117

So a while ago I set up a server on AWS, and used their generated SSH key. I saved the key to Lastpass, and have successfully retrieved it from there before, and got it working. However, after trying that again today, I can't get it to work.

-rw------- 1 itsgreg users 1674 Jun 6 12:51 key_name

I've tried ssh -i key_name, ssh-keygen -f key_name, but nothing works, I always get this error message:

Load key "key_name": invalid format

Is there any way to fix this?

Gregor Menih
  • 1,273
  • 2
  • 8
  • 5
  • just noticed something: it should be chmoded 0400 (read-only). It looks like it's not here, since user has the write privilege. – pixeline May 22 '20 at 15:27

31 Answers31

74

Starting openssh 7.6, it defaults to a new more secure format. You can force it to convert to that format using the commands below to change your key password. In case you don't have and/or don't want a password, you can simply press enter and it will still rewrite the key in the new format

ssh-keygen -f ~/.ssh/id_rsa -p
kim0
  • 1,130
  • 7
  • 7
56

I had the same issue, and it turns out I had Windows-style (CRLF) line separators in the file for some reason.

In addition, the file must end with a single LF.

Fixing those made things dandy again.

AKX
  • 663
  • 5
  • 7
47

Check the contents of key_name, if the agent says invalid format, then there's something wrong with the key - like .. are you sure that's the correct key? Even if it's not the private key you need, the ssh agent won't return invalid format if the key is working, you simply won't be able to connect. You might have placed your public key in there, for some reason. Check it!

13dimitar
  • 2,360
  • 1
  • 12
  • 15
  • 23
    Definitely checked. Starts with `----BEGIN RSA PRIVATE KEY-----` and ends with `-----END RSA PRIVATE KEY-----`. Plus it used to work. – Gregor Menih Jun 06 '17 at 12:35
  • 4
    A highly unlikely, but still possible, is that the file is corrupted. Create a new one and populate the contents again from lastpass. – 13dimitar Jun 06 '17 at 12:43
  • 15
    Wow, that actually helped! After generating the new key, I noticed that the new key had 64 characters per line whereas my old key had 76. I reformatted my old key to only have 64 characters per line, then it started working! I was also missing one dash from the first line. – Gregor Menih Jun 06 '17 at 12:57
  • 4
    "I was also missing one dash from the first line." Ditto. Thank you @ItsGreg for that. I miss the first character so often when selecting and copying between terminals! – starfry Nov 30 '18 at 14:30
  • Mine was simply empty ?!?! – gebbissimo Jul 01 '20 at 15:16
  • I recreated a private key in the current format used by my SSH client of a later version than the one which has previously worked: `ssh-keygen -p -f ~/.ssh/id_rsa -N ""` The empty string causes no passphrase to be set. I recommend you make a backup before carrying out the inplace operation in case your mileage varies. – Richard Green Jul 13 '20 at 09:21
  • 24
    I was missing a new line at the end of the file.... – LiMuBei Nov 13 '20 at 14:24
  • 8
    you may only be missing a trailing newline – david.barkhuizen Dec 12 '20 at 16:23
  • 4
    it's almost as if a missing trailing newline shouldn't cause a problem, but it do. hey 99% of software - gfy – Alexander Mills Dec 14 '20 at 20:45
  • I get this error, but connects fine anyways. Both when using keys generated by ssh-keygen, AWS and Azure. – Jeppe Feb 07 '21 at 09:44
32

I fixed this issue in Windows by converting the private key to OpenSSH format using the PuTTY Key Generator.

  1. Start Menu | All apps | PuTTY | PuTTYgen
  2. Load my.ppk
  3. Conversions | Export OpenSSH key
  4. Save my_openssh.ppk

Start Menu, All apps, PuTTY section, PuTTYgen

PuTTYgen, Conversions, Export OpenSSH

Now this works:

ssh -i "my_openssh.ppk" user@example.com

Mac conversion: (thanks @ChrisGillatt)

brew install putty 
puttygen ~/.ssh/my.ppk -O private-openssh -o ~/.ssh/my_openssh.ppk
Bob Stein
  • 992
  • 1
  • 6
  • 9
Ras
  • 421
  • 4
  • 3
  • 1
    Here's how to do this on a Mac Terminal (assuming you have Brew installed): `brew install putty && puttygen ~/.ssh/my-key-name.ppk -O private-openssh -o ~/.ssh/my-key-name` – Chris Gillatt Apr 21 '20 at 11:33
  • @Ras thanks, this made the difference for me too. I hope you like my [revisions to your answer](https://serverfault.com/review/suggested-edits/494146). – Bob Stein Aug 09 '21 at 13:56
25

If you get a warning about an invalid public key format but the command still works then it may be because you only have a private key file and are using OpenSSH 8.3.

