Welcome to schneider’s documentation (Work in progress)!

schneider is a small package for using multiple SSH keys and SSH agents with frameworks like fabric.


schneider is in active development. There will be bugs and breaking changes.

Why schneider?

Services like GitHub and GitLab require a public SSH key if you want to pull or push code (usually the command line via SSH). Server administrators often use one key for one server, resulting in a whole bunch of keys cramped into an SSH agent. Tools like keychain provide a convenient way to load and hold your keys in a SSH agent so that a simple ssh myserver authenticates without password interaction.

But what happens if you want to use SSH from Python, e.g. via paramiko? If there are only a few keys (three to maybe five) managed by your SSH agent, then there should be no problem; authentication should work without a problem. If you have many keys loaded into the SSH agent, the authentication will probably fail. A quick look into the SSH server’s log file gives a hint: too many authentication failures. The default SSH server configuration allows three authentication failures and then the server closes the connection. But happens here? paramiko uses your SSH agent, so far so good. But then all keys will be tried for authentication! So it may happen that the key we needed for authentication will be never be reached by the agent.

One solution is to raise the number of allowed authentications on the server side, but this will raise the risk of brute force attacks. Another possibility is to restrict the number of keys a single agent manages. This idea was first developed (to my knowledge) by ssh-ident, a tool that tries to minimize the time keys were stored in memory and isolate keys for different use cases (work, home etc.).

ssh-ident wraps the normal ssh command and can create different agents and different sets of keys. The command then runs in a prepared environment that provides the specific SSH_AUTH_SOCK and SSH_AGENT_PID variables according to the use case.


schneider takes this idea of isolating keys and agents and provides two small classes, schneider.agent.SSHAgent and schneider.manager.Manager. The first one handles the creation of an ssh-agent process and adding keys to it, the later can “activate” an instance of SSHAgent to provide the required environment variables for paramiko (or fabric) to connect to a specific server.

What’s that odd name?

schneider is the german word for tailor or dressmaker. schneider was developed because I wanted to use the fabric framework to ease the my daily work as a sysadmin. And fabric is used by tailors to make nice clothes, so…

Indices and Tables

Icon made from Icon Fonts is licensed by CC BY 3.0.