id_rsa.pub file SSH Error: invalid format
IdentityFile configuration parameter should be pointed at the private key which the SSH client uses to prove its identity to the remote server. (The remote server, then, should have the contents of
id_rsa.pub installed in its
authorized_keys file, or an equivalent location).
You should be putting the path to
id_rsa.pub, as an argument to
IdentityFile in your
ssh-add id_rsa.pub generating invalid format error
ssh-agent is an authentication agent used for verifying a user/computer using asymmetric cryptography.
The private key is "your identity" and the public key can be used to "verify" your identity. So, the private key should be known to the authentication agent (ssh-agent in your case), while the public key will be used by the remote service/server. ssh-agent only needs to know private key and not the public key.
key_load_public: invalid format
As Roland mentioned in their answer, it's a warning that the
ssh-agent doesn't understand the format of the public key and even then, the public key will not be used locally.
However, I can also elaborate and answer why the warning is there. It simply boils down to the fact that the PuTTY Key Generator generates two different public key formats depending on what you do in the program.
Note: Throughout my explanation, the key files I will be using/generating will be named
id_rsa with their appropriate extensions. Furthermore, for copy-paste convenience, the parent folder of the keys will be assumed to be
~/.ssh/. Adjust these details to suit your needs as desired.
Link to the relevant PuTTY documentation
When you save a key using the PuTTY Key Generator using the "Save public key" button, it will be saved in the format defined by RFC 4716.
---- BEGIN SSH2 PUBLIC KEY ----
---- END SSH2 PUBLIC KEY ----
Contrary to popular belief, this format doesn't get saved by the generator. However it is generated and shown in the text box titled "Public key for pasting into OpenSSH authorized_keys file". To save it as a file, you have to manually copy it from the text box and paste it into a new text file.
For the key shown above, this would be:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhl/CNy9wI1GVdiHAJQV0CkHnMEqW7+Si9WYFi2fSBrsGcmqeb5EwgnhmTcPgtM5ptGBjUZR84nxjZ8SPmnLDiDyHDPIsmwLBHxcppY0fhRSGtWL5fT8DGm9EfXaO1QN8c31VU/IkD8niWA6NmHNE1qEqpph3DznVzIm3oMrongEjGw7sDP48ZTZp2saYVAKEEuGC1YYcQ1g20yESzo7aP70ZeHmQqI9nTyEAip3mL20+qHNsHfW8hJAchaUN8CwNQABJaOozYijiIUgdbtSTMRDYPi7fjhgB3bA9tBjh7cOyuU/c4M4D6o2mAVYdLAWMBkSoLG8Oel6TCcfpO/nElw== github-example-key
The format of the key is simply
ssh-rsa <signature> <comment> and can be created by rearranging the SSH-2 formatted file.
Regenerating Public Keys
If you are making use of
ssh-agent, you will likely also have access to
If you have your OpenSSH Private Key (
id_rsa file), you can generate the OpenSSH Public Key File using:
ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub
If you only have the PUTTY Private Key (
id_rsa.ppk file), you will need to convert it first.
- Open the PuTTY Key Generator
- On the menu bar, click "File" > "Load private key"
- Select your
- On the menu bar, click "Conversions" > "Export OpenSSH key"
- Save the file as
id_rsa(without an extension)
Now that you have an OpenSSH Private Key, you can use the
ssh-keygen tool as above to perform manipulations on the key.
Bonus: The PKCS#1 PEM-encoded Public Key Format
To be honest, I don't know what this key is used for as I haven't needed it. But I have it in my notes I've collated over the years and I'll include it here for wholesome goodness. The file will look like this:
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
This file can be generated using an OpenSSH Private Key (as generated in "Regenerating Public Keys" above) using:
ssh-keygen -f ~/.ssh/id_rsa -y -e -m pem > ~/.ssh/id_rsa.pem
Alternatively, you can use an OpenSSH Public Key using:
ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pem > ~/.ssh/id_rsa.pem
- "key_load_public: invalid format..." on AskUbuntu
- The Secure Shell (SSH) Public Key File Format
- Converting OpenSSH public keys
Git push with SSH remote error: Load key /path/to/file_id_rsa : invalid format
If the private key format differs, that means, as I mentioned here that:
- one platform is using openssh prior to 7.8, with an old PEM 64-chars per line format.
- one is using a more recent OpenSSH format, 70-chars per line.
You can force a recent openSSH to generate the old format with:
ssh-keygen -m PEM -t rsa -P "" -f afile
Invalid format when creating an id_rsa file with Node
This error happens in Github Actions when using
OPENSSH instead of
You need to encode the ssh key as an RSA key instead.
-----BEGIN O̶P̶E̶N̶S̶S̶H̶ RSA PRIVATE KEY-----
-----END O̶P̶E̶N̶S̶S̶H̶ RSA PRIVATE KEY-----
Error loading key /root/.ssh/id_rsa : invalid format
I managed to fix it with the help of guys from the ##aws irc channel
I generated a PKCS#1 key format instead of a PKCS#8 format.
The PKCS#1 is represented as:
-----BEGIN RSA PRIVATE KEY-----
BASE64 ENCODED DATA
-----END RSA PRIVATE KEY-----
The PKCS#8 is represented as:
-----BEGIN PRIVATE KEY-----
BASE64 ENCODED DATA
-----END PRIVATE KEY-----
I simply copied the PRIVATE KEY and converted it here https://decoder.link/rsa_converter
You can also see a better elucidation here Differences between "BEGIN RSA PRIVATE KEY" and "BEGIN PRIVATE KEY"
As indicated below, it is not a good idea to use websites to do the conversion. Especially when your private key is likely being
sent to their servers. Instead, do the conversion locally as indicated here
Docker Load key /root/.ssh/id_rsa : invalid format
If the key is "invalid format", try and regenerate it with the old PEM format.
ssh-keygen -m PEM -t rsa -P ""
Make sure to add the public key to your GitHub account for proper authentication.
The OP Shammir adds in the comments:
I think the issue is that nothing is being copied from host machine to docker image during build.
docker build --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)" returning empty", Shammir uses
dockito/vault to manage the private key, but also configure it to "AddKeysToAgent": that is not needed if the private key is not passphrase protected (as in my command above)