So a while ago I set up a server on AWS, and used their generated SSH key. I saved the key to Lastpass, and have successfully retrieved it from there before, and got it working. However, after trying that again today, I can't get it to work.
-rw------- 1 itsgreg users 1674 Jun 6 12:51 key_name
I've tried ssh -i key_name, ssh-keygen -f key_name, but nothing works, I always get this error message:
Load key "key_name": invalid format
Is there any way to fix this?
Check the contents of key_name, if the agent says invalid format, then there's something wrong with the key - like .. are you sure that's the correct key? Even if it's not the private key you need, the ssh agent won't return invalid format if the key is working, you simply won't be able to connect. You might have placed your public key in there, for some reason. Check it!
One common issue is if the file does not end with a newline. Add a newline, save, and try again.
----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----. Plus it used to work. I had the same issue, and it turns out I had Windows-style (CRLF) line separators in the file for some reason.
In addition, the file must end with a single LF.
Fixing those made things dandy again.
Starting openssh 7.6, it defaults to a new more secure format. You can force it to convert to that format using the commands below to change your key password. In case you don't have and/or don't want a password, you can simply press enter and it will still rewrite the key in the new format
ssh-keygen -f ~/.ssh/id_rsa -p 
ssh-keygen from OpenSSH (I've used 7.7.2.1 before) even don't want to read the key the same way as new ssh version does: Failed to load key id_rsa: invalid format I fixed this issue in Windows by converting the private key to OpenSSH format using the PuTTY Key Generator.
PuTTYgenmy.ppkConversions | Export OpenSSH keymy_openssh.ppk
Now this works:
ssh -i "my_openssh.ppk" [email protected] Mac conversion: (thanks @ChrisGillatt)
brew install putty puttygen ~/.ssh/my.ppk -O private-openssh -o ~/.ssh/my_openssh.ppk 
brew install putty && puttygen ~/.ssh/my-key-name.ppk -O private-openssh -o ~/.ssh/my-key-name If you get a warning about an invalid public key format but the command still works then it may be because you only have a private key file and are using OpenSSH 8.3.
OpenSSH 8.3 includes a change to the ssh client where it looks for the private key's corresponding public key file and outputs this load pubkey "/home/user/.ssh/id.rsa": invalid format warning but continues to connect successfully. Tools using ssh, such as scp or git may show key_load_public: invalid format.
The client does not need the public key when connecting, only the private key. So this check is pointless and it has already been removed by an upstream commit but isn't in a relase (yet).
There's a discussion about this on the ArchLinux forum.
In my case, it turned out that I had newlines between the start/end "headers" and the key data:
-----BEGIN RSA PRIVATE KEY----- - Key data here - -----END RSA PRIVATE KEY----- Removing the extra new lines, so it became
-----BEGIN RSA PRIVATE KEY----- - Key data here - -----END RSA PRIVATE KEY----- solved my problem.
I just ran into this today when was writing some git tagging utils for my CI pipeline.
Here was the difference between my two keys:
$ diff ~/.ssh/gitlab ~/.ssh/git_ssh_key 27c27 < -----END OPENSSH PRIVATE KEY----- --- > -----END OPENSSH PRIVATE KEY----- \ No newline at end of file I changed my code like so:
with open(ssh_key_file, 'w') as skf: - skf.write(ssh_key) + skf.write(ssh_key + '\n') And now my ssh key works.
TL;DR - I guess you have to have a newline at the end of your private key.
docker-alpine After a recent update in Fedora 32 I started to get this warnings when connecting to remote hosts.
I solved the problem adding pkcs11: to the IdentityFile parameter in my .ssh/config like this:
IdentityFile pkcs11:~/.ssh/my_key.pem For reference, excerpt from ssh_config man page:
The authentication identity can be also specified in a form of PKCS#11 URI starting with a string pkcs11:.
Fedora 32 and connecting to Amazon EC2. Thanks for sharing! OpenSSH_8.3p1 the pkcs11: prefix is not recognized and it tells me "no such file or directory pkcs11:/my/file.pem". But I seem to be having the same issue: the warning and things like line endings, adding a newline at the end, etc. don't fix it. IdentityFile pkcs11:/home/vquintans/.ssh/vquintans.pem I was asking openssh to use a particular identity file by specifying it in .ssh/config file.
The original working configuration had
IdentityFile = <path to public key file> This stopped working without any changes. On a little thinking I replaced the "path to public key file" above with "path to private key file".