OpenSSH 8.3 includes a change to the ssh client where it looks for the private key's corresponding public key file and outputs this load pubkey "/home/user/.ssh/id.rsa": invalid format warning but continues to connect successfully. Tools using ssh, such as scp or git may show key_load_public: invalid format.

The client does not need the public key when connecting, only the private key. So this check is pointless and it has already been removed by an upstream commit but isn't in a relase (yet).

There's a discussion about this on the ArchLinux forum.

starfry
  • 561
  • 1
  • 7
  • 13
  • 6
    Thanks! I was missing the pubkey for my privatekey. No more problem since I generated the public key.: ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub – peyo Sep 28 '20 at 15:11
  • This is exactly the root cause on my side. I am confused about the behavior because I was just copying key from one machine to another machine. Then the warning jumps out and ssh still works. Double check the versions of ssh on Ubuntu 20.04 and 20.10. OpenSSH_8.2p1 on Ubuntu 20.04 without warning while OpenSSH_8.3p1 with warning on Ubuntu 20.10. I am now relieved to see the warning just like somebody says hello to me. Thank you! – krave Mar 09 '21 at 06:10
  • This is the real answer! I had renamed my public key to put the pem in id_rsa.pub, and ssh / git expects it to be the ssh-rsa public key format and not pem. – Kieveli Oct 07 '21 at 13:44
18

In my case, it turned out that I had newlines between the start/end "headers" and the key data:

-----BEGIN RSA PRIVATE KEY-----

- Key data here -

-----END RSA PRIVATE KEY-----

Removing the extra new lines, so it became

-----BEGIN RSA PRIVATE KEY-----
- Key data here -
-----END RSA PRIVATE KEY-----

solved my problem.

user50849
  • 293
  • 2
  • 7
  • 3
    This happened to me when I copied a private key from LastPass (worst UX of any password manager I've used) using its "Copy" button. Copying using the keyboard from the silly one-line input field instead solved this. Removing those empty lines after pasting may have worked too, but not tested. – Arjan Oct 28 '21 at 21:27
  • Me too - wish I had searched "LastPass" on this page first thing. – Gregor Thomas Jan 19 '22 at 03:24
13

I just ran into this today when was writing some git tagging utils for my CI pipeline.

Here was the difference between my two keys:

$ diff ~/.ssh/gitlab ~/.ssh/git_ssh_key
27c27
< -----END OPENSSH PRIVATE KEY-----
---
> -----END OPENSSH PRIVATE KEY-----
\ No newline at end of file

I changed my code like so:

     with open(ssh_key_file, 'w') as skf:
-        skf.write(ssh_key)
+        skf.write(ssh_key + '\n')

And now my ssh key works.

TL;DR - I guess you have to have a newline at the end of your private key.

Robert J
  • 231
  • 2
  • 4
10

After a recent update in Fedora 32 I started to get this warnings when connecting to remote hosts.

I solved the problem adding pkcs11: to the IdentityFile parameter in my .ssh/config like this:

IdentityFile pkcs11:~/.ssh/my_key.pem 

For reference, excerpt from ssh_config man page:

The authentication identity can be also specified in a form of PKCS#11 URI starting with a string pkcs11:.

  • 2
    this solved the issue for me, when running on `Fedora 32` and connecting to Amazon EC2. Thanks for sharing! – Kevin Jun 10 '20 at 12:35
  • What openssh version does this use? On `OpenSSH_8.3p1` the `pkcs11:` prefix is not recognized and it tells me "no such file or directory `pkcs11:/my/file.pem`". But I seem to be having the same issue: the warning and things like line endings, adding a newline at the end, etc. don't fix it. – Luc Jun 15 '20 at 09:38
  • openssh-8.3p1-2.fc32.x86_64 `IdentityFile pkcs11:/home/vquintans/.ssh/vquintans.pem` – Vicente Quintans Jun 16 '20 at 10:54
  • 4
    Weirdly I get the warning, but can login. Adding pkcs11: fixes the warning, but prevents me logging in, as if the key is now wrong. Trying to ssh to AWS EC2 from fedora 32 – Nigel Atkinson Jun 23 '20 at 01:47
  • This issue does not have anything to do with so this answer can not fix the issue in any way. – Jakuje Jun 08 '21 at 12:49
8

I was asking openssh to use a particular identity file by specifying it in .ssh/config file.

