I have the following code:
ssh_key = paramiko.RSAKey.from_private_key_file(key_filename)
the key looks like this:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAqdgmJ2AQlmvpCsDWjbpIvIrx4AwtKn2t10wmGZIN9pqcJgQpo3HD
and is valid:
$ ssh-keygen -l -f <mykeyfile>
$ 2048 SHA256:x8jlUAObU3q2KXRtuGpxwhnGvB/ZoeD2IUqSA1OkCmI thomas@Thomas-MBP-2017 (RSA)
but I get the following error:
not a valid RSA private key file
This is on MacOS, Python 2.7, Paramiko 2.4.2
What am I doing wrong?
For OpenSSH 7.8 up, you have to trick it. Run ssh-keygen -p [-f file] -m pem to purportedly change passphrase, but reuse the old one. Use -P oldpw -N newpw if you want to avoid the prompts, as in a script, but be careful of making your passphrase visible to other users. As a side effect this rewrites the keyfile (if not ed25519) in 'old' (OpenSSL-compatible and thus paramiko-compatible) format. (If you want to keep the new-format file, copy first.)
For older versions of OpenSSH just do ssh-keygen -p [-f file] WITHOUT -o.
Also, if you have (or get) it, the puttygen utility in the PuTTY suite from 0.69 up supports this format. In the Unix version, just do puttygen newfmtfile -O private-openssh -o oldfmtfile (again excepting ed25519). In the Windows version AFAICT you must use the GUI; load the newfmtfile and do Conversions / Export OpenSSH key.
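A pre-flight check for the situation in the question, added here as an example and not part of either post: it reads the key file's header to tell the new openssh-key-v1 container from the old PEM format before the file is handed to paramiko, and applies the answer's rule that ed25519 keys cannot be rewritten. The function names, the return tags and the constructed sample (dummy key material) are assumptions of this example.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
PEM_TYPES = {"RSA PRIVATE KEY": "ssh-rsa", "DSA PRIVATE KEY": "ssh-dss"}

def _read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length + bytes), bounds-checked."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def inspect_private_key(text):
    """Report container format, key type and encryption status from the file header."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        raise ValueError("no BEGIN line")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label != "OPENSSH PRIVATE KEY":  # old OpenSSL-style PEM, what paramiko 2.4.2 expects
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return {"format": "pem", "key_type": PEM_TYPES.get(label, label), "encrypted": enc}
    blob = base64.b64decode("".join(ln for ln in lines[1:] if not ln.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    _kdf, off = _read_string(blob, off)
    _kdf_options, off = _read_string(blob, off)
    public_blob, _ = _read_string(blob, off + 4)  # skip uint32 key count
    key_type, _ = _read_string(public_blob, 0)
    return {"format": "openssh-key-v1", "key_type": key_type.decode("ascii"),
            "encrypted": cipher != b"none"}

def conversion_advice(info):
    """The answer's rule: new-format keys need an ssh-keygen -p rewrite, except ed25519."""
    if info["format"] == "pem":
        return "pem-ok"
    return "ed25519-no-pem" if info["key_type"] == "ssh-ed25519" else "convert"

def constructed_sample(key_type=b"ssh-rsa"):
    """Constructed, unencrypted container with dummy key material (not a usable key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    public_blob = s(key_type) + s(b"\x01\x00\x01") + s(b"\x00" * 8)
    blob = (MAGIC + s(b"none") + s(b"none") + s(b"") + struct.pack(">I", 1)
            + s(public_blob) + s(b"\x00" * 16))
    body = base64.b64encode(blob).decode("ascii")
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body
```

Only the cleartext header fields are read, so the check needs no passphrase and never decodes the private section.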