IdentityFile = <path to private key file> That worked. The reasoning is that both public and private key files have large peudoprime related numbers as per the RSA algorithm. If you replace the private key file by public key file, these cryptographic numbers would not be extracted correctly from the base64 block saved within the key files. It seems some versions of ssh can figure out the .pub extension and use it to identify the correct private key file - and other versions dont do that. This is another way this error can happen. Hope it helps someone.
config file with path_to_public_key and everything was working. However when the mac did a hard restart and a few days later I tried to do a git push, I started getting the error stated above. But when I now changed it to path_to_private_key things are working... Hmmm. Not sure why.. private key file for the IdentityFile section. In my case, this was happening because I was missing a blank line between DEK-Info and the actual key data. I had:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,6E6F6E65206F6620796F757220627573 VGhpcyBpcyBub3QgbXkgYWN0dWFsIGtleSBzb3JyeSB0byBkaXNhcHBvaW50IHlv ... But it needed to be:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,6E6F6E65206F6620796F757220627573 VGhpcyBpcyBub3QgbXkgYWN0dWFsIGtleSBzb3JyeSB0byBkaXNhcHBvaW50IHlv ... 
----BEGIN RSA PRIVATE KEY----- and another before the -----END RSA PRIVATE KEY-----. Copying from the silly one-line input field instead solved this. Removing those empty lines after pasting may have worked too, but not tested. You should convert your .ppk key to OpenSSH key
Here is how you do it:
I've faced with the compatibility issue in Win32-OpenSSH 8.1.
None of the answers here worked for me so I found my own way: convert key to the new format using PuTTYgen utility.
puttygen
Use your private key instead of the public key.
I started seeing this problem when I upgraded to Ubuntu 20.10. It uses OpenSSH_8.3p1.
I fixed it using:
ssh-keygen -y -f mykey.pem > mykey.pem.pub Confusingly, the error says "pubkey" while pointing to a private key file.
A missing public key file (or other problems with it) causes this error - see this answer for details.
In my case the problem was that the private key was in the following format:
-----BEGIN OPENSSH PRIVATE KEY----- ... -----END OPENSSH PRIVATE KEY----- whereas the SSH server expected the following format:
-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- You are logging with the wrong user
In my case, I was trying to connect to an Amazon AWS EC2 instance, but getting the error
load pubkey "MyPrivateKey.pem": invalid format
This was because I was trying to log with the wrong user (ec2-user)
I was using an Ubuntu machine, with user ubuntu instead of ec2-user (as is stated on the official Amazon Linux server OS).
But why that error?
It turns out Amazon uses an old format (puttygen says upon loading "openssh ssh-2 private key (old pem format)") that openssh doesn't like very much, so it is really a warning and not an error.
The real error (there is no such user on that server) is hidden by the server (otherwise you could brute force login names), but instead a "Connection closed" is shown.
You can find the name you use to connect to your machine on AWS under Actions>Connect.
Just follow the answer of "Ras", which is, use PuTTYgen to convert to the OpenSSH format.
For anyone who has tried sudo puttygen ~/.ssh/your-key.pem -O private-openssh -o ~/.ssh/your-key-new.pem and got an error message saying puttygen: this command would perform no useful action there is an even newer format so you need to amend the command as follows:
sudo puttygen ~/.ssh/your-key.pem -O private-openssh-new -o ~/.ssh/your-key-new.pem I was using a key generated by AWS on Manjaro which is a bit more bleeding edge than most other distros, still worked but the warning message was annoying.
For more info you can use man puttygen but the relevent section is below:
-O output-type Specify the type of output you want puttygen to produce. Acceptable options are: private Save the private key in a format usable by PuTTY. This will either be the standard SSH-1 key format, or PuTTY's own SSH-2 key format. public Save the public key only. For SSH-1 keys, the standard public key format will be used (`1024 37 5698745...'). For SSH-2 keys, the public key will be output in the format specified by RFC 4716, which is a multi-line text file beginning with the line `---- BEGIN SSH2 PUBLIC KEY ----'. public-openssh Save the public key only, in a format usable by OpenSSH. For SSH-1 keys, this output format behaves identically to public. For SSH-2 keys, the public key will be output in the OpenSSH format, which is a single line (`ssh-rsa AAAAB3NzaC1yc2...'). fingerprint Print the fingerprint of the public key. All fingerprinting algorithms are believed compatible with OpenSSH. private-openssh Save an SSH-2 private key in OpenSSH's format, using the oldest format available to maximise backward compatibility. This option is not permitted for SSH-1 keys. private-openssh-new As private-openssh, except that it forces the use of OpenSSH's newer format even for RSA, DSA, and ECDSA keys. private-sshcom Save an SSH-2 private key in ssh.com's format. This option is not permitted for SSH-1 keys. If no output type is specified, the default is private. I got this error when I use my public key with ssh-add. I should have used the private key. The public key can cause this error.
ssh-add rsakey.pub Error loading key "rsakey.pub": invalid format However, this is fine:
ssh-add rsakey I was having this problem with Mac OSX 11.4 and ssh version OpenSSH_8.1p1, LibreSSL 2.7.3. I tried all of the other solutions and nothing worked (i.e., I regenerated keys, tried newlines etc.).
Then I read this on the GitHub docs and by adding the following to my ~/.ssh/config I no longer got the error
Host * AddKeysToAgent yes UseKeychain yes IdentityFile ~/.ssh/id_rsa In my case the private key must have been added to the agent with:
ssh-add ~/.ssh/private_id_rsa I had this issue because I had a key in ~/.ssh that actually was an invalid format and I had a lot of keys, which meant SSH was trying them all, even though I specified my identity file in the command. It just happens to fail because it can only try 5 keys I think, and then left me with that error, which was legit, just for the wrong identity file. The solution was to just use IdentitiesOnly yes in my ~/.ssh/config.
