How to add the host's public key file (.pub) to a SFTP connection using Python?

Question

I have written a simple program which connects to the host's SFTP site successfully and can retrieve files.

import pysftp

cnopts = pysftp.CnOpts()
cnopts.hostkeys = None   

srv = pysftp.Connection(host=FTP_SITE, username=DOWNLOAD['USERNAME'], 
                        password=DOWNLOAD['PASSWORD'], cnopts=cnopts)
data = srv.listdir()

file_get = srv.get(get_file, localpath='C:/Users/Me/Desktop/test.csv')

I have not been able to add the host's public key to the SFTP connection though. I have a host public key file in this format:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "Created by Ipswitch WS_FTP Pro"
AAAAB3NzaC1kc3MAAACBAMtINmL43m2CttyjDfHDWNJT9C+ik1OTgJSB5WRpw0G
i0HdYSrJqjUvDQhwCzbt7JRX2V9yCO9xlieUzbkDLSJ7Y8a5g5G4A1FsFEXS1kf
yZuOLBSXxs3+ibTXTMmkAyXq0FzapW6Oka6OvZW1aGfHeBbUADueJnXhyyw1+UL
1uVAAAAFQClKT+RhjhgDGbbLxl1cROQRTaoJwAAAIEAqiAV9hTPrcH6lXBb2GVz
R8TLIchLSOweOme+RK5WqN9sEPgxoo7s3xoXDzv3KJtuPAx7XRvJ/4jdcgbpQLe
1scm9LtczccG/lC583pa7WD9SUbx6mDVe8BbtHfFrp24JIkqaD47iZDYxozi8Ob
As+vny9AcfKgBbjqyTcOYVKkMAAACBALBk3DPcUCxzGXqhgi4fwyv+ze8beyGxv
2uXM1LgLjwdIRcojqZhyziDcUaRXeIlUYVFC/nC+mTItpuveZMj4xZSPyTlfxjl
E36zkbdbSGvNbvO+jP1qupp2fRDWiRSrMr0MBUzFltIocVlcXMXEl/NfEm5h6vu
BWyWQVKtaEPV0
---- END SSH2 PUBLIC KEY ----

Does anyone know the proper method to add the host's public key? I have already checked the documentation for pysftp https://pysftp.readthedocs.io/en/release_0.2.9/ and other tutorials http://www.pythonforbeginners.com/modules-in-python/python-secure-ftp-module with no luck.

---

Edit: I tried the suggestion from Martin Prikryl. I first formatted the key file to the format

sftp.hostsite.com ssh-rsa AAAAB3NzaC1k...m5h6vuBWyWAAAAB3Nz

I then tried modifying the code to:

key_file = 'host_site_key.pub'
cnopts = pysftp.CnOpts()
cnopts.hostkeys.load(path_to_key_file + key_file)
srv = pysftp.Connection(host=SFTP_SITE, username=DOWNLOAD['USERNAME'], 
                    password=DOWNLOAD['PASSWORD'], cnopts=cnopts)

However, I get the following stack trace

SSHException                              Traceback (most recent call last)
<ipython-input-8-52797202ff65> in <module>()
      3 
      4 srv = pysftp.Connection(host=SFTP_SITE, username=DOWNLOAD['USERNAME'], 
----> 5                         password=DOWNLOAD['PASSWORD'], cnopts=cnopts)
      6 data = srv.listdir()

C:\Users\Alex\Anaconda2\lib\site-packages\pysftp\__init__.pyc in __init__(self, host, username, private_key, password, port, private_key_pass, ciphers, log, cnopts, default_path)
    130         # check that we have a hostkey to verify
    131         if self._cnopts.hostkeys is not None:
--> 132             self._tconnect['hostkey'] = self._cnopts.get_hostkey(host)
    133 
    134         self._sftp_live = False

C:\Users\Alex\Anaconda2\lib\site-packages\pysftp\__init__.pyc in get_hostkey(self, host)
     69         kval = self.hostkeys.lookup(host)  # None|{keytype: PKey}
     70         if kval is None:
---> 71             raise SSHException("No hostkey for host %s found." % host)
     72         # return the pkey from the dict
     73         return list(kval.values())[0]

SSHException: No hostkey for host sftp.hostsite.com found.

