Error loading key invalid format windows

The recent beta version of OpenSSH on Windows 10 does not accept my openssh formatted private key:

The same key works on ssh shipped with git shell from github.

Is there a format option for openssh on Windows that I’m missing or is this a bug?

asked Dec 17, 2017 at 21:04

answered Aug 21, 2021 at 1:11

try this

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_rsa -C "your email"

and catch the folder with this command

cat ~/.ssh/id_rsa.pub

hope this help.

answered May 18, 2019 at 14:09

For me, a new line at the end of the file solved the problem.

So a while ago I set up a server on AWS, and used their generated SSH key. I saved the key to Lastpass, and have successfully retrieved it from there before, and got it working. However, after trying that again today, I can’t get it to work.

-rw------- 1 itsgreg users 1674 Jun 6 12:51 key_name

I’ve tried ssh -i key_name, ssh-keygen -f key_name, but nothing works, I always get this error message:

Load key "key_name": invalid format

Is there any way to fix this?

asked Jun 6, 2017 at 12:06

Check the contents of key_name, if the agent says invalid format, then there’s something wrong with the key — like .. are you sure that’s the correct key? Even if it’s not the private key you need, the ssh agent won’t return invalid format if the key is working, you simply won’t be able to connect. You might have placed your public key in there, for some reason. Check it!

Use your private key instead of the public key.

I’ve faced with the compatibility issue in Win32-OpenSSH 8.1.

None of the answers here worked for me so I found my own way: convert key to the new format using PuTTYgen utility.

1. Run fresh version of puttygen
2. Open the key (Conversions > Import key). Enter passphrase.
3. Save key in new OpenSSH format (Conversions > Export OpenSSH key (force new file format))

answered Nov 18, 2020 at 18:17

I started seeing this problem when I upgraded to Ubuntu 20.10. It uses OpenSSH_8.3p1.

I fixed it using:

ssh-keygen -y -f mykey.pem > mykey.pem.pub

Confusingly, the error says «pubkey» while pointing to a private key file.

A missing public key file (or other problems with it) causes this error — see this answer for details.

answered Oct 3, 2020 at 9:47

You are logging with the wrong user

In my case, I was trying to connect to an Amazon AWS EC2 instance, but getting the error

load pubkey "MyPrivateKey.pem": invalid format

This was because I was trying to log with the wrong user (ec2-user)

I was using an Ubuntu machine, with user ubuntu instead of ec2-user (as is stated on the official Amazon Linux server OS).

But why that error?

It turns out Amazon uses an old format (puttygen says upon loading «openssh ssh-2 private key (old pem format)») that openssh doesn’t like very much, so it is really a warning and not an error.

The real error (there is no such user on that server) is hidden by the server (otherwise you could brute force login names), but instead a «Connection closed» is shown.

You can find the name you use to connect to your machine on AWS under Actions>Connect.

How to fix the warning?

Just follow the answer of «Ras», which is, use PuTTYgen to convert to the OpenSSH format.

I got this error when I use my public key with ssh-add. I should have used the private key. The public key can cause this error.

ssh-add rsakey.pub
Error loading key "rsakey.pub": invalid format

However, this is fine:

ssh-add rsakey

answered Jan 13, 2021 at 18:35

In my case the problem was that the private key was in the following format:

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

whereas the SSH server expected the following format:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

answered Feb 1, 2021 at 14:48

I was having this problem with Mac OSX 11.4 and ssh version OpenSSH_8.1p1, LibreSSL 2.7.3. I tried all of the other solutions and nothing worked (i.e., I regenerated keys, tried newlines etc.).

Then I read this on the GitHub docs and by adding the following to my ~/.ssh/config I no longer got the error

Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa

answered Aug 1, 2021 at 0:07

answered Feb 12, 2019 at 8:51

answered Feb 15, 2019 at 3:01

This is also the error ssh (at least some versions) emits if you have a passphrase on your private key, and enter the passphrase wrong when you attempt to connect.

(In particular, this happened to me with:
OpenSSH_7.6p1, LibreSSL 2.6.2,
which is the built-in SSH for Mac OS X 10.13.6 .)

