[paramiko] how to verify a public key?

Dwayne Litzenberger dwayne at oscl.ca
Thu Apr 17 09:26:03 PDT 2008


On April 17, 2008 01:10:09 am larry price wrote:
> I want to take a string of text and determine if it is or is not a
> valid (well-formed) dsa or rsa public key and then hash it for
> comparison.
>
> I also want to be able to do elementary repair (stripping whitespace
> and illegal chars out of the text blob) to deal with broken email
> clients or cut and paste strangeness.
[snip]
> I assume that somewhere in the server components you do something that
> looks like parsing an authorized_keys file. Where is that spot?

Paramiko doesn't support OpenSSH's authorized_keys file format directly, 
though the building blocks are there.  I did it (without support for option 
specifications) in 18 lines:

# =============================================
import paramiko
import base64

def get_authorized_keys(file):
    """Yield a paramiko key object for each usable line of an authorized_keys file.

    Option specifications (from="...", no-pty, ...) are not handled; lines that
    do not parse as a bare "<type> <base64> [comment]" entry are skipped.
    """
    for rawline in file:
        line = rawline.strip()
        if line == "" or line.startswith("#"):
            continue
        try:
            # Pad to three fields so a missing comment does not break the unpack.
            (keytype, b64key, comment) = (line.split(" ", 2) + [''] * 3)[:3]
            # base64.decodestring() was removed in Python 3.9; b64decode() is the replacement.
            if keytype == 'ssh-rsa':
                yield paramiko.RSAKey(data=base64.b64decode(b64key))
            elif keytype == 'ssh-dss':
                yield paramiko.DSSKey(data=base64.b64decode(b64key))
            else:
                raise ValueError("Unknown key type %r" % (keytype,))
        except (ValueError, paramiko.SSHException):
            # Bad base64 (binascii.Error is a ValueError) or a blob paramiko rejects: skip the line.
            continue
# =============================================

As for stripping whitespace, invalid chars, etc, if you can determine whether 
the key is RSA or DSS (which is indicated in plain ASCII in the file, and 
also encoded into the base64 message block), and you can get the 
base64-encoded message block, then Python's base64 decoder will happily skip 
any invalid characters.

Regarding hashing the key, once you have a paramiko.RSAKey or paramiko.DSSKey 
object, you can call .get_fingerprint() to get an MD5 hash of the key.  Or, 
if you want a different hash function, you can do something like 
SHA256.new(str(pk)).digest().

-- 
Dwayne Litzenberger, B.A.Sc.
Information Technology Analyst

Open Systems Canada Limited
#210 - 2332 11th Ave
Regina, SK S4P0K1
Office: (306) 359-OSCL (6725)
http://www.oscl.ca/
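A standard-library-only version of the well-formedness checks and hashing discussed above, added here as an example that is not from the original post nor from paramiko: it parses one public-key line, decodes the base64 strictly (or, with repair=True, after dropping stray bytes a mail client may have injected), confirms the key type embedded in the blob matches the one written outside it, walks the SSH wire-format fields so truncation is caught, and emits an OpenSSH-style fingerprint. The names parse_pubkey_line, is_valid and fingerprint are my own, and SAMPLE_BLOB is a constructed toy key, not a real RSA modulus.

```python
import base64
import hashlib
import re

_NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")  # anything outside the base64 alphabet is mail debris

def _read_string(buf, off):
    """Read one SSH wire-format field (uint32 big-endian length, then bytes); return (field, new offset)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or off + 4 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line, repair=False):
    """Return (keytype, blob, comment); repair=True first drops stray non-base64 bytes from the blob."""
    keytype, b64, comment = (line.strip().split(None, 2) + ["", ""])[:3]
    b64 = b64.encode("ascii", "ignore")
    if repair:
        b64 = _NOT_B64.sub(b"", b64)
    blob = base64.b64decode(b64, validate=True)  # strict; the default decoder silently skips junk
    inner_type, off = _read_string(blob, 0)      # the type name is repeated inside the blob
    if inner_type != keytype.encode():
        raise ValueError("type inside blob %r does not match %r" % (inner_type, keytype))
    nfields = 0
    while off < len(blob):                       # walk the rest so a truncated blob is caught
        _, off = _read_string(blob, off)
        nfields += 1
    if nfields != {"ssh-rsa": 2, "ssh-dss": 4}.get(keytype, nfields):  # (e, n) or (p, q, g, y)
        raise ValueError("%s blob carries %d fields" % (keytype, nfields))
    return keytype, blob, comment

def is_valid(line, repair=False):
    try:
        parse_pubkey_line(line, repair)
        return True
    except ValueError:
        return False

def fingerprint(blob, algo="sha256"):
    """OpenSSH-style fingerprint of the raw blob, e.g. SHA256:<unpadded base64 digest>."""
    digest = hashlib.new(algo, blob).digest()
    return "%s:%s" % (algo.upper(), base64.b64encode(digest).decode().rstrip("="))

def _mpint(n):  # SSH mpint: length-prefixed big-endian bytes; the extra byte keeps the sign bit clear
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return len(raw).to_bytes(4, "big") + raw

# Constructed sample: a hypothetical key whose numbers are not a real RSA modulus; only the layout matters.
SAMPLE_BLOB = len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + _mpint(65537) + _mpint(0xC0FFEE)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " larry@example.org"
```

Hashing the raw blob, as fingerprint() does, is what OpenSSH's ssh-keygen -l fingerprints, so the SHA256 value is directly comparable with what a user sees on their own machine.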