SSH Agent interface
class paramiko.agent.Agent
Client interface for using private keys from an SSH agent running on the
local machine. If an SSH agent is running, this class can be used to
connect to it and retrieve PKey
objects which can be used when
attempting to authenticate to remote SSH servers.
Upon initialization, a session with the local machine's SSH agent is
opened, if one is running. If no agent is running, initialization will
succeed, but get_keys
will return an empty tuple.
SSHException
--
if an SSH agent is found, but speaks an incompatible protocolclose()
Close the SSH agent connection.
get_keys()
Return the list of keys available through the SSH agent, if any. If no SSH agent was running (or it couldn't be contacted), an empty list will be returned.
AgentKey
objects representing keys available on the
SSH agentclass paramiko.agent.AgentClientProxy(chanRemote)
Class proxying request as a client:
- client ask for a request_forward_agent()
- server creates a proxy and a fake SSH Agent
- server ask for establishing a connection when needed, calling the forward_agent_handler at client side.
- the forward_agent_handler launch a thread for connecting the remote fake agent and the local agent
- Communication occurs ...
close()
Close the current connection and terminate the agent Should be called manually
connect()
Method automatically called by AgentProxyThread.run
.
class paramiko.agent.AgentKey(agent, blob)
Private key held in a local SSH agent. This type of key can be used for authenticating to a remote server (signing). Most other key operations work as expected.
can_sign()
Return True
if this key has the private part necessary for signing
data.
from_private_key(file_obj, password=None)
Create a key object by reading a private key from a file (or file-like)
object. If the private key is encrypted and password
is not
None
, the given password will be used to decrypt the key (otherwise
PasswordRequiredException
is thrown).
- file_obj -- the file-like object to read from
- password (
str
) -- an optional password to use to decrypt the key, if it's encrypted
PKey
based on the given private keyIOError
-- if there was an error reading the keySSHException
-- if the key file is invalidfrom_private_key_file(filename, password=None)
Create a key object by reading a private key file. If the private
key is encrypted and password
is not None
, the given password
will be used to decrypt the key (otherwise PasswordRequiredException
is thrown). Through the magic of Python, this factory method will
exist in all subclasses of PKey (such as RSAKey
or DSSKey
), but
is useless on the abstract PKey class.
PKey
based on the given private keyIOError
-- if there was an error reading the fileSSHException
-- if the key file is invalidget_base64()
Return a base64 string containing the public part of this key. Nothing secret is revealed. This format is compatible with that used to store public key files or recognized host keys.
string
containing the public part of the key.get_bits()
Return the number of significant bits in this key. This is useful for judging the relative security of a key.
int
)get_fingerprint()
Return an MD5 fingerprint of the public part of this key. Nothing secret is revealed.
string
(binary) of the MD5 fingerprint, in SSH
format.load_certificate(value)
Supplement the private key contents with data loaded from an OpenSSH
public key (.pub
) or certificate (-cert.pub
) file, a string
containing such a file, or a Message
object.
The .pub contents adds no real value, since the private key file includes sufficient information to derive the public key info. For certificates, however, this can be used on the client side to offer authentication requests to the server based on certificate instead of raw public key.
See: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
Note: very little effort is made to validate the certificate contents, that is for the server to decide if it is good enough to authenticate successfully.
verify_ssh_sig(data, msg)
Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key.
write_private_key(file_obj, password=None)
Write private key contents into a file (or file-like) object. If the
password is not None
, the key is encrypted before writing.
- file_obj -- the file-like object to write into
- password (
str
) -- an optional password to use to encrypt the key
IOError
-- if there was an error writing to the fileSSHException
-- if the key is invalidwrite_private_key_file(filename, password=None)
Write private key contents into a file. If the password is not
None
, the key is encrypted before writing.
IOError
-- if there was an error writing the fileSSHException
-- if the key is invalidclass paramiko.agent.AgentLocalProxy(agent)
Class to be used when wanting to ask a local SSH Agent being asked from a remote fake agent (so use a unix socket for ex.)
daemon
A boolean value indicating whether this thread is a daemon thread (True) or not (False).
This must be set before start() is called, otherwise RuntimeError is raised. Its initial value is inherited from the creating thread; the main thread is not a daemon thread and therefore all threads created in the main thread default to daemon = False.
The entire Python program exits when no alive non-daemon threads are left.
get_connection()
Return a pair of socket object and string address.
May block!
ident
Thread identifier of this thread or None if it has not been started.
This is a nonzero integer. See the thread.get_ident() function. Thread identifiers may be recycled when a thread exits and another thread is created. The identifier is available even after the thread has exited.
isAlive()
Return whether the thread is alive.
This method returns True just before the run() method starts until just after the run() method terminates. The module function enumerate() returns a list of all alive threads.
is_alive()
Return whether the thread is alive.
This method returns True just before the run() method starts until just after the run() method terminates. The module function enumerate() returns a list of all alive threads.
join(timeout=None)
Wait until the thread terminates.
This blocks the calling thread until the thread whose join() method is called terminates -- either normally or through an unhandled exception or until the optional timeout occurs.
When the timeout argument is present and not None, it should be a floating point number specifying a timeout for the operation in seconds (or fractions thereof). As join() always returns None, you must call isAlive() after join() to decide whether a timeout happened -- if the thread is still alive, the join() call timed out.
When the timeout argument is not present or None, the operation will block until the thread terminates.
