Error loading key dev fd 63 invalid format

Here is my code giltlab-ci.yml :

 before_script:
  ##
  ## Install ssh-agent if not already installed, it is required by Docker.
  ## (change apt-get to yum if you use an RPM-based image)
  ##
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'

  ##
  ## Run ssh-agent (inside the build environment)
  ##
  - eval $(ssh-agent -s)
  ##
  ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
  ## We're using tr to fix line endings which makes ed25519 keys work
  ## without extra base64 encoding.
  ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
  ##
  - mkdir -p ~/.ssh
  #- echo -n "$PROJECT_SSH_KEY" | ssh-add - >/dev/null
  - echo "$PROJECT_SSH_KEY"
  - ssh-add <(echo "$PROJECT_SSH_KEY")
  - '[[ -f /.dockerenv ]] && echo -e "Host *ntStrictHostKeyChecking nonn" > ~/.ssh/config'
      ##
  ## Create the SSH directory and give it the right permissions
  ##
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh

  ##
  ## Optionally, if you will be using any Git commands, set the user name and
  ## and email.
  ##
  #- git config --global user.email "user@example.com"
  #- git config --global user.name "User name"

I get this out put

Running with gitlab-runner 11.8.0 (4745a6f3)
on Allence-Tunisie-docker-runner sH47eTgb
Using Docker executor with image ntfactory/ci-tool:0.0.2 …
Pulling docker image ntfactory/ci-tool:0.0.2 …
Using docker image sha256:7fe7b170806f6846271eec23b41c4f79202777f62c0d7a32165dc41722900979
for ntfactory/ci-tool:0.0.2 …
Running on runner-sH47eTgb-project-11060727-concurrent-0 via a732493b4b94…
Cloning repository…
Cloning into ‘/builds/allence-tunisie/e-formation’…
Checking out 0a6b48ef as feat/gitlab-ci…
Skipping Git submodules setup
Checking cache for default…
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 12
$ mkdir -p ~/.ssh
$ echo «$SSH_PRIVATE_KEY» | tr -d ‘r’ | ssh-add — > /dev/null
Error loading key «(stdin)»: invalid format
ERROR: Job failed: exit code 1

even though i tried — echo «$SSH_PRIVATE_KEY» | tr -d ‘r’ | ssh-add
— > /dev/null i get this error

Error loading key «(stdin)»: invalid format

asked Mar 18, 2019 at 14:25

If you have protected the variable then you need to have a protected branch. As mentioned in the variables settings — «They can be protected by only exposing them to protected branches or tags.»

As mentioned in this thread on GitLab’s bug tracker, the issue can arise when carriage return characters (r) are added to the variable (a.k.a. «secret»). This can be worked around by piping to tr -d "r" to delete these characters, leaving the SSH key correctly formed.

An example in your CI would be:

ssh-add <(echo "${SSH_priv_key_b64}" | base64 --decode | tr -d "r")

Note that base 64 encoding is necessary to use an SSH key with the «masked» and «protected» properties.

answered Nov 1, 2021 at 16:18

The documentation says that they have fixed the error. This is the new way to do it.

  ##
  ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
  ## We're using tr to fix line endings which makes ed25519 keys work
  ## without extra base64 encoding.
  ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
  ##

  - echo "$SSH_PRIVATE_KEY" | tr -d 'r' | ssh-add -

answered Apr 7, 2022 at 19:06

answered May 16, 2022 at 0:58

I got this error from a silly mistake!- in my GitLab project settings, the Type for my variable was set to File instead of Variable.

And so, changing the Type from File to Variable fixed this for me.

answered Aug 26, 2022 at 4:53

Step by step:

1. Generate ssh key info about generation

ssh-keygen -t ed25519 -C "<comment>"

1. Encode PRIVATE_KEY

cat /root/.ssh/id_rsa | base64 -w0
# OR
echo "-----BEGIN OPENSSH..." | base64 -w0

1. On gitlab, go to your repository > settings > CI/CD > Variables and add your variable with encoded value (also you can switch «protected variable flag»)

2. In you .gitlab-ci.yml add decoding pipe

- ssh-add <(echo "$SSH_KEY" | base64 -d)

1. That’s all.

But if you will have «Permission denied, please try again.» error after all — try my answer here

answered Oct 29, 2022 at 22:51

You must gen RSA key not OPENSSH Key. Use param «-m PEM» (ssh-keygen -m PEM) to generate RSA Key will start with ——BEGIN RSA PRIVATE KEY—— and end with ——END RSA PRIVATE KEY——

For me I protected branch and tags , and then I finally did it without any errors.

