"Invalid Privatekey" When Using Jsch

Invalid privatekey when using JSch

I also stumbled upon this issue.
running Jgit on mac, for some users we saw the following exception:

org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:160)
    at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:137)
    at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:274)
    at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:169)
    at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
    at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
    at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1236)
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:234)
    ... 17 more
Caused by: com.jcraft.jsch.JSchException: invalid privatekey: [B@e4487af
    at com.jcraft.jsch.KeyPair.load(KeyPair.java:664)
    at com.jcraft.jsch.KeyPair.load(KeyPair.java:561)
    at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40)
    at com.jcraft.jsch.JSch.addIdentity(JSch.java:407)
    at com.jcraft.jsch.JSch.addIdentity(JSch.java:367)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getJSch(JschConfigSessionFactory.java:276)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:220)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:176)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:110)

The root cause was discovered to be the ssh private key mismatch.
The exception only happened for users with key of newer kind ed25519, which outputs this key header:

-----BEGIN OPENSSH PRIVATE KEY-----

instead of kind RSA:

-----BEGIN RSA PRIVATE KEY-----

regenerating an RSA key (ssh-keygen -t rsa), made the exception go away.

Edit following comments:
If you have OpenSSH 7.8 and above you might need to add -m PEM to the generation command:
ssh-keygen -t rsa -m PEM

JSCH - Invalid private key

I guess that your key is not in OpenSSH key file format. JSch expects the private key to be in OpenSSH format.

You can use PuTTYgen to convert your private key to work with OpenSSH by following the steps described here:

Press Load and select the Private Key that was created with
PuTTYgen.
Enter the passphrase to load the key.
From the Conversions
menu select export OpenSSH key
Save the private key.

Testing jsch on gitlab results in invalid privatekey error

As mentioned here:

Check the PPK file and ensure that there are no obvious signs of a malformation. IE. Truncations, encoding issues, etc.
Verify the line endings in the PPK file.

If you are developing a project and maintaining your code through a source code versioning system it is possible that your code gets versioned by different collaborators using different O.S. and architectures.

As each operating system handles text end of lines differently (in Linux and OSX is handled as 'LF', in Windows as CRLF), if the PPK file gets modified, the character used to determine EOL could also be modified, thus impacting the matching of the private key. In these cases, it would be important to define the EOL character to use in your source code versioning tool settings or to directly avoid tracking the PPK file modifications.

See the comments of "invalid private key when opening SSH tunnel with jsch":

At least in 0.1.53 (and I doubt this would be removed) it does read PPK (in addition to OpenSSL PEMs = non-newfmt OpenSSH and several others) but only with Windows-type EOL (CR LF).

Did you copy your PPK to the affected system by a method that can change EOLs such as pasting to an editor or FTP TYPE A?

That or use a PEM format instead of PPK.

JSch getting invalid privatekey: while trying to load an RSA private key by KeyPairGenerator

The Sun JCA provider will return an DER-encoded unencrypted PKCS #8 structure, rather than an RSAPrivateKey object when you call PrivateKey.getEncoded().

You can use BouncyCastle to give you the key in the format you require:

import java.io.StringWriter;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;

import org.bouncycastle.openssl.PEMWriter;

public class JSCH {

  public static void main(String[] args) throws Exception {
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(2048, new SecureRandom());
    PrivateKey privateKey = keyPairGenerator.genKeyPair().getPrivate();

    StringWriter writer = new StringWriter();

    try (PEMWriter pemWriter = new PEMWriter(writer)) {
      pemWriter.writeObject(privateKey);
    }

    String privateKeyStr = writer.toString();
    System.out.println(privateKeyStr);
    com.jcraft.jsch.KeyPair
        .load(null, privateKeyStr.getBytes("US-ASCII"), null);
  }
}

There may be a more elegant way to get the encoded key as a byte string. It feels ugly to write it as a string and call getBytes(), but perhaps you can look into this.

Example output:

SSH with JSch and PEM private key, while router uses openssl key

You have two Jsch instances, so the session does not get the identity you added to the other instance. Change to

val jSch = JSch()
jSch.addIdentity("blabla123", privateKey.toByteArray(), null, null)
session = jSch.getSession(username, host, port)

"Invalid Privatekey" When Using Jsch