The original working configuration had

IdentityFile = <path to public key file> 

This stopped working without any changes. On a little thinking I replaced the "path to public key file" above with "path to private key file" . That worked. The reasoning is that both public and private key files have large peudoprime related numbers as per the RSA algorithm. If you replace the private key file by public key file, these cryptographic numbers would not be extracted correctly from the base64 block saved within the key files. It seems some versions of ssh can figure out the .pub extension and use it to identify the correct private key file - and other versions dont do that. This is another way this error can happen. Hope it helps someone.

vpathak
  • 181
  • 1
  • 1
  • 1
    In my case, I had setup `config` file with `path_to_public_key` and everything was working. However when the mac did a hard restart and a few days later I tried to do a `git push`, I started getting the error stated above. But when I now changed it to `path_to_private_key` things are working... Hmmm. Not sure why.. – lukik May 27 '19 at 00:15
  • Yeah, pointed to private key and all good now. Thanks. – Murwa Jan 30 '20 at 16:57
  • 1
    It has to be a `private key file` for the IdentityFile section. – Yuki Matsukura Mar 29 '20 at 07:24
6

In my case, this was happening because I was missing a blank line between DEK-Info and the actual key data. I had:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6E6F6E65206F6620796F757220627573
VGhpcyBpcyBub3QgbXkgYWN0dWFsIGtleSBzb3JyeSB0byBkaXNhcHBvaW50IHlv
...

But it needed to be:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6E6F6E65206F6620796F757220627573

VGhpcyBpcyBub3QgbXkgYWN0dWFsIGtleSBzb3JyeSB0byBkaXNhcHBvaW50IHlv
...
Joshua Davies
  • 161
  • 1
  • 3
  • I copied a private key from LastPass (worst UX of any password manager I've used) using its "Copy" button, which added an **excessive** blank line after the `----BEGIN RSA PRIVATE KEY-----` and another before the `-----END RSA PRIVATE KEY-----`. Copying from the silly one-line input field instead solved this. Removing those empty lines after pasting may have worked too, but not tested. – Arjan Oct 28 '21 at 21:26
5

You should convert your .ppk key to OpenSSH key

Here is how you do it:

  1. Download PuttyGen and generate your keypair (if you don't have keypair ready). Save private key to your folder (.ppk)
  2. If you are already had the private key, load the private key file (.ppk) by pressing the "Load" Button. Otherwise, skip this step
  3. Under menu "Conversions", choose Export OpenSSH key then save it to your folder
  4. Now you are ready to use the key to login your server without typing the password (I assume you already put the public key under /root/.ssh/authorized_keys, chmod 600 /root/.ssh/authorized_keys, And Restarted SSH demon )
Dylan B
  • 161
  • 1
  • 3
  • 1
    I had to re-install all my applications, and keys that once worked started doing this. My solution was similar, except I had to pick "Export OpenSSH key (force new file format)". The regular "Export OpenSSH key" generated the same key that didn't work. – Mageician Jul 16 '20 at 18:00
3

I've faced with the compatibility issue in Win32-OpenSSH 8.1.

None of the answers here worked for me so I found my own way: convert key to the new format using PuTTYgen utility.

  1. Run fresh version of puttygen
  2. Open the key (Conversions > Import key). Enter passphrase.
  3. Save key in new OpenSSH format (Conversions > Export OpenSSH key (force new file format))

enter image description here

Ilya Serbis
  • 131
  • 6
3

Use your private key instead of the public key.

Richard
  • 149
  • 5
2

Confusingly, the error says "pubkey" while pointing to a private key file.

A missing public key file (or other problems with it) causes this error - see this answer for details.

uvsmtid
  • 847
  • 1
  • 6
  • 12
2

I started seeing this problem when I upgraded to Ubuntu 20.10. It uses OpenSSH_8.3p1.

I fixed it using:

ssh-keygen -y -f mykey.pem > mykey.pem.pub
Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47
mark amos
  • 21
  • 1
1

I got this error when I use my public key with ssh-add. I should have used the private key. The public key can cause this error.

ssh-add rsakey.pub
Error loading key "rsakey.pub": invalid format

However, this is fine:

ssh-add rsakey
1

In my case the problem was that the private key was in the following format:

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

whereas the SSH server expected the following format:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
syntagma
  • 141
  • 3
1

I was having this problem with Mac OSX 11.4 and ssh version OpenSSH_8.1p1, LibreSSL 2.7.3. I tried all of the other solutions and nothing worked (i.e., I regenerated keys, tried newlines etc.).

