36

I'm trying to send a file to some server using SFTP. During this process I'm getting the exception

Renci.SshNet.Common.SshException: Invalid private key file. at Renci.SshNet.PrivateKeyFile.Open(Stream privateKey, String passPhrase)

Generated the keys using PuTTYgen; shown below is a sample format of the private key file. It has both the public and the private keys.

PuTTY-User-Key-File-2: ssh-rsa  
Encryption:none  
comment: rsa-key-20190327  
Public-Lines: 4  
AAAAB.....  
......  
Private-Lines: 8  
AAAAgQ......  
.......  
Private-MAC: 54901783....  

I copied the private key part from the above file in the config file and I'm accessing it as SftpKey in my code.

Got an OpenSSH format of the above key which looks like

------BEGIN RSA PRIVATE KEY-----  
MIIE....  
.......  
------END RSA PRIVATE KEY-------  

I copied only the key part from the above file and copied in my config file and ran my code. Issue was not resolved.

Below is the code I'm using for SFTP upload:

var fileLength = data.Length;

var keyStr = ConfigurationManager.ConnectionStrings["SftpKey"].ConnectionString;
using (var keystrm = new MemoryStream(Convert.FromBase64String(keyStr)))
{
    var privateKey = new PrivateKeyFile(keystrm);
    using (var ftp = new SftpClient(_ftpServer, _ftpUser, new[] { privateKey }))
    {
        ftp.ErrorOccurred += ErrorOccurred;
        ftp.Connect();
        ftp.ChangeDirectory(_ftpPath);
        using (var dataStream = new MemoryStream(Encoding.UTF8.GetBytes(data)))
        {
            ftp.UploadFile(dataStream, Path.GetFileName(message.MessageId), true,
                (length) => result = fileLength == (int)length);
        }
        ftp.Disconnect();
    }
}

Is there anything wrong with the code or what could be the issue? Any help is much appreciated.

Martin Prikryl
Konduri Vikram

3 Answers

52

As this is the top answer for that error message, I think it's worthwhile expanding on a point in your original question - converting to an OpenSSH format key.

Renci.SshNet can't use PuTTY keys that start with:

PuTTY-User-Key-File-2: ssh-rsa

You can use puttygen.exe to convert to the OpenSSH format

  1. load your key file in puttygen.exe
  2. Conversions > Export OpenSSH key (not the "force new file format" option)

This will make a key that starts with:

-----BEGIN RSA PRIVATE KEY-----

and that will work.

Matt Kemp
  • This might be a useful comment to the question, but it's definitely not the answer to this question. This is covered for example in [Authentication with PPK key in SSH.NET](https://stackoverflow.com/q/43176931/850848). – Martin Prikryl Aug 28 '19 at 05:30
16

I copied only the key part from the above file

You need to have the complete key file in the MemoryStream. And exactly as in the file (as if you were using FileStream with your text key file). So no Convert.FromBase64String.

var keyStr = @"-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
";

using (var keystrm = new MemoryStream(Encoding.ASCII.GetBytes(keyStr)))
{
    var privateKey = new PrivateKeyFile(keystrm);
}

Actually with the earlier code I was showing there is an existing implementation where the file is successfully sent.

Then your connection string does not contain what you claim. Check the implementation of PrivateKeyFile.Open. It explicitly checks that the stream starts with ---- BEGIN ... PRIVATE KEY. If not, it throws "Invalid private key file."

It's actually probably even impossible (or difficult) to store multi-line contents into the connection string. If your code ever worked, it must be because your SftpKey connection strings contain a complete key file (including the BEGIN ... PRIVATE KEY envelope) but encoded (again) in Base64 encoding (as a single line). Like this:

Convert.ToBase64String(File.ReadAllBytes(@"C:\path\to\key"))

Which will give you a string like:

Martin Prikryl
1

The same error can also occur if the private key is incorrectly formatted such as being squashed onto a single line whereby it will not match the regular expression at https://github.com/sshnet/SSH.NET/blob/develop/src/Renci.SshNet/PrivateKeyFile.cs#L156

The private key format must be over multiple lines wrapping at 80 cols. https://github.com/sshnet/SSH.NET/blob/develop/src/Renci.SshNet/PrivateKeyFile.cs#L68 - the expression contains "{1,80}".

In my case the private key is not protected with a passphrase, so I was able to use the following code to correctly reformat it, reintroducing the newlines, before constructing the memory stream.

// PEM Format Private Key substituting newlines with a space
var privateKeyString = @"-----BEGIN RSA PRIVATE KEY----- line1 line2 line3 -----END RSA PRIVATE KEY-----";

// Group 1: "-----BEGIN RSA PRIVATE KEY-----"
// Group 2: " line1 line2 line3 "
// Group 3: "-----END RSA PRIVATE KEY-----"
var regex = new Regex(@"^\s*(-+[^-]+-+)([^-]+)(-+[^-]+-+)");
var matches = regex.Match(privateKeyString);
var formatted = string.Concat(
    matches.Groups[1].Value,
    matches.Groups[2].Value.Replace(" ", "\r\n"),
    matches.Groups[3].Value);

// ASCII encoding is fine because we're dealing with the base64 alphabet.
var ms = new MemoryStream(Encoding.ASCII.GetBytes(formatted));
var privateKeyFile = new PrivateKeyFile(ms);
Ryan Williams
  • But how did you get a key formatted that way in the first place? – Martin Prikryl Oct 25 '22 at 05:24
  • @MartinPrikryl, Thanks for feedback; I've edited solution to explain that it was a PEM Format Private Key substituting newlines with a space. – Ryan Williams Oct 25 '22 at 07:21
  • That does not really answer my question. How did you get that format? – Martin Prikryl Oct 25 '22 at 08:59
  • If you're talking about the format of privateKeyString.... `SOME_KEY=$(ssh-keygen -t rsa -b 2048 -f temp.key -N "" -q; cat temp.key; rm -f temp.key)` `SOME_KEY_ON_ONE_LINE=$(echo "${SOME_KEY}" | tr "\n" " ")` – Ryan Williams Oct 26 '22 at 09:37
  • @MartinPrikryl, I grabbed the Regex `^-+ *BEGIN (?<keyName>\w+( \w+)*) PRIVATE KEY *-+\r?\n((Proc-Type: 4,ENCRYPTED\r?\nDEK-Info: (?<cipherName>[A-Z0-9-]+),(?<salt>[A-F0-9]+)\r?\n\r?\n)|(Comment: ""?[^\r\n]*""?\r?\n))?(?<data>([a-zA-Z0-9/+=]{1,80}\r?\n)+)-+ *END \k<keyName> PRIVATE KEY *-+` from https://github.com/sshnet/SSH.NET/blob/develop/src/Renci.SshNet/PrivateKeyFile.cs#L68 and used https://regexr.com/ to work out why my private key was failing to match the expression. – Ryan Williams Oct 26 '22 at 09:51
  • Ok, so do I understand right that you deliberately broke the format of the key? – Martin Prikryl Oct 31 '22 at 08:30
  • @MartinPrikryl In my case I pasted the key into an application which did not support multiple lines so that application altered the format of the key to replace the newlines with spaces. Upon discovering the accepted answer in this post; I dug a little deeper and found the regex in the implementation at github.com/sshnet/SSH.NET requires the key to contain new lines. So did I break the format? Yes but not deliberately. – Ryan Williams Nov 01 '22 at 10:21
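
The cases the answers above describe (a PuTTY .ppk, a key body stored without its BEGIN/END lines, a whole key file Base64-encoded onto one line, and a PEM whose newlines became spaces) can be told apart before the value reaches PrivateKeyFile. The following is an added example, not code from the posts or from SSH.NET; NormalizePem is a hypothetical helper, it assumes an unencrypted key, and the sample key is a constructed placeholder.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

public static class KeyMaterial
{
    // Envelope lines plus a Base64 body split by any whitespace (newlines or spaces).
    static readonly Regex Pem = new Regex(
        @"^(-+ *BEGIN [A-Z ]*PRIVATE KEY *-+)\s+([A-Za-z0-9/+=\s]+?)\s*(-+ *END [A-Z ]*PRIVATE KEY *-+)$");

    // Hypothetical helper (not part of SSH.NET): returns PEM text to pass to
    // new PrivateKeyFile(new MemoryStream(Encoding.ASCII.GetBytes(pem))).
    // Exception messages describe the problem without echoing key content.
    public static string NormalizePem(string configValue)
    {
        var text = configValue.Trim();
        if (text.StartsWith("PuTTY-User-Key-File-", StringComparison.Ordinal))
            throw new FormatException("PuTTY .ppk key: export it as an OpenSSH key in PuTTYgen.");

        // No leading dash: assume the stored value is Base64 of the whole key file.
        // If only the key body was stored, this decodes to binary DER and fails below.
        if (!text.StartsWith("-", StringComparison.Ordinal))
        {
            try { text = Encoding.ASCII.GetString(Convert.FromBase64String(text)).Trim(); }
            catch (FormatException) { throw new FormatException("Value is neither PEM text nor Base64."); }
        }

        var m = Pem.Match(text);
        if (!m.Success)
            throw new FormatException("Not an unencrypted PEM key with BEGIN/END PRIVATE KEY lines.");

        // Re-wrap the body at 64 columns, inside the {1,80} per-line limit quoted above.
        var body = Regex.Replace(m.Groups[2].Value, @"\s+", "");
        var pem = new StringBuilder(m.Groups[1].Value).Append("\r\n");
        for (var i = 0; i < body.Length; i += 64)
            pem.Append(body, i, Math.Min(64, body.Length - i)).Append("\r\n");
        return pem.Append(m.Groups[3].Value).Append("\r\n").ToString();
    }

    public static void Main()
    {
        // Constructed sample with a placeholder body; this is not a real key.
        var squashed = "-----BEGIN RSA PRIVATE KEY----- " + new string('A', 100)
                     + " QUJD -----END RSA PRIVATE KEY-----";
        var wrapped = Convert.ToBase64String(Encoding.ASCII.GetBytes(squashed));
        Console.WriteLine(NormalizePem(squashed) == NormalizePem(wrapped));
        Console.Write(NormalizePem(wrapped));
    }
}
```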