Home / server / Questions / 854208
Accepted
Gregor Menih
Asked: 2017-06-07 04:06:45 +0800 CST

SSH Suddenly returning Invalid format

  • 772

So a while ago I set up a server on AWS, and used their generated SSH key. I saved the key to Lastpass, and have successfully retrieved it from there before, and got it working. However, after trying that again today, I can't get it to work.

-rw------- 1 itsgreg users 1674 Jun 6 12:51 key_name

I've tried ssh -i key_name, ssh-keygen -f key_name, but nothing works, I always get this error message:

Load key "key_name": invalid format

Is there any way to fix this?

ssh

30 Answers

  1. Starting openssh 7.6, it defaults to a new more secure format. You can force it to convert to that format using the commands below to change your key password. In case you don't have and/or don't want a password, you can simply press enter and it will still rewrite the key in the new format

    ssh-keygen -f ~/.ssh/id_rsa -p
    • 73

  2. I had the same issue, and it turns out I had Windows-style (CRLF) line separators in the file for some reason.

    In addition, the file must end with a single LF.

    Fixing those made things dandy again.

    • 55
  3. Best Answer

    Check the contents of key_name, if the agent says invalid format, then there's something wrong with the key - like .. are you sure that's the correct key? Even if it's not the private key you need, the ssh agent won't return invalid format if the key is working, you simply won't be able to connect. You might have placed your public key in there, for some reason. Check it!

    • 47

  4. I fixed this issue in Windows by converting the private key to OpenSSH format using the PuTTY Key Generator.

    1. Start Menu | All apps | PuTTY | PuTTYgen
    2. Load my.ppk
    3. Conversions | Export OpenSSH key
    4. Save my_openssh.ppk

    Start Menu, All apps, PuTTY section, PuTTYgen

    PuTTYgen, Conversions, Export OpenSSH

    Now this works:

    ssh -i "my_openssh.ppk" [email protected]

    Mac conversion: (thanks @ChrisGillatt)

    brew install putty 
puttygen ~/.ssh/my.ppk -O private-openssh -o ~/.ssh/my_openssh.ppk
    • 31

  5. If you get a warning about an invalid public key format but the command still works then it may be because you only have a private key file and are using OpenSSH 8.3.

    OpenSSH 8.3 includes a change to the ssh client where it looks for the private key's corresponding public key file and outputs this load pubkey "/home/user/.ssh/id.rsa": invalid format warning but continues to connect successfully. Tools using ssh, such as scp or git may show key_load_public: invalid format.

    The client does not need the public key when connecting, only the private key. So this check is pointless and it has already been removed by an upstream commit but isn't in a relase (yet).

    There's a discussion about this on the ArchLinux forum.

    • 25

  6. In my case, it turned out that I had newlines between the start/end "headers" and the key data:

    -----BEGIN RSA PRIVATE KEY-----

- Key data here -

-----END RSA PRIVATE KEY-----

    Removing the extra new lines, so it became

    -----BEGIN RSA PRIVATE KEY-----
- Key data here -
-----END RSA PRIVATE KEY-----

    solved my problem.

    • 18

  7. I just ran into this today when was writing some git tagging utils for my CI pipeline.

    Here was the difference between my two keys:

    $ diff ~/.ssh/gitlab ~/.ssh/git_ssh_key
27c27
< -----END OPENSSH PRIVATE KEY-----
---
> -----END OPENSSH PRIVATE KEY-----
\ No newline at end of file

    I changed my code like so:

         with open(ssh_key_file, 'w') as skf:
-        skf.write(ssh_key)
+        skf.write(ssh_key + '\n')

    And now my ssh key works.

    TL;DR - I guess you have to have a newline at the end of your private key.

    • 13

  8. After a recent update in Fedora 32 I started to get this warnings when connecting to remote hosts.

    I solved the problem adding pkcs11: to the IdentityFile parameter in my .ssh/config like this:

    IdentityFile pkcs11:~/.ssh/my_key.pem

    For reference, excerpt from ssh_config man page:

    The authentication identity can be also specified in a form of PKCS#11 URI starting with a string pkcs11:.

    • 10

  9. I was asking openssh to use a particular identity file by specifying it in .ssh/config file.

    The original working configuration had

    IdentityFile = <path to public key file>

    This stopped working without any changes. On a little thinking I replaced the "path to public key file" above with "path to private key file" . That worked. The reasoning is that both public and private key files have large peudoprime related numbers as per the RSA algorithm. If you replace the private key file by public key file, these cryptographic numbers would not be extracted correctly from the base64 block saved within the key files. It seems some versions of ssh can figure out the .pub extension and use it to identify the correct private key file - and other versions dont do that. This is another way this error can happen. Hope it helps someone.

    • 8

  10. In my case, this was happening because I was missing a blank line between DEK-Info and the actual key data. I had:

    -----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6E6F6E65206F6620796F757220627573
VGhpcyBpcyBub3QgbXkgYWN0dWFsIGtleSBzb3JyeSB0byBkaXNhcHBvaW50IHlv
...

    But it needed to be:

    -----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6E6F6E65206F6620796F757220627573

VGhpcyBpcyBub3QgbXkgYWN0dWFsIGtleSBzb3JyeSB0byBkaXNhcHBvaW50IHlv
...
    • 6