Then I read this on the GitHub docs and by adding the following to my ~/.ssh/config I no longer got the error

Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa
Michael Hall
  • 111
  • 3
0

My issue was due to encoding. Looking in VSCode the encoding of the file (which I had created using Out-File in PowerShell) was UTF-16LE. When I switched to UTF-8, the key was valid.

john
  • 1,995
  • 1
  • 17
  • 30
0

You are logging with the wrong user

In my case, I was trying to connect to an Amazon AWS EC2 instance, but getting the error

load pubkey "MyPrivateKey.pem": invalid format

This was because I was trying to log with the wrong user (ec2-user)

I was using an Ubuntu machine, with user ubuntu instead of ec2-user (as is stated on the official Amazon Linux server OS).

But why that error?

It turns out Amazon uses an old format (puttygen says upon loading "openssh ssh-2 private key (old pem format)") that openssh doesn't like very much, so it is really a warning and not an error.

The real error (there is no such user on that server) is hidden by the server (otherwise you could brute force login names), but instead a "Connection closed" is shown.


You can find the name you use to connect to your machine on AWS under Actions>Connect.


How to fix the warning?

Just follow the answer of "Ras", which is, use PuTTYgen to convert to the OpenSSH format.

kenlukas
  • 2,886
  • 2
  • 14
  • 25
0

For anyone who has tried sudo puttygen ~/.ssh/your-key.pem -O private-openssh -o ~/.ssh/your-key-new.pem and got an error message saying puttygen: this command would perform no useful action there is an even newer format so you need to amend the command as follows:

sudo puttygen ~/.ssh/your-key.pem -O private-openssh-new -o ~/.ssh/your-key-new.pem

I was using a key generated by AWS on Manjaro which is a bit more bleeding edge than most other distros, still worked but the warning message was annoying.

For more info you can use man puttygen but the relevent section is below:

  -O output-type
    Specify the type of output you want puttygen to produce. Acceptable options are:

    private
      Save the private key in a format usable by PuTTY. This will either be the standard SSH-1 key format, or PuTTY's own SSH-2 key format.

    public Save  the  public key only. For SSH-1 keys, the standard public key format will be used (`1024 37 5698745...'). For SSH-2 keys, the public key will be output in the format specified by
      RFC 4716, which is a multi-line text file beginning with the line `---- BEGIN SSH2 PUBLIC KEY ----'.

    public-openssh
      Save the public key only, in a format usable by OpenSSH. For SSH-1 keys, this output format behaves identically to public. For SSH-2 keys, the public key will be output in the  OpenSSH
      format, which is a single line (`ssh-rsa AAAAB3NzaC1yc2...').

    fingerprint
      Print the fingerprint of the public key. All fingerprinting algorithms are believed compatible with OpenSSH.

    private-openssh
      Save an SSH-2 private key in OpenSSH's format, using the oldest format available to maximise backward compatibility. This option is not permitted for SSH-1 keys.

    private-openssh-new
      As private-openssh, except that it forces the use of OpenSSH's newer format even for RSA, DSA, and ECDSA keys.

    private-sshcom
      Save an SSH-2 private key in ssh.com's format. This option is not permitted for SSH-1 keys.

    If no output type is specified, the default is private.
Bob
  • 101
0

I had a similar error Load key "/root/.ssh/id_rsa": invalid format when I tried

RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa &&     chmod 600 /root/.ssh/id_rsa

This led to errors like identity file /root/.ssh/id_rsa type -1 invalid format and read_passphrase: can't open /dev/tty.

The right way would be to use

COPY id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa

The solution explained: my private key was wrongly formatted - instead of many lines, it was passed as a one-liner, and you might have any other format issue like a forgotten "-" at the start or end, or something wrong at the end of the lines, like a missing newline format or an additional letter at the end of a line.

See Dockerfile: clone repo with passwordless private key. Errors: “authentication agent” or “read_passphrase: can't open /dev/tty” for more details, with the main idea from Add private key to ssh-agent in docker file, which again had the idea from Gitlab CI/Docker: ssh-add keeps asking for passphrase.

0

I did something like the information here https://github.com/marketplace/actions/webfactory-ssh-agent

SSH Private Key Format If the private key is not in the PEM format, you will see an Error loading key "(stdin)": invalid format message.

Use ssh-keygen -p -f path/to/your/key -m pem to convert your key file to PEM, but be sure to make a backup of the file first .

It solved my issue.

0

If you are on windows using Cygwin, Gitbash, MSYS or similar tools, try to start your command in elevated mode (run as administrator).

I had to do this to re-export the public key file. If you are using .ssh/config file, make sure that the private key file is referenced there IdentityFile ~/.ssh/id_rsa.

