Load key "/.ssh/identity/id_rsa": invalid format


Chromo Huynh

Mar 14, 2020, 4:03:44 AM
to chromium-hterm
I am unable to get any key to work. I have tried generating both rsa and ecdsa keys, saving them to id_rsa/id_rsa.pub and id_ecdsa/id_ecdsa.pub. I choose the pub/priv key files and import (selecting the files doesn't populate the pulldown with it, I have to attempt a failed connection in order for the app to reload with the new id).

No matter what keys I try I get the same error:

Load key "/.ssh/identity/id_rsa": invalid format

(filename depends on what id I select).

The id file (without .pub) is just:

-----BEGIN OPENSSH PRIVATE KEY----- 
<key here>
-----END OPENSSH PRIVATE KEY----- 


Maciej Żenczykowski

Mar 14, 2020, 6:35:35 AM
to Chromo Huynh, chromium-hterm
the only thing that comes to mind is:

are these standard unix style text files?

not word (or excel), just pure 7-bit ascii (not some 16-bit encoding,
not some unicode or utf-8 with byte order mark) with line feed as
end-of-line (not cr-lf or just carriage return)

perhaps generate them with openssh on a linux box - that definitely
works - and copy them over as files (not via some sort of
copy-and-paste of file contents which might perhaps mess things up).

For example I have:

id_rsa.pub:

ssh-rsa AAAAB3N...v z...@gmail.com

id_rsa:

-----BEGIN OPENSSH PRIVATE KEY-----
b3B...QF
-----END OPENSSH PRIVATE KEY-----

(and also not DSA keys and RSA1 keys don't work any more afaik)

Nom De Plume

Mar 14, 2020, 9:28:50 AM
to chromium-hterm
Something I found when setting up from a fresh install is that the keys didn't show up in the dropdown until I had tried to connect to my first connection. Once I tried the connection, I was able to do the import and the key was now available in the dropdown.

Chromo Huynh

Mar 14, 2020, 10:33:18 AM
to chromium-hterm, chromo...@gmail.com
Thanks for your inspiration. I was creating the files on the Chromebook itself using the Txt app but the keys I was copying/pasting from another channel and it looks like along the way the newlines got stripped. So the file was missing whitespace which it expected. Instead, I pulled some files directly and those keys work.


Massimo Balestra

Jun 23, 2020, 9:00:57 PM
to chromium-hterm, Chromo Huynh
I had the same problem and I solved it, I think.
My keys were created by puttygen. This tool (or kittygen) has a tab called conversion where you can save in three different formats.
I saved in "Export OpenSSH key" format and it gave me the error:
load pubkey "/home/user/.ssh/id_rsa": invalid format
then I saved and used the key saved in format: "Export OpenSSH key (force new file format)" and the warning is removed.
So the key is this new format.

Clarence Dold

Jul 18, 2020, 12:51:19 PM
to chromium-hterm, chromo...@gmail.com
I have not changed my files in quite some time, but recently, maybe only as a result of this post, I noticed these messages in the extension.
Welcome to Secure Shell App version 0.33.

Connecting to clar...@X.X.X.X...
load pubkey "/.ssh/identity/Clarence-C330_ecdsa": invalid format
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-111-generic x86_64)

The connection works fine.
Adding -v to the ssh command  gives
debug1: getpeername failed: No such file or directory
debug1: identity file /.ssh/Clarence-C330_ecdsa type -1
debug1: identity file /.ssh/Clarence-C330_ecdsa-cert type -1
load pubkey "/.ssh/identity/Clarence-C330_ecdsa": invalid format
debug1: identity file /.ssh/identity/Clarence-C330_ecdsa type -1
debug1: identity file /.ssh/identity/Clarence-C330_ecdsa-cert type -1

later, it shows
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/Clarence-C330_ecdsa
debug1: Trying private key: /.ssh/identity/Clarence-C330_ecdsa
debug1: Authentication succeeded (publickey).

It seems (as an uneducated guess) that it is looking at a public key format that it doesn't like, and then a private key format that it does like.

All of my keys are generated on Ubuntu, and copied via sftp in this app.

Maciej Żenczykowski

Jul 19, 2020, 4:04:28 AM
to Clarence Dold, chromium-hterm, Chromo Huynh
One thing I've had happen and haven't been able to figure out, is randomly have logins fail (ie. require a password) due to the keys *missing* (file not found errors).  Simply retrying the connection (not sure if in same window or another window) succeeds (ie. key is not missing on reconnect)...  Not at all sure if that's related or not...

Maciej Żenczykowski, Kernel Networking Developer @ Google

Clarence Dold

Jul 19, 2020, 11:07:21 AM
to chromium-hterm, claren...@gmail.com, chromo...@gmail.com
Yes. I have that happen so often, I ignore it.
It says the files aren't found, or something, asks for the password. I hit enter about three times to password prompts, and it tries again and succeeds.
Sometimes it is the first time after the Chromebook has gone to sleep, but not always a failure, not always after a sleep.

Ehsan Kia

Aug 20, 2020, 10:22:12 PM
to chromium-hterm, claren...@gmail.com, chromo...@gmail.com
Did anyone ever find a solution? I have not changed my key, yet starting a few months ago (around when this thread was created), it started throwing that error. The key still works just fine, it just prints that every time. I tried reloading the key and it still happens.
It's clearly not a relevant error, since again, the key works just fine. But the error is confusing and spammy.

Jon

Sep 9, 2020, 4:48:21 AM
to chromium-hterm, ph0...@gmail.com, claren...@gmail.com, chromo...@gmail.com
I'm suddenly having this error with exactly the same keyfile that was working for months previously without issue. Unlike others, it's also not actually working.

Clarence Dold

Oct 3, 2020, 11:11:18 AM
to chromium-hterm, Jon, ph0...@gmail.com, Clarence Dold, chromo...@gmail.com
I would hope that you found a solution.
The public shell service that I use changed something about their Linux installation. The Chrome ssh that I use still connects, although never the ecdsa, only rsa. The JuiceSSH that I use on my Android phone stopped working one day.

Add a -v or -vv, or -vvv to the SSH arguments line of Chrome SSH, and launch it.
See if you can identify where it is failing, and post the lines around the failure here.

For the CentOS release 5.3 (Final) public system, I had to use an rsa key, and add the ssh option
-o KexAlgorithms=+diffie-hellman-group-exchange-sha1  

My home 18.04.5 LTS (Bionic Beaver) uses ecdsa and no special arguments, although I do get the benign warning.

Ehsan Kia

Oct 17, 2020, 7:32:26 PM
to chromium-hterm, claren...@gmail.com, Jon, Ehsan Kia, chromo...@gmail.com
Ah, thank you for the reminder about -v+. I saw your email last week but finally decided to put in the time and take a closer look.
As mentioned above, for me it's not a breaking issue, it still connects fine, but it is annoying to get that error every time I connect.

I'm not an expert but it seems like it's testing id_rsa as both a public key and a private key, the former failing as it's not the right format.
Actually, I think the process itself is normal, in the logs it tries to load a bunch of other things that fail, but all the other logs are debug and only show for -v
this one line is not a debug log, and shows up, my guess would be that someone accidentally changed it from a debug log to a normal log?

After some more digging, it seems like it's something that's been added in newer versions of OpenSSH:
Sure enough, Secure Shell uses OpenSSH 8.3p1. Unfortunately, I can't seem to be able to upload a .pub file to the extension's directory.

Tried inspecting the extension but I can't seem to find where it is storing the keys, so I'm all out of ideas.
If anyone knows how to inject the .pub key into the local ~/.ssh/ directory of the extension, I'm curious if that fix would work.

Simon So

Apr 1, 2022, 2:54:33 AM
to chromium-hterm, Ehsan Kia, claren...@gmail.com, Jon, chromo...@gmail.com
I ran into this just now and adding a newline at the end (right after "-----END OPENSSH PRIVATE KEY-----") solved it for me.
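
Added example, not part of any post in this thread and not Secure Shell or OpenSSH code: a Python check of a private key file's raw bytes for the conditions posters raise above (16-bit or BOM-prefixed text, CR line endings, newlines stripped by copy-and-paste, a missing final newline, a PEM header other than the new OpenSSH one). The function name, finding labels and sample data are assumptions made for this example; the sample body is constructed filler, not a real key.

```python
import base64
import re

BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
END = b"-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"  # start of the decoded body in the new key format

def diagnose_key_file(data: bytes) -> list:
    """Return findings about a private key file's raw bytes (empty list = clean)."""
    findings = []
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return ["utf16-encoding"]              # 16-bit text encoding, not ASCII
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("utf8-bom")
        data = data[3:]
    if b"\r" in data:
        findings.append("cr-line-endings")     # CR-LF or bare CR instead of LF
        data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    if not data.endswith(b"\n"):
        findings.append("no-trailing-newline")
    if BEGIN not in data:
        legacy = re.search(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----", data)
        return findings + ["legacy-pem-armor" if legacy else "no-openssh-armor"]
    # Surrounding spaces on a line are ignored here; only line structure is checked.
    lines = [ln.strip() for ln in data.split(b"\n") if ln.strip()]
    if lines[0] != BEGIN or lines[-1] != END:
        return findings + ["armor-lines-malformed"]  # e.g. newlines stripped by paste
    try:
        blob = base64.b64decode(b"".join(lines[1:-1]), validate=True)
    except ValueError:
        return findings + ["body-not-base64"]
    if not blob.startswith(MAGIC):
        findings.append("bad-magic")
    return findings

def constructed_sample() -> bytes:
    """Well-formed file with a constructed body (magic + filler), not a real key."""
    body = base64.b64encode(MAGIC + bytes(range(90)))
    wrapped = b"\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return BEGIN + b"\n" + wrapped + b"\n" + END + b"\n"

if __name__ == "__main__":
    good = constructed_sample()
    cases = {"clean": good, "crlf": good.replace(b"\n", b"\r\n"),
             "pasted-no-newlines": good.replace(b"\n", b""),
             "no-final-newline": good[:-1], "bom": b"\xef\xbb\xbf" + good}
    for name, data in cases.items():
        print(f"{name:20} {diagnose_key_file(data)}")
```

Run it on a copy of the file's bytes, for example `diagnose_key_file(open(path, "rb").read())`; it reads only the armor and the first bytes of the body and does not parse or print key material.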

Raymond Cornelis Kamp

Nov 25, 2022, 7:13:55 AM
to chromium-hterm, Simon So, Ehsan Kia, claren...@gmail.com, Jon, chromo...@gmail.com
I'm also running into this issue since today, had to powerwash the Chromebook and started off with a fresh start, now I can't connect to SSH anymore on the Chromebook.

Tried the newline but it doesn't solve the issue here

Welcome to SSH version 107.
Answers to Frequently Asked Questions: https://goo.gl/muppJj (Ctrl+Click on links to open)

[Pro Tip] Use 'Open as Window' or 'Fullscreen' to prevent Ctrl+W from closing your terminal!
[Pro Tip] See https://goo.gl/muppJj for more information.

ChangeLog/release notes: /html/changelog.html

Random Pro Tip #13: Display images inline: https://goo.gl/MnSysj

Loading pnacl program... done.
Connecting to user...@server.domain.nl...
OpenSSH_8.8p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to server.domain.nl [1.2.3.4] port 22.
debug1: Connection established.
debug1: getpeername failed: Function not implemented
debug1: identity file /.ssh/identity/my1p.key type -1
debug1: identity file /.ssh/identity/my1p.key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to server.domain.nl:22 as 'username'
debug1: load_hostkeys: fopen /.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen //etc/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen //etc/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:57M0Z9NBsLXKBUBaeL2IFRgJNvIzMy/5fY85TB2lx3E
debug1: load_hostkeys: fopen /.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen //etc/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen //etc/ssh_known_hosts2: No such file or directory
debug1: Host '[server.domain.nl]:22' is known and matches the ED25519 host key.
debug1: Found key in /.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /.ssh/identity/my1p.key  explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-...@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sh...@openssh.com,webauthn-sk-ecd...@openssh.com>
debug1: kex_input_ext_info: publickey...@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity/my1p.key
Load key "/.ssh/identity/my1p.key": invalid format
debug1: No more authentication methods to try.
user...@server.domain.nl: Permission denied (publickey).

This key has always worked this way before the Chromebook powerwash, but now I can't even access one of my servers.