145

I used PuTTY Key Generator to generate a 4096 bit RSA-2 key with a passphrase.

I save the .ppk and an openSSL format public key. The putty format public key doesn't work.

In any case, my error is as follows:

$ ssh -T git@github.com
key_load_public: invalid format
Enter passphrase for key '/c/Users/Dan/.ssh/id_rsa':
Hi Dan! You've successfully authenticated, but GitHub does not provide shell access.

What's the issue?

I use Pageant to load the keys and I use Git Bash to try the ssh connection. I've also loaded the key into GitHub, not sure what I'm doing wrong.

I've tried adding a new line and not adding a new line in GitHub

JordanGS
  • 3,966
  • 5
  • 16
  • 21
  • Why do you think it doesn't work? It says *successfully authenticated*. – Roland Smith Mar 17 '17 at 17:41
  • 2
    @RolandSmith It's telling me `key_load_public: invalid format` right as I execute the command before I enter the passphrase? – JordanGS Mar 17 '17 at 17:42
  • 2
    Do: 'ssh -vvv -T git@github.com' to get more info, probably ~/.ssh/known_hosts is bad - ssh is looking for github's public key. You can run 'file key' to find out key file's format. – mosh Nov 17 '17 at 14:40

15 Answers

231

As Roland mentioned in their answer, it's a warning that the ssh-agent doesn't understand the format of the public key and even then, the public key will not be used locally.

However, I can also elaborate and answer why the warning is there. It simply boils down to the fact that the PuTTY Key Generator generates two different public key formats depending on what you do in the program.

Note: Throughout my explanation, the key files I will be using/generating will be named id_rsa with their appropriate extensions. Furthermore, for copy-paste convenience, the parent folder of the keys will be assumed to be ~/.ssh/. Adjust these details to suit your needs as desired.

The Formats

Link to the relevant PuTTY documentation

SSH-2

When you save a key using the PuTTY Key Generator using the "Save public key" button, it will be saved in the format defined by RFC 4716.

Example:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "github-example-key"
AAAAB3NzaC1yc2EAAAABJQAAAQEAhl/CNy9wI1GVdiHAJQV0CkHnMEqW7+Si9WYF
i2fSBrsGcmqeb5EwgnhmTcPgtM5ptGBjUZR84nxjZ8SPmnLDiDyHDPIsmwLBHxcp
pY0fhRSGtWL5fT8DGm9EfXaO1QN8c31VU/IkD8niWA6NmHNE1qEqpph3DznVzIm3
oMrongEjGw7sDP48ZTZp2saYVAKEEuGC1YYcQ1g20yESzo7aP70ZeHmQqI9nTyEA
ip3mL20+qHNsHfW8hJAchaUN8CwNQABJaOozYijiIUgdbtSTMRDYPi7fjhgB3bA9
tBjh7cOyuU/c4M4D6o2mAVYdLAWMBkSoLG8Oel6TCcfpO/nElw==
---- END SSH2 PUBLIC KEY ----

OpenSSH

Contrary to popular belief, this format doesn't get saved by the generator. However it is generated and shown in the text box titled "Public key for pasting into OpenSSH authorized_keys file". To save it as a file, you have to manually copy it from the text box and paste it into a new text file.

For the key shown above, this would be:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhl/CNy9wI1GVdiHAJQV0CkHnMEqW7+Si9WYFi2fSBrsGcmqeb5EwgnhmTcPgtM5ptGBjUZR84nxjZ8SPmnLDiDyHDPIsmwLBHxcppY0fhRSGtWL5fT8DGm9EfXaO1QN8c31VU/IkD8niWA6NmHNE1qEqpph3DznVzIm3oMrongEjGw7sDP48ZTZp2saYVAKEEuGC1YYcQ1g20yESzo7aP70ZeHmQqI9nTyEAip3mL20+qHNsHfW8hJAchaUN8CwNQABJaOozYijiIUgdbtSTMRDYPi7fjhgB3bA9tBjh7cOyuU/c4M4D6o2mAVYdLAWMBkSoLG8Oel6TCcfpO/nElw== github-example-key

The format of the key is simply ssh-rsa <signature> <comment> and can be created by rearranging the SSH-2 formatted file.

Regenerating Public Keys

If you are making use of ssh-agent, you will likely also have access to ssh-keygen.

If you have your OpenSSH Private Key (id_rsa file), you can generate the OpenSSH Public Key File using:

ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

If you only have the PUTTY Private Key (id_rsa.ppk file), you will need to convert it first.

  1. Open the PuTTY Key Generator
  2. On the menu bar, click "File" > "Load private key"
  3. Select your id_rsa.ppk file
  4. On the menu bar, click "Conversions" > "Export OpenSSH key"
  5. Save the file as id_rsa (without an extension)

Now that you have an OpenSSH Private Key, you can use the ssh-keygen tool as above to perform manipulations on the key.

Bonus: The PKCS#1 PEM-encoded Public Key Format

To be honest, I don't know what this key is used for as I haven't needed it. But I have it in my notes I've collated over the years and I'll include it here for wholesome goodness. The file will look like this:

-----BEGIN RSA PUBLIC KEY-----
MIIBCAKCAQEAhl/CNy9wI1GVdiHAJQV0CkHnMEqW7+Si9WYFi2fSBrsGcmqeb5Ew
gnhmTcPgtM5ptGBjUZR84nxjZ8SPmnLDiDyHDPIsmwLBHxcppY0fhRSGtWL5fT8D
Gm9EfXaO1QN8c31VU/IkD8niWA6NmHNE1qEqpph3DznVzIm3oMrongEjGw7sDP48
ZTZp2saYVAKEEuGC1YYcQ1g20yESzo7aP70ZeHmQqI9nTyEAip3mL20+qHNsHfW8
hJAchaUN8CwNQABJaOozYijiIUgdbtSTMRDYPi7fjhgB3bA9tBjh7cOyuU/c4M4D
6o2mAVYdLAWMBkSoLG8Oel6TCcfpO/nElwIBJQ==
-----END RSA PUBLIC KEY-----

This file can be generated using an OpenSSH Private Key (as generated in "Regenerating Public Keys" above) using:

ssh-keygen -f ~/.ssh/id_rsa -y -e -m pem > ~/.ssh/id_rsa.pem

Alternatively, you can use an OpenSSH Public Key using:

ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pem > ~/.ssh/id_rsa.pem

Community
  • 1
  • 1
samthecodingman
  • 23,122
  • 4
  • 30
  • 54
  • When you convert your private key to an OpenSSH key, It is in my opinion recommend to leave the file extensionless and not preferable. My git-client won't connect to the remote repository when an extension is used for the private key. – Programmer1994 Sep 30 '18 at 22:41
  • @Programmer1994 The conversion instructions were included as steps to convert the `.ppk` to a `.pub` file. The side effect of the intermediary `id_rsa` private key actually being used by another program was overlooked. I have changed the language "preferably extensionless" to "(without an extension)" to clear any ambiguity. I also took the chance to reword some grievances that come up whenever I look back at this answer. Thank you for your contribution. – samthecodingman Oct 01 '18 at 05:53
  • Thanks for the answer. I used the command in the section of your answer "Regenerating Public Keys" and it solved my problem. – desmond13 Mar 28 '19 at 09:44
  • you talked about public keys. but the issue is generated from a private key id_rsa. I get the same warning when I use my private ssh key when attempting to access a git server via ssh. – ahnbizcad Apr 01 '19 at 18:03
  • 5
    `ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub` this solved it. THX! – Dwza Jul 18 '19 at 21:38
  • 1
    very help, you save my hours ... :-D I follow to Regenerating Public Keys, and yields me worked. – yasriady Feb 27 '21 at 01:29
  • in my case I had an error in the public key file (although one might think it's not needed here) - the file contained a single key split into 3 lines for some reason (probably I incorrectly copied it from an editor) – Wojtek Trelak Nov 13 '21 at 09:28
37

There is a simple solution if you can install and use puttygen tool. Below are the steps. You should have the passphrase of the private key.

step 1: Download latest puttygen and open puttygen

step 2: Load your existing private key file, see below image

Load an existing private key

step 3: Enter passphrase for key if asked and hit ok

enter passphrase

step 4: as shown in the below image select "conversion" menu tab and select "Export OpenSSH key"

save OpenSSH file

Save new private key file at preferred location and use accordingly.

PradeepNama
  • 511
  • 6
  • 6
  • 5
    I got the `load pubkey invalid format` warning, when I exported the key with **Export OpenSSH key**. It went away when using **Export OpenSSH key (force new file format)**. – elsamuko Jul 27 '20 at 06:51
  • In linux, `apt install putty-tools` or `yum install putty` then `sudo puttygen private.ppk -O private-openssh-new -o private.pem` – Typel Nov 11 '20 at 21:01
14

TL;DR: also ensure that your id_rsa.pub is in ascii / UTF-8.

I had the same problem, however the accepted answer alone did not work because of the text encoding, which was an additional, easy-to-miss issue.

When I run

ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

in Windows PowerShell, it saves the output to id_rsa.pub in UTF-16 LE BOM encoding, not in UTF-8. This is a property of some installations of PowerShell, which was discussed in Using PowerShell to write a file in UTF-8 without the BOM. Apparently, OpenSSH does not recognise the former text encoding and produces an identical error:

key_load_public: invalid format

Copying and pasting the output of ssh-keygen -f ~/.ssh/id_rsa -y into a text editor is the simplest way to solve this.

P.S. This could be an addition to the accepted answer, but I don't have enough karma to comment here yet.

paperskilltrees
  • 299
  • 3
  • 12
  • 2
    As you discovered, piping works differently in Powershell. You would use `ssh-keygen -f ~/.ssh/id_rsa -y | ac ~/.ssh/id_rsa.pub` instead. – samthecodingman Sep 15 '20 at 12:54
8

If you copy your public key via the clipboard and paste it, the public key string may get broken so that it contains a newline.

Make sure your public key string is formed as one line.

Hojin Choi
  • 96
  • 1
  • 2
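
A check for the two file-level problems described in the answers above (a UTF-16 encoded id_rsa.pub from a PowerShell redirect, and a key broken across lines by copy and paste), plus the PuTTYgen and PEM formats from the first answer. This is an added example, not code from the original posts or from OpenSSH; the function names, result labels and sample inputs are assumptions constructed for illustration.

```python
import base64
import codecs
import struct

def diagnose_pubkey(raw: bytes) -> str:
    """Classify the bytes of a .pub file; 'ok' means one well-formed OpenSSH line."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)) or b"\0" in raw:
        return "utf-16"                 # what a PowerShell '>' redirect can produce
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-bom"
    try:
        lines = [ln for ln in raw.decode("ascii").splitlines() if ln.strip()]
    except UnicodeDecodeError:
        return "non-ascii"
    if not lines:
        return "empty"
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return "rfc4716"                # PuTTYgen "Save public key" output
    if lines[0].startswith("-----BEGIN"):
        return "pem"                    # PEM block, not an OpenSSH .pub line
    if len(lines) > 1:
        return "wrapped"                # single key split over several lines
    fields = lines[0].split()
    if len(fields) < 2:
        return "malformed"
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        return "bad-base64"
    (n,) = struct.unpack(">I", blob[:4].ljust(4, b"\0"))
    # The key type named on the line must match the one stored in the blob.
    return "ok" if blob[4:4 + n] == fields[0].encode() else "type-mismatch"

def _field(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def constructed_samples() -> dict:
    """Constructed inputs: a toy ssh-rsa line (not a usable key) and damaged copies."""
    blob = _field(b"ssh-rsa") + _field(b"\x25") + _field(b"\x00" + bytes(range(128, 160)))
    line = "ssh-rsa " + base64.b64encode(blob).decode() + " github-example-key\n"
    return {
        "good": line.encode("ascii"),
        "powershell": line.encode("utf-16"),          # BOM + 16-bit code units
        "pasted": line.replace("AAAAB3Nza", "AAAAB3Nza\n").encode("ascii"),
        "puttygen": b"---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"k\"\n",
    }
```

To check a real file, pass `open(path, "rb").read()`; reading in binary mode matters because the encoding is the thing being tested.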
8

Generate id_rsa and id_rsa.pub files using the below command :

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Then :

1) Place file id_rsa.pub into ~/.ssh/id_rsa.pub

2) sudo chmod 600 ~/.ssh/id_rsa.pub

3) Place file id_rsa into ~/.ssh/id_rsa

Now ~/.ssh contains two files: ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa

4) ssh-add  ~/.ssh/id_rsa

5) Enter the passphrase entered during creation of id_rsa

Output :

Identity added: /home/jay/.ssh/id_rsa (/home/jay/.ssh/id_rsa)

Now you can push and pull without entering a username and password

Jay Teli
  • 530
  • 1
  • 11
  • 19
7

It seems that ssh cannot read your public key. But that doesn't matter.

You upload your public key to github, but you authenticate using your private key. See e.g. the FILES section in ssh(1).

Roland Smith
  • 42,427
  • 3
  • 64
  • 94
  • 2
    In short, go to putty key gen, click conversions -> open ssh key and save that to id_rsa - make sure your HOME env variable is pointing to the .ssh folder you are looking at, delete all other copies of id_rsa file from your system – Kalpesh Soni Aug 03 '18 at 22:17
  • This answer is the solution for me. See the same answer at [ssh key_load_public: invalid format warning](https://unix.stackexchange.com/a/590649/442338). You should rename or remove the public key on the client, as it is not needed anyway on the client, and it seems to be checked as a private key because it is named the same (just with extension ".pub"). – questionto42 Mar 13 '21 at 14:16
3

The error is misleading - it says "pubkey" while pointing to a private key file ~/.ssh/id_rsa.

In my case, it was simply a missing public key (as I haven't restored it from a vault).


DETAILS

I used to skip deploying ~/.ssh/id_rsa.pub by automated scripts.

All ssh usages worked, but the error made me think of a possible mess.

Not at all - strace helped to notice that the trigger was actually the *.pub file:

strace ssh example.com
...
openat(AT_FDCWD, "/home/uvsmtid/.ssh/id_rsa.pub", O_RDONLY) = -1 ENOENT (No such file or directory)
...
write(2, "load pubkey \"/home/uvsmtid/.ssh/"..., 57) = 57
load pubkey "/home/uvsmtid/.ssh/id_rsa": invalid format
uvsmtid
  • 4,187
  • 4
  • 38
  • 64
3

Adding SSH-KEY in Git-hub: Windows

Type this in cmd: ssh-keygen -t ed25519 -C "your-email-id"

Go to C:\Users\your-name\.ssh

There you will get a file: id_ed25519.pub

Open that file, copy that, go to github->setting->keys->ssh-key->new SSH Key

There paste your copied key

Done!!

Vikash Kumar
  • 1,096
  • 11
  • 10
2

Instead of directly saving the private key, go to Conversions and Export SSH key. Had the same issue and this worked for me.

Jignesh Rawal
  • 521
  • 6
  • 17
2

If you're using Windows 10 with the built-in SSH, as of August 2020 it only supports ed25519 keys. You'll get the key_load_public: invalid format error if you use e.g. an RSA key.

As per this GitHub issue it should be fixed via Windows Update some time in 2020. So one solution is to just wait for the update to ship.

If you can't wait, a workaround is to generate a new ed25519 key, which is good advice anyway.

> ssh-keygen -o -a 100 -t ed25519

You can use it with e.g. github, but some older systems might not support this newer format.

After generating your key, if you're using either of the below features, don't forget to update them!

  1. ~\.ssh\config might still point to the old key.
  2. Add the new key to ssh-agent via the ssh-add command
Will
  • 2,086
  • 23
  • 30
1

I had the same warning. It was a very old key. I regenerated a key on the current OpenSSH 7, and the error was gone.

arberg
  • 4,148
  • 4
  • 31
  • 39
0

So, after update I had the same issue. I was using PEM key_file without extension and simply adding .pem fixed my issue. Now the file is key_file.pem.

furang
  • 93
  • 1
  • 12
0

@uvsmtid Your post finally led me in the right direction: simply deleting (actually renaming) the public key file id_rsa.pub solved the problem for me, that git was working though nagging about invalid format. Not quite sure, yet the file is not actually needed, since the pub key can be extracted from private key file id_rsa anyway.

0

I had a similar error Load key "/root/.ssh/id_rsa": invalid format when I tried

RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa &&     chmod 600 /root/.ssh/id_rsa

This led to errors like identity file /root/.ssh/id_rsa type -1 invalid format and read_passphrase: can't open /dev/tty.

The right way would be to use

COPY id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa

The solution explained: my private key was wrongly formatted - instead of many lines, it was passed as a one-liner, and you might have any other format issue like a forgotten "-" at the start or end, or something wrong at the end of the lines, like a missing newline format or an additional letter at the end of a line.

See Dockerfile: clone repo with passwordless private key. Errors: “authentication agent” or “read_passphrase: can't open /dev/tty” for more details, with the main idea from Add private key to ssh-agent in docker file, which again had the idea from Gitlab CI/Docker: ssh-add keeps asking for passphrase.

questionto42
  • 7,175
  • 4
  • 57
  • 90
0

I had the error to use as IdentityFile IdentityFile ~/.ssh/KEYNAME.pub instead of IdentityFile ~/.ssh/KEYNAME in

ssh does not check those things in a user-friendly way, even though the config is wrong and not the file. I checked that with ssh-keygen -l -f .ssh/KEYNAME.pub.

ssh -V was OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020.

Jay-Pi
  • 343
  • 3
  • 13