A thread can be join()ed many times.
join() raises a RuntimeError if an attempt is made to join the current thread as that would cause a deadlock. It is also an error to join() a thread before it has been started and attempts to do so raises the same exception.
name
A string used for identification purposes only.
It has no semantics. Multiple threads may be given the same name. The initial name is set by the constructor.
start()
Start the thread's activity.
It must be called at most once per thread object. It arranges for the object's run() method to be invoked in a separate thread of control.
This method will raise a RuntimeError if called more than once on the same thread object.
class paramiko.agent.AgentProxyThread(agent)
Class in charge of communication between two channels.
daemon
A boolean value indicating whether this thread is a daemon thread (True) or not (False).
This must be set before start() is called, otherwise RuntimeError is raised. Its initial value is inherited from the creating thread; the main thread is not a daemon thread and therefore all threads created in the main thread default to daemon = False.
The entire Python program exits when no alive non-daemon threads are left.
ident
Thread identifier of this thread or None if it has not been started.
This is a nonzero integer. See the thread.get_ident() function. Thread identifiers may be recycled when a thread exits and another thread is created. The identifier is available even after the thread has exited.
isAlive()
Return whether the thread is alive.
This method returns True just before the run() method starts until just after the run() method terminates. The module function enumerate() returns a list of all alive threads.
is_alive()
Return whether the thread is alive.
This method returns True just before the run() method starts until just after the run() method terminates. The module function enumerate() returns a list of all alive threads.
join(timeout=None)
Wait until the thread terminates.
This blocks the calling thread until the thread whose join() method is called terminates -- either normally or through an unhandled exception or until the optional timeout occurs.
When the timeout argument is present and not None, it should be a floating point number specifying a timeout for the operation in seconds (or fractions thereof). As join() always returns None, you must call isAlive() after join() to decide whether a timeout happened -- if the thread is still alive, the join() call timed out.
When the timeout argument is not present or None, the operation will block until the thread terminates.
A thread can be join()ed many times.
join() raises a RuntimeError if an attempt is made to join the current thread as that would cause a deadlock. It is also an error to join() a thread before it has been started and attempts to do so raises the same exception.
name
A string used for identification purposes only.
It has no semantics. Multiple threads may be given the same name. The initial name is set by the constructor.
start()
Start the thread's activity.
It must be called at most once per thread object. It arranges for the object's run() method to be invoked in a separate thread of control.
This method will raise a RuntimeError if called more than once on the same thread object.
class paramiko.agent.AgentRemoteProxy(agent, chan)
Class to be used when wanting to ask a remote SSH Agent
daemon
A boolean value indicating whether this thread is a daemon thread (True) or not (False).
This must be set before start() is called, otherwise RuntimeError is raised. Its initial value is inherited from the creating thread; the main thread is not a daemon thread and therefore all threads created in the main thread default to daemon = False.
The entire Python program exits when no alive non-daemon threads are left.
ident
Thread identifier of this thread or None if it has not been started.
This is a nonzero integer. See the thread.get_ident() function. Thread identifiers may be recycled when a thread exits and another thread is created. The identifier is available even after the thread has exited.
isAlive()
Return whether the thread is alive.
This method returns True just before the run() method starts until just after the run() method terminates. The module function enumerate() returns a list of all alive threads.
is_alive()
Return whether the thread is alive.
This method returns True just before the run() method starts until just after the run() method terminates. The module function enumerate() returns a list of all alive threads.
join(timeout=None)
Wait until the thread terminates.
This blocks the calling thread until the thread whose join() method is called terminates -- either normally or through an unhandled exception or until the optional timeout occurs.
When the timeout argument is present and not None, it should be a floating point number specifying a timeout for the operation in seconds (or fractions thereof). As join() always returns None, you must call isAlive() after join() to decide whether a timeout happened -- if the thread is still alive, the join() call timed out.
When the timeout argument is not present or None, the operation will block until the thread terminates.
A thread can be join()ed many times.
join() raises a RuntimeError if an attempt is made to join the current thread as that would cause a deadlock. It is also an error to join() a thread before it has been started and attempts to do so raises the same exception.
name
A string used for identification purposes only.
It has no semantics. Multiple threads may be given the same name. The initial name is set by the constructor.
start()
Start the thread's activity.
It must be called at most once per thread object. It arranges for the object's run() method to be invoked in a separate thread of control.
This method will raise a RuntimeError if called more than once on the same thread object.
class paramiko.agent.AgentRequestHandler(chanClient)
Primary/default implementation of SSH agent forwarding functionality.
Simply instantiate this class, handing it a live command-executing session object, and it will handle forwarding any local SSH agent processes it finds.
For example:
# Connect
client = SSHClient()
client.connect(host, port, username)
# Obtain session
session = client.get_transport().open_session()
# Forward local agent
AgentRequestHandler(session)
# Commands executed after this point will see the forwarded agent on
# the remote end.
session.exec_command("git clone https://my.git.repository/")
class paramiko.agent.AgentServerProxy(t)
Transport
) -- Transport used for SSH Agent communication forwardingSSHException
-- mostly if we lost the agentclose()
Terminate the agent, clean the files, close connections Should be called manually
get_env()
Helper for the environnement under unix
SSH_AUTH_SOCK
environnement variablesget_keys()
Return the list of keys available through the SSH agent, if any. If no SSH agent was running (or it couldn't be contacted), an empty list will be returned.
AgentKey
objects representing keys available on the
SSH agent