Creating your private key file using puttygen will lead to similar error messages too, use OpenSSH to generate your private-public key-pair.

Using the public key file (~/.ssh/id_rsa.pub) as your identity file (IdentityFile in .ssh/config) will cause misleading error messages like

  • invalid format
  • connection timeout
linux64kb
  • 101
  • 2
0

TL;DR

FWIW, I ran into this problem today.

I never figured out what the new install of Win32 "portable openssh" 8.0.p1 didn't like about the key files - I just created new keys and added them to github and gitlab:

ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:\Users\mburr\.ssh\github.mburr-precor.key-2.id_rsa

Details

I had a working install of OpenSSH from the https://github.com/PowerShell/openssh-portable project (as installed by Chocolatey). But a few days ago I had to perform a "repair install" of Windows and therefore had to reinstall OpenSSH.

After that my keys used to authenticate to github and gitlab would no longer work giving the "invalid format" error. These were the identical key files that had been on the system before (the Repair Reinstall didn't remove those files).

I found no problems with line endings (all LF and an LF at the end of the file). The keys worked on a Linux system - and I later found that they worked with the OpenSSH included with Git for Windows v2.33.1.

 using the Win32 "portable OpenSSH" (from https://github.com/PowerShell/openssh-portable as installed by Chocolatey)
# Private key file error: "invalid format"
#

C:\devtrees>"c:\Program Files\OpenSSH-Win64\ssh.exe" -V
OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5

C:\devtrees>"c:\Program Files\OpenSSH-Win64\ssh.exe" -F c:\util\emptyfile -i c:\users\mburr\.ssh\github.mburr.id_rsa -T git@github.com
Load key "c:\\users\\mburr\\.ssh\\github.mburr.id_rsa": invalid format
git@github.com: Permission denied (publickey).


#-------------------------------------------------------
# using the OpenSSH that comes with Git for Windows v2.33.1
# No problem with the private key
#

C:\devtrees>c:\git\usr\bin\ssh.exe -V
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021

C:\devtrees>c:\git\usr\bin\ssh.exe -F c:\util\emptyfile -i c:\users\mburr\.ssh\github.mburr.id_rsa -T git@github.com
Enter passphrase for key 'c:\users\mburr\.ssh\github.mburr.id_rsa':
Hi mburr! You've successfully authenticated, but GitHub does not provide shell access.

(emptyfile is just that. I specified it as the config file with -F to force ssh to ignore ~/.ssh/config)

I never figured out what the Win32 "portable openssh" 8.0.p1 didn't like about the key files - I just created new keys and added them to github and gitlab:

ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:\Users\mburr\.ssh\github.mburr-precor.key-2.id_rsa

Problem solved.

Michael Burr
  • 231
  • 1
  • 3
0

In my case the private key must have been added to the agent with:

ssh-add ~/.ssh/private_id_rsa
0x416e746f6e
  • 141
  • 1
  • 6
0

I encountered this problem because the key file did not end with a newline character.

0

I had this issue because I had a key in ~/.ssh that actually was an invalid format and I had a lot of keys, which meant SSH was trying them all, even though I specified my identity file in the command. It just happens to fail because it can only try 5 keys I think, and then left me with that error, which was legit, just for the wrong identity file. The solution was to just use IdentitiesOnly yes in my ~/.ssh/config.

Elijah Lynn
  • 139
  • 3
  • 16
0

I had this error because there was a blank line at the beginning of the key file. Easy to miss if you are cating it out.

Elijah Lynn
  • 139
  • 3
  • 16
0

This is also the error ssh (at least some versions) emits if you have a passphrase on your private key, and enter the passphrase wrong when you attempt to connect.

(In particular, this happened to me with: OpenSSH_7.6p1, LibreSSL 2.6.2, which is the built-in SSH for Mac OS X 10.13.6 .)

So double-check that you're using the right passphrase, and that CAPS LOCK is off.

-2

Make sure you to rename your PRIVATE key and remove the file extension that is the issue.

Steps I took

Create your public key:

Make sure you are in the same directory you have the private key

How to create the Public Key:

ssh-keygen -y -f Private-Key.pem > Public-key.pub

make sure the PUBLIC key has a .pub file extension

after that provide proper permissions for security reasons:

chmod 600 Private-Key.pem
chmod 400 Public-key.pub

THEN the most important part and the reason you got the error "invalid format"

Make sure you to rename your PRIVATE key and remove the file extension:

Remove the .pem from your Private key.

mv Private-Key.pem Private-Key

or if on a windows computer rename the private key, same name just remove the .pem

HBruijn
  • 72,524
  • 21
  • 127
  • 192