So double-check that you’re using the right passphrase, and that CAPS LOCK is off.

answered Feb 15, 2019 at 3:31

answered Mar 24, 2020 at 13:02

For anyone who has tried sudo puttygen ~/.ssh/your-key.pem -O private-openssh -o ~/.ssh/your-key-new.pem and got an error message saying puttygen: this command would perform no useful action there is an even newer format so you need to amend the command as follows:

sudo puttygen ~/.ssh/your-key.pem -O private-openssh-new -o ~/.ssh/your-key-new.pem

I was using a key generated by AWS on Manjaro which is a bit more bleeding edge than most other distros, still worked but the warning message was annoying.

For more info you can use man puttygen but the relevent section is below:

  -O output-type
    Specify the type of output you want puttygen to produce. Acceptable options are:

    private
      Save the private key in a format usable by PuTTY. This will either be the standard SSH-1 key format, or PuTTY's own SSH-2 key format.

    public Save  the  public key only. For SSH-1 keys, the standard public key format will be used (`1024 37 5698745...'). For SSH-2 keys, the public key will be output in the format specified by
      RFC 4716, which is a multi-line text file beginning with the line `---- BEGIN SSH2 PUBLIC KEY ----'.

    public-openssh
      Save the public key only, in a format usable by OpenSSH. For SSH-1 keys, this output format behaves identically to public. For SSH-2 keys, the public key will be output in the  OpenSSH
      format, which is a single line (`ssh-rsa AAAAB3NzaC1yc2...').

    fingerprint
      Print the fingerprint of the public key. All fingerprinting algorithms are believed compatible with OpenSSH.

    private-openssh
      Save an SSH-2 private key in OpenSSH's format, using the oldest format available to maximise backward compatibility. This option is not permitted for SSH-1 keys.

    private-openssh-new
      As private-openssh, except that it forces the use of OpenSSH's newer format even for RSA, DSA, and ECDSA keys.

    private-sshcom
      Save an SSH-2 private key in ssh.com's format. This option is not permitted for SSH-1 keys.

    If no output type is specified, the default is private.

answered Aug 9, 2020 at 13:20

I did something like the information here
https://github.com/marketplace/actions/webfactory-ssh-agent

SSH Private Key Format
If the private key is not in the PEM format, you will see an Error loading key «(stdin)»: invalid format message.

Use ssh-keygen -p -f path/to/your/key -m pem to convert your key file to PEM, but be sure to make a backup of the file first 😉.

It solved my issue.

answered Aug 17, 2021 at 4:24

If you are on windows using Cygwin, Gitbash, MSYS or similar tools, try to start your command in elevated mode (run as administrator).

I had to do this to re-export the public key file.
If you are using .ssh/config file, make sure that the private key file is referenced there IdentityFile ~/.ssh/id_rsa.

Creating your private key file using puttygen will lead to similar error messages too, use OpenSSH to generate your private-public key-pair.

Using the public key file (~/.ssh/id_rsa.pub) as your identity file (IdentityFile in .ssh/config) will cause misleading error messages like

• invalid format
• connection timeout

answered Oct 11, 2021 at 12:33

TL;DR

FWIW, I ran into this problem today.

I never figured out what the new install of Win32 «portable openssh» 8.0.p1 didn’t like about the key files — I just created new keys and added them to github and gitlab:

ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:Usersmburr.sshgithub.mburr-precor.key-2.id_rsa

Details

I had a working install of OpenSSH from the https://github.com/PowerShell/openssh-portable project (as installed by Chocolatey). But a few days ago I had to perform a «repair install» of Windows and therefore had to reinstall OpenSSH.

After that my keys used to authenticate to github and gitlab would no longer work giving the «invalid format» error. These were the identical key files that had been on the system before (the Repair Reinstall didn’t remove those files).

I found no problems with line endings (all LF and an LF at the end of the file). The keys worked on a Linux system — and I later found that they worked with the OpenSSH included with Git for Windows v2.33.1.

 using the Win32 "portable OpenSSH" (from https://github.com/PowerShell/openssh-portable as installed by Chocolatey)
# Private key file error: "invalid format"
#

C:devtrees>"c:Program FilesOpenSSH-Win64ssh.exe" -V
OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5

C:devtrees>"c:Program FilesOpenSSH-Win64ssh.exe" -F c:utilemptyfile -i c:usersmburr.sshgithub.mburr.id_rsa -T git@github.com
Load key "c:\users\mburr\.ssh\github.mburr.id_rsa": invalid format
git@github.com: Permission denied (publickey).