I had this error because there was a blank line at the beginning of the key file. Easy to miss if you are cating it out.
This is also the error ssh (at least some versions) emits if you have a passphrase on your private key, and enter the passphrase wrong when you attempt to connect.
(In particular, this happened to me with: OpenSSH_7.6p1, LibreSSL 2.6.2, which is the built-in SSH for Mac OS X 10.13.6 .)
So double-check that you're using the right passphrase, and that CAPS LOCK is off.
My issue was due to encoding. Looking in VSCode the encoding of the file (which I had created using Out-File in PowerShell) was UTF-16LE. When I switched to UTF-8, the key was valid.
I had a similar error Load key "/root/.ssh/id_rsa": invalid format when I tried
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa This led to errors like identity file /root/.ssh/id_rsa type -1 invalid format and read_passphrase: can't open /dev/tty.
The right way would be to use
COPY id_rsa /root/.ssh/id_rsa RUN chmod 600 /root/.ssh/id_rsa The solution explained: my private key was wrongly formatted - instead of many lines, it was passed as a one-liner, and you might have any other format issue like a forgotten "-" at the start or end, or something wrong at the end of the lines, like a missing newline format or an additional letter at the end of a line.
See Dockerfile: clone repo with passwordless private key. Errors: “authentication agent” or “read_passphrase: can't open /dev/tty” for more details, with the main idea from Add private key to ssh-agent in docker file, which again had the idea from Gitlab CI/Docker: ssh-add keeps asking for passphrase.
I did something like the information here https://github.com/marketplace/actions/webfactory-ssh-agent
SSH Private Key Format If the private key is not in the PEM format, you will see an Error loading key "(stdin)": invalid format message.
Use ssh-keygen -p -f path/to/your/key -m pem to convert your key file to PEM, but be sure to make a backup of the file first 😉.
It solved my issue.
If you are on windows using Cygwin, Gitbash, MSYS or similar tools, try to start your command in elevated mode (run as administrator).
I had to do this to re-export the public key file. If you are using .ssh/config file, make sure that the private key file is referenced there IdentityFile ~/.ssh/id_rsa.
Creating your private key file using puttygen will lead to similar error messages too, use OpenSSH to generate your private-public key-pair.
Using the public key file (~/.ssh/id_rsa.pub) as your identity file (IdentityFile in .ssh/config) will cause misleading error messages like
FWIW, I ran into this problem today.
I never figured out what the new install of Win32 "portable openssh" 8.0.p1 didn't like about the key files - I just created new keys and added them to github and gitlab:
ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:\Users\mburr\.ssh\github.mburr-precor.key-2.id_rsa I had a working install of OpenSSH from the https://github.com/PowerShell/openssh-portable project (as installed by Chocolatey). But a few days ago I had to perform a "repair install" of Windows and therefore had to reinstall OpenSSH.
After that my keys used to authenticate to github and gitlab would no longer work giving the "invalid format" error. These were the identical key files that had been on the system before (the Repair Reinstall didn't remove those files).
I found no problems with line endings (all LF and an LF at the end of the file). The keys worked on a Linux system - and I later found that they worked with the OpenSSH included with Git for Windows v2.33.1.
using the Win32 "portable OpenSSH" (from https://github.com/PowerShell/openssh-portable as installed by Chocolatey) # Private key file error: "invalid format" # C:\devtrees>"c:\Program Files\OpenSSH-Win64\ssh.exe" -V OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5 C:\devtrees>"c:\Program Files\OpenSSH-Win64\ssh.exe" -F c:\util\emptyfile -i c:\users\mburr\.ssh\github.mburr.id_rsa -T [email protected] Load key "c:\\users\\mburr\\.ssh\\github.mburr.id_rsa": invalid format [email protected]: Permission denied (publickey). #------------------------------------------------------- # using the OpenSSH that comes with Git for Windows v2.33.1 # No problem with the private key # C:\devtrees>c:\git\usr\bin\ssh.exe -V OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021 C:\devtrees>c:\git\usr\bin\ssh.exe -F c:\util\emptyfile -i c:\users\mburr\.ssh\github.mburr.id_rsa -T [email protected] Enter passphrase for key 'c:\users\mburr\.ssh\github.mburr.id_rsa': Hi mburr! You've successfully authenticated, but GitHub does not provide shell access. (emptyfile is just that. I specified it as the config file with -F to force ssh to ignore ~/.ssh/config)
I never figured out what the Win32 "portable openssh" 8.0.p1 didn't like about the key files - I just created new keys and added them to github and gitlab:
ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:\Users\mburr\.ssh\github.mburr-precor.key-2.id_rsa Problem solved.
I encountered this problem because the key file did not end with a newline character.
