3

I'm trying to use `git push` with an SSH remote from a GitHub CI action and get an error: `Load key "/tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa": invalid format`

The key is in a repository secret. I get its info with `ssh-keygen -l -v -f key_id_rsa` and its output equals the output on my local machine. From my machine I can push with this key.

```
GIT_SSH_COMMAND='ssh -v -o StrictHostKeyChecking=accept-new -i /tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa'
```

There was the `/tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa.pub` file

Full ssh -v inside of git push output:

```
+ git push dest-push-remote gh-pages
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to github.com [140.82.112.4] port 22.
debug1: Connection established.
debug1: SELinux support disabled
debug1: identity file /tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa type 0
debug1: identity file /tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: Remote protocol version 2.0, remote software version babeld-10d0a39d
debug1: no match: babeld-10d0a39d
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:1
Warning: Permanently added the RSA host key for IP address '140.82.112.4' to the list of known hosts.
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa RSA SHA256:1xl0uMTaSpIRCnMFIGCf9zC4/CTHXPCroAk1cJIK6qY explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa RSA SHA256:1xl0uMTaSpIRCnMFIGCf9zC4/CTHXPCroAk1cJIK6qY explicit
debug1: Server accepts key: /tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa RSA SHA256:1xl0uMTaSpIRCnMFIGCf9zC4/CTHXPCroAk1cJIK6qY explicit
Load key "/tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa": invalid format
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
```

UPD. After discussion in the comments I tried to generate a new key pair on a Linux machine and it works. The problem is in the different formats of keys generated on the Linux machine and on a macOS machine:

The macOS-generated key begins with `BEGIN OPENSSH PRIVATE KEY`. The Linux-generated key begins with `BEGIN RSA PRIVATE KEY`. I'm investigating what the difference is, but it would be helpful if any specialist could suggest some information.

andre487
  • I believe you're missing the important line here `git@github.com: Permission denied (publickey).`. Make sure the public key of that is in the repository's [deploy keys](https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys) with write access so it can write to the repository. – Prav May 02 '21 at 22:44
  • 1
    @PraveenPremaratne You've missed the important line here: `Load key "/tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa": invalid format` – phd May 02 '21 at 23:09
  • 1
    What is the header line for the private key (e.g., `-----BEGIN RSA PRIVATE KEY-----`)? Is it listed as being encrypted? – bk2204 May 02 '21 at 23:32
  • I checked this very key from the local machine and it works, so the public key in the deploy keys of the repository should match it. And I printed the first and last N symbols and it starts with `-----BEGIN OPENSSH PRIVATE KEY-----` and ends with `-----END OPENSSH PRIVATE KEY-----` so it doesn't look like corrupted content – andre487 May 03 '21 at 04:17
  • In my previous comment I meant `BEGIN OPENSSH PRIVATE KEY`. After that I thought about this header. Why `OPENSSH` but not `RSA`? Then I generated a new key pair on a Linux machine and tried this. And it works. Now I'm investigating why `ssh-keygen` on the macOS machine generates another key format – andre487 May 03 '21 at 04:37

1 Answer

5

If the private key format differs, that means, as I mentioned here, that:

  • one platform is using OpenSSH prior to 7.8, with an old PEM 64-chars per line format.
  • one is using a more recent OpenSSH format, 70-chars per line.

You can force a recent OpenSSH to generate the old format with:

```
ssh-keygen -m PEM -t rsa -P "" -f afile
```
VonC
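
A preflight check for the situation in this thread, added here as an example and not code from the question or the answer: it reports which private-key container a CI job wrote to disk (by armor header and body line width) and can re-encode an unencrypted RSA key to the old PEM format with `ssh-keygen -p -m PEM`. The function names and the `make_sample` helper are hypothetical, and the sample files it writes are constructed and contain no key material.

```shell
#!/bin/sh
# Added example: identify the container format of a private key file written
# by a CI job. Only the armor header and one line length are read; no key
# material is printed.

key_format() {
    header=$(head -n 1 "$1" | tr -d '\r')   # tolerate CRLF line endings
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo pem-rsa ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo pem-ec ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

key_line_width() {
    # Length of the first base64 body line, skipping the header and any
    # "Proc-Type:"/"DEK-Info:" lines of an encrypted PEM key.
    awk 'NR > 1 && !/:/ && !/^-----/ && NF {
             sub(/\r$/, ""); print length($0); exit }' "$1"
}

convert_to_pem() {
    # Copy SRC to DST with owner-only permissions, then re-encode DST in place.
    # Assumes an unencrypted RSA key (empty old and new passphrase).
    ( umask 077 && cp "$1" "$2" ) && ssh-keygen -p -m PEM -P "" -N "" -f "$2"
}

make_sample() {
    # Constructed sample, not a real key: header, one body line of $3 chars.
    {
        printf '%s\n' "-----BEGIN $2 PRIVATE KEY-----"
        awk -v n="$3" 'BEGIN { while (n-- > 0) printf "A"; print "" }'
        printf '%s\n' "-----END $2 PRIVATE KEY-----"
    } > "$1"
}

preflight() {
    fmt=$(key_format "$1")
    echo "$1: format=$fmt first-body-line-width=$(key_line_width "$1")"
    [ "$fmt" != unknown ]
}

# Usage: sh keycheck.sh /path/to/key
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```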