#-------------------------------------------------------
# using the OpenSSH that comes with Git for Windows v2.33.1
# No problem with the private key
#

C:devtrees>c:gitusrbinssh.exe -V
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021

C:devtrees>c:gitusrbinssh.exe -F c:utilemptyfile -i c:usersmburr.sshgithub.mburr.id_rsa -T git@github.com
Enter passphrase for key 'c:usersmburr.sshgithub.mburr.id_rsa':
Hi mburr! You've successfully authenticated, but GitHub does not provide shell access.

(emptyfile is just that. I specified it as the config file with -F to force ssh to ignore ~/.ssh/config)

I never figured out what the Win32 «portable openssh» 8.0.p1 didn’t like about the key files — I just created new keys and added them to github and gitlab:

ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:Usersmburr.sshgithub.mburr-precor.key-2.id_rsa

Problem solved.

answered Oct 28, 2021 at 1:01

In my case the private key must have been added to the agent with:

ssh-add ~/.ssh/private_id_rsa

answered Mar 4, 2022 at 6:46

answered Apr 17, 2022 at 5:21

In my case, the problem was caused by incorrect end of line characters in id_rsa file. After copying file content, Windows text editor wanted to help me and converted EOLs to CR LF.

In my case, I just copied id_rsa private key but not the public part id_rsa.pub. It worked but complained with ‘invalid format’ each time I did server operations.
Copying id_rsa.pub as well solved the problem.

answered Aug 24, 2020 at 0:20

I was struggling with this issue and it ended up being extra newlines before and after the
-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines respectively;
removing them fixed it and now works fine.

hernandanielg@laptop:~$ diff -c id_rsa .ssh/id_rsa

  *** id_rsa    2022-04-26 06:41:51.650982783 -0500
  --- .ssh/id_rsa   2022-04-26 06:39:47.971676083 -0500
  ***************
  *** 1,5 ****
    -----BEGIN RSA PRIVATE KEY-----
  - 
    Proc-Type: 4,ENCRYPTED
    
  --- 1,4 ----
  ***************
  *** 52,56 ****
    somehash
  - 
    -----END RSA PRIVATE KEY-----
  --- 51,54 ----

SSHing into my system succeeds but even without the -v flag I get key_load_public: invalid format message. Below is the output w/ using the verbose flag.

Specifically

debug1: key_load_public: No such file or directory
debug1: identity file /home/myname/.ssh/private_rsa_key-cert type -1

seems to be the problem as I don’t have such a file. However, I checked w/ another system and I also get the same two above lines. However there is no key_load_public: invalid format before that, which is what I actually want to get rid of. Permissions on the authorized_keys file on both remote systems looks the same, permissions on the private_keys look the same too.

    $ ssh -v desired_host
    OpenSSH_7.2p2, OpenSSL 1.0.2g  1 Mar 2016
    debug1: Reading configuration data /home/myname/.ssh/config
    debug1: /home/dli/.ssh/config line 16: Applying options for desired_host
    debug1: Reading configuration data /etc/ssh_config
    debug1: Connecting to desired_host [X.X.X.X] port 22.
    debug1: Connection established.
    key_load_public: invalid format
    debug1: identity file /home/myname/.ssh/private_rsa_key type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/myname/.ssh/private_rsa_key-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
    debug1: Authenticating to desired_host:22 as 'myname'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
    debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
    debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: ssh-rsa SHA256:EmG/FBK0OCXtaAqAkfHKxoXKLGiZiHUsQpObK6aWd30
    debug1: Host 'desired_host' is known and matches the RSA host key.
    debug1: Found key in /home/myname/.ssh/known_hosts:39
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/myname/.ssh/private_rsa_key
    debug1: Authentication succeeded (publickey).
    Authenticated to desired_host ([X.X.X.X]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network

asked Apr 27, 2016 at 14:37

I was having this warning msg with scp and ssh when I used the -i option. I found that cause was extra in public key file. my pub key file had 2 lines with ‘wc -l’; i deleted the extra and now it only has 1 line with ‘wc -l’ and there are no warning messages.
I should clarify that ssh and scp worked correctly with and without the warning message.

answered Jun 23, 2020 at 23:27

answered Dec 18, 2019 at 17:32