37

For some reason one of my ssh keys "just broke" - it just stopped working:

$ ssh-add ./id_rsa
Error loading key "./id_rsa": invalid format

Copying the key inside a clean VM, the key does work. Even with the exact same ssh version (OpenSSH_7.8p1, OpenSSL 1.1.0i-fips 14 Aug 2018 on Fedora 28). So it must be related to some config on my system I assume.

# cat ./id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,...

...
-----END RSA PRIVATE KEY-----

Also peculiar: GNOME somehow manages to add the key on login with seahorse. Then ssh-add -L does list the key but it is not usable:

sign_and_send_pubkey: signing failed: agent refused operation

9 Answers

32

I was getting the same error message when passing in the private key through a CI pipeline variable in Gitlab.

The error was caused by not having a newline character at the end of the variable and was fixed by manually adding it.

AdrianoKF
  • 421
26

Traditionally, OpenSSH's private key format was identical to the older PEM format used by OpenSSL. (Because it uses OpenSSL for parsing the key, it will accept the newer PKCS#8 format as well.)

So the issue can be one of:

  1. Your OpenSSL version refuses to load this key format. Perhaps it has accidentally enabled FIPS mode and refuses any algorithms except those part of its original FIPS validation?

    Try loading the key into the openssl command-line tool (which, yes, might also be linked to a different libcrypto, and you should check with ldd):

    openssl rsa -noout -text < id_rsa
    openssl pkey -noout -text < id_rsa
    

    Try converting it to PKCS#8 format:

    umask 077
    openssl pkey < id_rsa > id_rsa.pkcs8
    ssh-add id_rsa.pkcs8
    
  2. Your OpenSSH has been built without OpenSSL support. Even though ssh -V says the support was enabled, that does not automatically mean the ssh-add binary is the same – it might come from a different partial installation.

    Use type -a ssh and type -a ssh-add to compare installation locations.

    Once you know the path, use ldd /usr/bin/ssh-add to verify that it's linked to libcrypto.so (the OpenSSL cryptographic library).


If nothing works at all, try converting your key to the new OpenSSH-proprietary format using... PuTTY. Install the putty package for Fedora, and use:

puttygen id_rsa -o id_rsa.newformat -O private-openssh-new
ssh-add id_rsa.newformat

Also peculiar: GNOME somehow manages to add the key on login with seahorse.

Older GNOME Keyring versions have an internal copy of the SSH agent code and are independent from the system OpenSSH. So they will accept keys that your OpenSSH won't. (But on the other hand, this means severe lagging in terms of feature support (such as Ed25519 keys), and the latest GNOME Keyring just uses the system ssh-agent instead.)

grawity
  • 501,077
12

In my case, the problem was caused by incorrect end-of-line characters in the id_rsa file. After copying the file content, a Windows text editor wanted to help me and converted the EOLs to CR LF.

Kamil
  • 233
5

In my case, I just copied id_rsa private key but not the public part id_rsa.pub. It worked but complained with 'invalid format' each time I did server operations. Copying id_rsa.pub as well solved the problem.

3

I recently had this problem, and in my case it was due to having an invalid certificate (i.e. $HOME/.ssh/id_rsa-cert.pub), which confusingly gave this same error even though my private key was still valid and SSH continued to work.

It was fixed by either removing the invalid (in my case, zero-sized) cert file, or replacing it with a valid certificate, as the case may be.

2

In my case, on Windows, the solution was to use the PuTTYgen option Conversions > Export SSH key (force new file format).

cja
  • 183
1

I was struggling with this issue and it ended up being extra newlines before and after the
-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines respectively; removing them fixed it and now works fine.

hernandanielg@laptop:~$ diff -c id_rsa .ssh/id_rsa

*** id_rsa 2022-04-26 06:41:51.650982783 -0500 --- .ssh/id_rsa 2022-04-26 06:39:47.971676083 -0500


*** 1,5 **** -----BEGIN RSA PRIVATE KEY-----

  • Proc-Type: 4,ENCRYPTED

--- 1,4 ----


*** 52,56 **** somehash

  • -----END RSA PRIVATE KEY-----

--- 51,54 ----

JW0914
  • 9,096
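The formatting faults reported in several answers above (a missing trailing newline, CRLF line endings, stray blank lines around the BEGIN/END markers, a corrupted base64 body) can be checked mechanically before handing a key to ssh-add. This is an added example, not code from any of the posts; the sample key is constructed filler, not real key material.

```python
import base64
import binascii
import re

BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(rb"^-----END ([A-Z0-9 ]+)-----$")

# Constructed stand-in for an encrypted PEM key: the body is filler, not key material.
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              + base64.b64encode(bytes(range(48))) + b"\n"
              b"-----END RSA PRIVATE KEY-----\n")


def check_pem_key(data: bytes) -> list:
    """Return findings that explain why ssh-add or OpenSSL may say 'invalid format'."""
    findings = []
    if b"\r\n" in data:
        findings.append("CRLF line endings")
    if not data.endswith(b"\n"):
        findings.append("missing trailing newline")
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # the final newline yields an empty trailing element
    if not lines:
        return ["file is empty"]
    if lines[0] == b"":
        findings.append("blank line before BEGIN marker")
    if lines[-1] == b"":
        findings.append("blank line after END marker")
    begin = next((i for i, l in enumerate(lines) if BEGIN_RE.match(l)), None)
    end = next((i for i, l in enumerate(lines) if END_RE.match(l)), None)
    if begin is None or end is None or end < begin:
        return findings + ["BEGIN/END markers missing or out of order"]
    body = lines[begin + 1:end]
    # Drop the optional encryption headers (Proc-Type, DEK-Info) and their blank separator.
    while body and b":" in body[0]:
        body.pop(0)
    if body and body[0] == b"":
        body.pop(0)
    if b"" in body:
        findings.append("blank line inside the base64 body")
    try:
        base64.b64decode(b"".join(body), validate=True)
    except binascii.Error:
        findings.append("base64 body does not decode")
    return findings
```

Run it on the key file's raw bytes; an empty list means none of the faults discussed here is present, which points toward the OpenSSL/ssh-add build issues in grawity's answer instead.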
1

Because I keep coming back to this question and often forget what to do on a Mac: you can also run ssh-add --apple-use-keychain {path_to_ssh_key} to get the "Load key ... invalid format" git error fixed.

Naz
  • 143
0

Oh boy, just went through doing this for a team member... and the problem proved to be puttygen not doing things the nice way. I was finally able to fix it by using Windows Powershell and the command:

ssh-keygen -t rsa

It was an instant fix!

AlexD
  • 283