130s

added a commit
to plusone-robotics/industrial_ci
that referenced
this issue

Nov 6, 2021

130s

added a commit
to plusone-robotics/industrial_ci
that referenced
this issue

Nov 18, 2021

So a while ago I set up a server on AWS, and used their generated SSH key. I saved the key to Lastpass, and have successfully retrieved it from there before, and got it working. However, after trying that again today, I can’t get it to work.

-rw------- 1 itsgreg users 1674 Jun 6 12:51 key_name

I’ve tried ssh -i key_name, ssh-keygen -f key_name, but nothing works, I always get this error message:

Load key "key_name": invalid format

Is there any way to fix this?

asked Jun 6, 2017 at 12:06

Check the contents of key_name, if the agent says invalid format, then there’s something wrong with the key — like .. are you sure that’s the correct key? Even if it’s not the private key you need, the ssh agent won’t return invalid format if the key is working, you simply won’t be able to connect. You might have placed your public key in there, for some reason. Check it!

Use your private key instead of the public key.

I’ve faced with the compatibility issue in Win32-OpenSSH 8.1.

None of the answers here worked for me so I found my own way: convert key to the new format using PuTTYgen utility.

1. Run fresh version of puttygen
2. Open the key (Conversions > Import key). Enter passphrase.
3. Save key in new OpenSSH format (Conversions > Export OpenSSH key (force new file format))

answered Nov 18, 2020 at 18:17

I started seeing this problem when I upgraded to Ubuntu 20.10. It uses OpenSSH_8.3p1.

I fixed it using:

ssh-keygen -y -f mykey.pem > mykey.pem.pub

Confusingly, the error says «pubkey» while pointing to a private key file.

A missing public key file (or other problems with it) causes this error — see this answer for details.

answered Oct 3, 2020 at 9:47

You are logging with the wrong user

In my case, I was trying to connect to an Amazon AWS EC2 instance, but getting the error

load pubkey "MyPrivateKey.pem": invalid format

This was because I was trying to log with the wrong user (ec2-user)

I was using an Ubuntu machine, with user ubuntu instead of ec2-user (as is stated on the official Amazon Linux server OS).

But why that error?

It turns out Amazon uses an old format (puttygen says upon loading «openssh ssh-2 private key (old pem format)») that openssh doesn’t like very much, so it is really a warning and not an error.

The real error (there is no such user on that server) is hidden by the server (otherwise you could brute force login names), but instead a «Connection closed» is shown.

You can find the name you use to connect to your machine on AWS under Actions>Connect.

How to fix the warning?

Just follow the answer of «Ras», which is, use PuTTYgen to convert to the OpenSSH format.

I got this error when I use my public key with ssh-add. I should have used the private key. The public key can cause this error.

ssh-add rsakey.pub
Error loading key "rsakey.pub": invalid format

However, this is fine:

ssh-add rsakey

answered Jan 13, 2021 at 18:35

In my case the problem was that the private key was in the following format:

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

whereas the SSH server expected the following format:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

answered Feb 1, 2021 at 14:48

I was having this problem with Mac OSX 11.4 and ssh version OpenSSH_8.1p1, LibreSSL 2.7.3. I tried all of the other solutions and nothing worked (i.e., I regenerated keys, tried newlines etc.).

Then I read this on the GitHub docs and by adding the following to my ~/.ssh/config I no longer got the error

Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa

answered Aug 1, 2021 at 0:07

answered Feb 12, 2019 at 8:51

answered Feb 15, 2019 at 3:01

This is also the error ssh (at least some versions) emits if you have a passphrase on your private key, and enter the passphrase wrong when you attempt to connect.

(In particular, this happened to me with:
OpenSSH_7.6p1, LibreSSL 2.6.2,
which is the built-in SSH for Mac OS X 10.13.6 .)

So double-check that you’re using the right passphrase, and that CAPS LOCK is off.

answered Feb 15, 2019 at 3:31

answered Mar 24, 2020 at 13:02

For anyone who has tried sudo puttygen ~/.ssh/your-key.pem -O private-openssh -o ~/.ssh/your-key-new.pem and got an error message saying puttygen: this command would perform no useful action there is an even newer format so you need to amend the command as follows:

sudo puttygen ~/.ssh/your-key.pem -O private-openssh-new -o ~/.ssh/your-key-new.pem

I was using a key generated by AWS on Manjaro which is a bit more bleeding edge than most other distros, still worked but the warning message was annoying.

