ssh-keygen does not create RSA private key

I faced the same problem recently (after upgrade to mojave 10.14.1), here are 2 possible solutions for this issue.

• Downgrade your ssh-keygen binary (you can easily get old version from any linux/docker image)

OR

• Add option -m PEM into your ssh-keygen command. For example, you can run ssh-keygen -m PEM -t rsa -b 4096 -C "[email protected]" to force ssh-keygen to export as PEM format.

It seems like in the current ssh-keygen version in mojave, the default export format is RFC4716 as mentioned here

New keys with OpenSSH private key format can be converted using ssh-keygen utility to the old PEM format.

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

There is no need to downgrade to older OpenSSH just to achieve this result.

Some elaboration on the above answers to provide a clear path for both the public and private key.

You can directly export (-e) your ssh keys to a pem format:

For your public key:

cd ~/.ssh
ssh-keygen -e -m PEM -f id_rsa > id_rsa.pub.pem

For your private key:

Things are a little tricker as ssh-keygen only allows the private key file to be change 'in-situ'. (i.e. it replaces your key file with the new file).

So you can keep your old file:

Given we are just exporting the file the <new pass phrase> can be identical to your <old pass phrase> (unless you want to change the pass phrase at the same time).

cd ~/.ssh
cp id_rsa id_rsa.bak
ssh-keygen -p -P "<old pass phrase>" -N "<new pass phrase>" -m PEM -f id_rsa 
cp id_rsa id_rsa.priv.pem
cp id_rsa.bak id_rsa

NOTE: it is a bad idea to pass your pass phrase as an argument to a cli app.

The secure method is:

cd ~/.ssh
cp id_rsa id_rsa.bak
ssh-keygen -p  -m PEM -f id_rsa 
cp id_rsa id_rsa.priv.pem
cp id_rsa.bak id_rsa

With this method you will be prompted for your old and new pass phrase.

Note: after converting your private key file to a .pem the file is now in clear text, this is bad.