Using public/private keys for authentication
So far, we have always used a username/password combination to connect to our device. This is not the most secure way, however, and many security policies advocate using public-private key pairs instead of a static password.
In this recipe, you will see how to programmatically open an SSH connection using a password-protected private key.
Getting ready
Open your code editor and start by creating a file called key_file.py. Next, navigate your terminal to the same directory that you just created the key_file.py file in.
You'll also need a password-protected private key for the device/server you are trying to connect to and have the device/server configured to allow or require key-based logins.
How to do it...
Let's start by importing the required libraries, define our new connection details, and finally open up a connection using key-based authentication:
- Import the Paramiko library:
from paramiko.client import SSHClient
- Specify the host and username. You can name these variables however you like. In the Python community, it has become a standard to uppercase these global variables. Instead of the device password, we will now need two new variables – the path to the private key file that we want to use to authenticate and the password for that private key file:
SSH_USER = "<Insert your ssh user here>" SSH_HOST = "<Insert the IP/host of your device/server here>" SSH_PORT = 22 # Change this if your SSH port is different SSH_KEY = "<Insert the name of your private key here>" SSH_KEY_PASSWORD = "<Insert the password here>"
- Create an
SSHClientobject, which we just imported from Paramiko:client = SSHClient()
- While we have created our client object, we have not yet connected to the device. We will use the
connectmethod of the client object to do so. Before actually connecting, we will still need to make sure that our client knows the host keys:client.load_system_host_keys() client.connect(SSH_HOST, port=SSH_PORT, username=SSH_USER, look_for_keys=True, key_filename=SSH_KEY, passphrase=SSH_KEY_PASSWORD)
- As seen before, we can now execute a command once the connection is established:
stdin, stdout, stderr = client.exec_command('<your command>') - Finally, we need to close the connection:
client.close()
- To run this script, go to your terminal and execute it with this:
python3 key_file.py
How it works...
In this example, we use Paramiko's ability to load RSA keys for authentication to avoid using a username/password combination for authentication.
We need to import the same packages we have used before. The difference lies in the parameters that we pass to the connect function. Instead of specifying a password, we specify the name of our ssh key. The library will then, as indicated by setting the look_for_keys flag to true, search common places such as ~/.ssh for keys and match them with the name provided. The passphrase argument is used to provide the passphrase used to decode the private key. If your private key does not have a passphrase, you can omit this argument.
Once the connection is established, we can use the client in the same way as we did before, when dealing with username-password authentication.
There's more...
In the preceding example, we relied on the key file being present in one of the known paths. Sometimes you might want to explicitly specify the path you are loading a key file from. You can do so by, instead of just specifying the filename in the key_filename attribute, specifying the entire path where Paramiko can find your private key.
For example, if your private key is in /home/user/my_keys/id_rsa, you could modify the preceding example like so:
SSH_KEY = "/home/user/my_keys/id_rsa"
If you want to connect to different devices and have multiple keys, one for each device, you can also pass a list of key names or paths to ssh keys to the key_filename attribute:
SSH_KEY = [ "/home/user/my_keys/device_1", "/home/user/my_keys/device_2", "/home/user/my_keys/device_3" ]
Paramiko will then try out all the keys in the provided list for each device you are connecting to.