

gormux commented Jun 30, 2021

It also happens simply if you have an authentication error.
I got this exact problem when I forgot to change the username that connects to a server in the paramiko configuration (it used the local username, and not anymore).

So yeah, very misleading.

@andrew-lee-1089

I hit this today, and yeah, it's irritating.

I wonder if we can fix this by being careful in client.py about not necessarily setting saved_exception to the last exception it hit. To be honest, what is really required is adding much more granular Exception classes. Or perhaps some way to compare exceptions for their relative importance.

@doguz2509

I got this error with Ubuntu14 on AWS (kernel: 3.13.0-74-generic).
I cannot log in to the VM with paramiko, but I must use it.
Is a workaround available?

@anto155

anto155 commented Mar 29, 2022

While using an RSA key in PEM format, ssh hook/paramiko seems to expect an ed25519 type of key, as highlighted. RSA keys were working fine earlier and started having issues in the last few months. Has something changed recently? I am using version SSH-2.0-paramiko_2.9.1

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/airflow/models/taskinstance.py", line 984, in _run_raw_task
    result = task_copy.execute(context=context)
  File "/usr/local/lib/python3.7/site-packages/airflow/contrib/operators/s3_to_sftp_operator.py", line 81, in execute
    sftp_client = ssh_hook.get_conn().open_sftp()
  File "/usr/local/lib/python3.7/site-packages/airflow/contrib/hooks/ssh_hook.py", line 194, in get_conn
    client.connect(**connect_kwargs)
  File "/usr/local/airflow/.local/lib/python3.7/site-packages/paramiko/client.py", line 446, in connect
    passphrase,
  File "/usr/local/airflow/.local/lib/python3.7/site-packages/paramiko/client.py", line 766, in _auth
    raise saved_exception
  File "/usr/local/airflow/.local/lib/python3.7/site-packages/paramiko/client.py", line 679, in _auth
    key_filename, pkey_class, passphrase
  File "/usr/local/airflow/.local/lib/python3.7/site-packages/paramiko/client.py", line 588, in _key_from_filepath
    key = klass.from_private_key_file(key_path, password)
  File "/usr/local/airflow/.local/lib/python3.7/site-packages/paramiko/pkey.py", line 249, in from_private_key_file
    key = cls(filename=filename, password=password)
  File "/usr/local/airflow/.local/lib/python3.7/site-packages/paramiko/ed25519key.py", line 58, in __init__
    pkformat, data = self._read_private_key("OPENSSH", f)
  File "/usr/local/airflow/.local/lib/python3.7/site-packages/paramiko/pkey.py", line 355, in _read_private_key
    "encountered {} key, expected {} key".format(keytype, tag)
paramiko.ssh_exception.SSHException: encountered RSA key, expected OPENSSH key

@mewa

mewa commented May 16, 2022

I tested this and this behaviour was introduced in paramiko 2.9.0. A key that works fine on 2.8.1 fails on 2.9.0.

@MichaelKueller

I'm running into the same issue. I can confirm that it worked with 2.8.1 but started failing when upgrading to 2.9.0

@bitprophet
Member

Those of you having "this error" on 2.9 in particular, are likely hitting issues with RSA2 key handshaking and then (as noted by other commenters) encountering the overall problem of #387 re: the auth logic presenting misleading final errors.

If you haven't yet, please check the changelog re: the possible need to supply disabled_algorithms, and also make sure you've tried the 2.10.x line as this adds some bugfixes to the RSA2 feature area (e.g. for OpenSSH<7.8 targets).

@QGB

QGB commented Sep 12, 2022

SSHException('encountered EC key, expected OPENSSH key')

@ranjithreddyn9

I'm getting the same (encountered RSA key, expected OPENSSH key) error while creating and testing an SSH/SFTP connection profile to an AIX server from the Airflow web portal.

@sdarwin

sdarwin commented Nov 8, 2023

Hi, I just hit the error

paramiko.ssh_exception.SSHException: encountered RSA key, expected OPENSSH key

Could the source code be enhanced to be more verbose when it hits this error? If the answer is that it "seems to expect ed25519 type key", it could probably say that more clearly, about how RSA is deprecated. This is just very terse. "encountered RSA key, expected OPENSSH key".

@bskinn
Contributor

bskinn commented Nov 9, 2023

@ranjithreddyn9, @sdarwin -- this ticket is closed. Please make sure you have tried the solution indicated by bitprophet.

If that still doesn't work for you, please open new support tickets and include a reference back to this issue.

Thanks!
