Created attachment 3403: verbose log of successful connection with load pubkey invalid format message. After upgrading, I am receiving a warning from the client side of OpenSSH during a successful connection to an OpenSSH Server. load pubkey "/root/.ssh/digital-ocean-openssh": invalid format My previous downstream OS was Fedora 31 (OpenSSH_8.1p1), where no such message occurs. This begins to show up in Fedora 32 (OpenSSH_8.3p1). The key file in question is an RSA private key in PEM format.
It seems it's also seen with Arch Linux: https://bugs.archlinux.org/task/66799
Is there any corresponding /root/.ssh/digital-ocean-openssh.pub for the /root/.ssh/digital-ocean-openssh private key?
There is no corresponding public key file. The public key is derived from the private key.
Private keys should have a corresponding pubkey file available as ssh prefers to load and test the public key before loading the private key. We might downgrade this error in a future release, but you can avoid it either by converting that key to an OpenSSH-format private key file or by making a standalone public key using "ssh-keygen -yf /root/.ssh/digital-ocean-openssh > /root/.ssh/digital-ocean-openssh.pub"
I can confirm that creating a separate public key file causes the message to go away. The command "ssh-keygen -yf /root/.ssh/digital-ocean-openssh > /root/.ssh/digital-ocean-openssh.pub" correctly created a public key file, and the ssh client found it without any changes to the config file. Thank you. I will just note however that there was never a need for a separate private key in any previous version of Fedora prior to version 33. I have been successfully using a configuration with just the private key since Fedora 6. I've just now verified my Debian (OpenSSH_7.9p1), Ubuntu (OpenSSH_8.2p1), Windows (OpenSSH_7.3p1), and Mac (OpenSSH_7.9p1) machines and see that they also have been working without separate public key files.
Sure - the error is new but ssh will continue to work as it always has: suboptimally if any of the private key files have passphrases on them, as it may prompt for a passphrase on a key that has no chance at authentication success.
Since I'm using a continuous integration pipeline that slings code around all day long using git, which uses SSH, I have been encountering this warning hundreds of times a day. It was hard to see whether or not my CI had any meaningful errors. Is there a design rationale behind introducing this warning message now, after all these years? Have I been doing something unsafe without knowing it?
A standalone public key file does not make this go away. The error comes from this: https://github.com/openssh/openssh-portable/blob/3779b50ee952078018a5d9e1df20977f4355df17/sshkey.c#L3978 The buffer is being checked for "-----BEGIN OPENSSH PRIVATE KEY-----", but it in fact (in my case) starts with "-----BEGIN RSA PRIVATE KEY-----" The identical identity file using openssh 7.9p1 produces no warning. I'll add an attachment with the bt.
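An added helper script (not from this bug thread or from OpenSSH itself) that ties the two points above together: it classifies a private key by the header line that sshkey.c inspects, lists legacy PEM keys that have no companion .pub, and creates the missing .pub with the `ssh-keygen -yf` command from the upstream reply. The sample key directory it builds is constructed and contains header lines only, so it never touches real key material.

```shell
#!/bin/sh
# Classify a private key file by its first line, the header that the
# OpenSSH 8.3 loader checks before deciding how to parse the file:
#   openssh - "-----BEGIN OPENSSH PRIVATE KEY-----" (new format)
#   pem     - legacy "-----BEGIN RSA/EC/DSA PRIVATE KEY-----"
#   unknown - anything else (public keys, config files, ...)
key_format() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            echo pem ;;
        *) echo unknown ;;
    esac
}

# Print every legacy PEM private key in DIR that has no matching .pub file,
# i.e. the keys that trigger the "load pubkey ...: invalid format" message.
missing_pubs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        [ "$(key_format "$f")" = pem ] || continue
        [ -f "$f.pub" ] || echo "$f"
    done
}

# Generate the missing .pub next to each key, as the upstream reply suggests.
# Requires ssh-keygen; a passphrase-protected key will prompt for it.
fix_missing_pubs() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    missing_pubs "$1" | while IFS= read -r key; do
        ssh-keygen -yf "$key" > "$key.pub" && echo "wrote $key.pub"
    done
}

# Build a constructed sample directory (header lines only, no real keys)
# and print its path so the functions above can be exercised offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' > "$d/legacy"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' > "$d/modern"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' > "$d/covered"
    : > "$d/covered.pub"
    echo "$d"
}

sample=$(make_sample_dir)
missing_pubs "$sample"   # prints only .../legacy
rm -rf "$sample"
```

Run `fix_missing_pubs ~/.ssh` on a real directory to create the public key files the 8.3 client looks for.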
Created attachment 3410: stack on failing check in private2_uudecode
A fix has apparently been checked in. https://blog.hqcodeshop.fi/archives/482-OpenSSH-8.3-client-fails-with-load-pubkey-invalid-format.html