Not a valid OPENSSH private key file
You try to automate WordPress maintenance via SSH. You get this error: SSHException: not a valid OPENSSH private key file.
You checked your key file. It looks correct. The problem is not your key. The problem is the library.
Paramiko fails when it meets keys outside the OpenSSH format. Hosting providers and tools produce many different formats. Paramiko often rejects them.
We built a compatibility layer to handle seven different formats:
- OpenSSH new format
- PKCS#1 RSA
- SEC 1 EC
- PKCS#8 plain
- PKCS#8 encrypted
- Legacy PEM encrypted
- PuTTY .ppk (v2 and v3)
Paramiko handles OpenSSH and PKCS#1. It fails on PKCS#8 and .ppk files. For example, Sakura Internet produces ECDSA with PKCS#8. Paramiko rejects this immediately.
Our solution uses a detect, normalize, and hand-off approach.
- Detect: The system looks at the first bytes and PEM headers to find the format.
- Normalize: We use the cryptography library to read the key. We then rewrite it as an OpenSSH-compatible PEM.
- Hand-off: Paramiko receives the key. To Paramiko, it always looks like the standard OpenSSH format.
We wrote a custom parser for PuTTY .ppk files. This keeps the code light. It avoids extra dependencies that increase binary size.
We also fixed the error messages. Vague errors cause support tickets. We now provide three pieces of data when a failure happens:
- What format arrived.
- What formats we accept.
- What you should do next.
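An added example, not the authors' code: the detect and normalize steps together with the three-part error message described above, in Python. The names `detect_format`, `normalize_to_openssh` and `KeyFormatError` are hypothetical, the `cryptography` package is assumed to be installed for the normalize step, and the .ppk parser and the Paramiko hand-off are not covered.

```python
# Added example; function and class names are hypothetical, not from the original post.
import re

PEM_LABELS = {  # PEM header label -> format name used on this page
    "OPENSSH PRIVATE KEY": "OpenSSH new format",
    "RSA PRIVATE KEY": "PKCS#1 RSA",
    "EC PRIVATE KEY": "SEC 1 EC",
    "PRIVATE KEY": "PKCS#8 plain",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted",
}
ACCEPTED = list(PEM_LABELS.values()) + ["Legacy PEM encrypted", "PuTTY .ppk (v2 and v3)"]

class KeyFormatError(ValueError):
    """Says what arrived, what is accepted, and what to do next."""
    def __init__(self, arrived, next_step):
        super().__init__(f"Got {arrived}. Accepted formats: {', '.join(ACCEPTED)}. "
                         f"Next step: {next_step}")

def detect_format(data: bytes) -> str:
    """Classify a private key by its first bytes and PEM header."""
    text = data.decode("utf-8", "replace").lstrip()
    ppk = re.match(r"PuTTY-User-Key-File-(\d+):", text)
    if ppk and ppk.group(1) in ("2", "3"):
        return f"PuTTY .ppk v{ppk.group(1)}"
    if ppk:
        raise KeyFormatError(f"PuTTY .ppk v{ppk.group(1)}", "re-save the key as .ppk v2 or v3")
    if text.startswith(("ssh-", "ecdsa-sha2-")):
        raise KeyFormatError("an OpenSSH public key", "supply the private key, not the .pub file")
    pem = re.match(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
    if not pem or pem.group(1) not in PEM_LABELS:
        arrived = f"PEM block '{pem.group(1)}'" if pem else "no PEM or PuTTY header"
        raise KeyFormatError(arrived, "export the private key in an accepted format")
    label = pem.group(1)
    # Legacy (pre-PKCS#8) encryption keeps the plain label and adds a Proc-Type header.
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in text:
        return "Legacy PEM encrypted"
    return PEM_LABELS[label]

def normalize_to_openssh(data: bytes, password=None) -> bytes:
    """Re-serialize a PEM-based key as an OpenSSH private key (PuTTY .ppk not covered)."""
    from cryptography.hazmat.primitives import serialization as ser  # third-party package
    fmt = detect_format(data)
    if fmt.startswith("PuTTY"):
        raise NotImplementedError(".ppk needs a dedicated parser, not shown here")
    load = ser.load_ssh_private_key if fmt == "OpenSSH new format" else ser.load_pem_private_key
    key = load(data, password)
    # The result is unencrypted: keep it in memory for the hand-off, never write it to disk.
    return key.private_bytes(ser.Encoding.PEM, ser.PrivateFormat.OpenSSH, ser.NoEncryption())
```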
A library's limits disappear when you build an absorbing layer in front of it. This layer makes different formats look identical to your application.