For more info you can use man puttygen but the relevent section is below:

  -O output-type
    Specify the type of output you want puttygen to produce. Acceptable options are:

    private
      Save the private key in a format usable by PuTTY. This will either be the standard SSH-1 key format, or PuTTY's own SSH-2 key format.

    public Save  the  public key only. For SSH-1 keys, the standard public key format will be used (`1024 37 5698745...'). For SSH-2 keys, the public key will be output in the format specified by
      RFC 4716, which is a multi-line text file beginning with the line `---- BEGIN SSH2 PUBLIC KEY ----'.

    public-openssh
      Save the public key only, in a format usable by OpenSSH. For SSH-1 keys, this output format behaves identically to public. For SSH-2 keys, the public key will be output in the  OpenSSH
      format, which is a single line (`ssh-rsa AAAAB3NzaC1yc2...').

    fingerprint
      Print the fingerprint of the public key. All fingerprinting algorithms are believed compatible with OpenSSH.

    private-openssh
      Save an SSH-2 private key in OpenSSH's format, using the oldest format available to maximise backward compatibility. This option is not permitted for SSH-1 keys.

    private-openssh-new
      As private-openssh, except that it forces the use of OpenSSH's newer format even for RSA, DSA, and ECDSA keys.

    private-sshcom
      Save an SSH-2 private key in ssh.com's format. This option is not permitted for SSH-1 keys.

    If no output type is specified, the default is private.

answered Aug 9, 2020 at 13:20

I did something like the information here
https://github.com/marketplace/actions/webfactory-ssh-agent

SSH Private Key Format
If the private key is not in the PEM format, you will see an Error loading key «(stdin)»: invalid format message.

Use ssh-keygen -p -f path/to/your/key -m pem to convert your key file to PEM, but be sure to make a backup of the file first 😉.

It solved my issue.

answered Aug 17, 2021 at 4:24

If you are on windows using Cygwin, Gitbash, MSYS or similar tools, try to start your command in elevated mode (run as administrator).

I had to do this to re-export the public key file.
If you are using .ssh/config file, make sure that the private key file is referenced there IdentityFile ~/.ssh/id_rsa.

Creating your private key file using puttygen will lead to similar error messages too, use OpenSSH to generate your private-public key-pair.

Using the public key file (~/.ssh/id_rsa.pub) as your identity file (IdentityFile in .ssh/config) will cause misleading error messages like

• invalid format
• connection timeout

answered Oct 11, 2021 at 12:33

TL;DR

FWIW, I ran into this problem today.

I never figured out what the new install of Win32 «portable openssh» 8.0.p1 didn’t like about the key files — I just created new keys and added them to github and gitlab:

ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:Usersmburr.sshgithub.mburr-precor.key-2.id_rsa

Details

I had a working install of OpenSSH from the https://github.com/PowerShell/openssh-portable project (as installed by Chocolatey). But a few days ago I had to perform a «repair install» of Windows and therefore had to reinstall OpenSSH.

After that my keys used to authenticate to github and gitlab would no longer work giving the «invalid format» error. These were the identical key files that had been on the system before (the Repair Reinstall didn’t remove those files).

I found no problems with line endings (all LF and an LF at the end of the file). The keys worked on a Linux system — and I later found that they worked with the OpenSSH included with Git for Windows v2.33.1.

 using the Win32 "portable OpenSSH" (from https://github.com/PowerShell/openssh-portable as installed by Chocolatey)
# Private key file error: "invalid format"
#

C:devtrees>"c:Program FilesOpenSSH-Win64ssh.exe" -V
OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5

C:devtrees>"c:Program FilesOpenSSH-Win64ssh.exe" -F c:utilemptyfile -i c:usersmburr.sshgithub.mburr.id_rsa -T git@github.com
Load key "c:\users\mburr\.ssh\github.mburr.id_rsa": invalid format
git@github.com: Permission denied (publickey).


#-------------------------------------------------------
# using the OpenSSH that comes with Git for Windows v2.33.1
# No problem with the private key
#

C:devtrees>c:gitusrbinssh.exe -V
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021

C:devtrees>c:gitusrbinssh.exe -F c:utilemptyfile -i c:usersmburr.sshgithub.mburr.id_rsa -T git@github.com
Enter passphrase for key 'c:usersmburr.sshgithub.mburr.id_rsa':
Hi mburr! You've successfully authenticated, but GitHub does not provide shell access.

(emptyfile is just that. I specified it as the config file with -F to force ssh to ignore ~/.ssh/config)

I never figured out what the Win32 «portable openssh» 8.0.p1 didn’t like about the key files — I just created new keys and added them to github and gitlab:

ssh-keygen -o -t rsa -b 4096 -C "New format OpenSSH for github" -f C:Usersmburr.sshgithub.mburr-precor.key-2.id_rsa

Problem solved.

answered Oct 28, 2021 at 1:01

In my case the private key must have been added to the agent with:

ssh-add ~/.ssh/private_id_rsa

answered Mar 4, 2022 at 6:46

answered Apr 17, 2022 at 5:21