---

I also tried the second suggestion, where I hard coded the key as a byte string and then loaded it as a RSAkey but still no luck.

key_hardcode_rsa = b'AAAAB3NzaC1k...AAB3Nz'
key = paramiko.RSAKey(data=bytes.decode(key_hardcode_rsa))

SSHException                              Traceback (most recent call last)
<ipython-input-29-f3a4ae42127d> in <module>()
----> 1 key = paramiko.RSAKey(data=bytes.decode(key_hardcode_rsa))

C:\Users\Alex\Anaconda2\lib\site-packages\paramiko\rsakey.pyc in __init__(self, msg, data, filename, password, key, file_obj)
     54                 raise SSHException('Key object may not be empty')
     55             if msg.get_text() != 'ssh-rsa':
---> 56                 raise SSHException('Invalid key')
     57             self.key = rsa.RSAPublicNumbers(
     58                 e=msg.get_mpint(), n=msg.get_mpint()

SSHException: Invalid key

---

I went to the source code of paramiko here https://github.com/enjrolas/lumenToy/tree/master/env/lib/python2.7/site-packages/paramiko.

def __init__(self, msg=None, data=None, filename=None, password=None, vals=None, file_obj=None):
    self.n = None
    self.e = None
    self.d = None
    self.p = None
    self.q = None
    if file_obj is not None:
        self._from_private_key(file_obj, password)
        return
    if filename is not None:
        self._from_private_key_file(filename, password)
        return
    if (msg is None) and (data is not None):
        msg = Message(data)
    if vals is not None:
        self.e, self.n = vals
    else:
        if msg is None:
            raise SSHException('Key object may not be empty')
        if msg.get_text() != 'ssh-rsa':
            raise SSHException('Invalid key')
        self.e = msg.get_mpint()
        self.n = msg.get_mpint()
    self.size = util.bit_length(self.n)

def get_text(self):
    """
    Fetch a string from the stream.  This could be a byte string and may
    contain unprintable characters.  (It's not unheard of for a string to
    contain another byte-stream Message.)
    @return: a string.
    @rtype: string
    """
    return u(self.get_bytes(self.get_int()))

def get_bytes(self, n):
    """
    Return the next ``n`` bytes of the message (as a `str`), without
    decomposing into an int, decoded string, etc.  Just the raw bytes are
    returned. Returns a string of ``n`` zero bytes if there weren't ``n``
    bytes remaining in the message.
    """
    b = self.packet.read(n)
    max_pad_size = 1 << 20  # Limit padding to 1 MB
    if len(b) < n < max_pad_size:
        return b + zero_byte * (n - len(b))
    return b

def get_int(self):
    """
    Fetch an int from the stream.
    @return: a 32-bit unsigned integer.
    @rtype: int
    """
    return struct.unpack('>I', self.get_bytes(4))[0]

So the source code shows msg is an object created from the data parameter, which is the RSA key byte string passed in. How do I format my key so the paramiko.message.get_text function will return 'ssh-rsa'?

Answer 1

See Verify host key with pysftp.

---

In addition to my answer from the above question, you need to know that your key is ssh-dss (DSSKey), not ssh-rsa (RSAKey).

I also do not understand, where you got the ...m5h6vuBWyWAAAAB3Nz from. There's no such sequence in your .pub file.

Your entry should be like:

sftp.hostsite.com ssh-dss AAAAB3NzaC1kc3MAAACBAMtINmL43m2CttyjDfHDWNJT9C+ik1OTgJSB5WRpw0Gi0HdYSrJqjUvDQhwCzbt7JRX2V9yCO9xlieUzbkDLSJ7Y8a5g5G4A1FsFEXS1kfyZuOLBSXxs3+ibTXTMmkAyXq0FzapW6Oka6OvZW1aGfHeBbUADueJnXhyyw1+UL1uVAAAAFQClKT+RhjhgDGbbLxl1cROQRTaoJwAAAIEAqiAV9hTPrcH6lXBb2GVzR8TLIchLSOweOme+RK5WqN9sEPgxoo7s3xoXDzv3KJtuPAx7XRvJ/4jdcgbpQLe1scm9LtczccG/lC583pa7WD9SUbx6mDVe8BbtHfFrp24JIkqaD47iZDYxozi8ObAs+vny9AcfKgBbjqyTcOYVKkMAAACBALBk3DPcUCxzGXqhgi4fwyv+ze8beyGxv2uXM1LgLjwdIRcojqZhyziDcUaRXeIlUYVFC/nC+mTItpuveZMj4xZSPyTlfxjlE36zkbdbSGvNbvO+jP1qupp2fRDWiRSrMr0MBUzFltIocVlcXMXEl/NfEm5h6vuBWyWQVKtaEPV0