Cannot add SSH key generated on Fedora / openssh 7.8p1-1


#1

Hi,

I want to push to github as part of my build process, so I generated a key with

ssh-keygen -t rsa -b 4096 -C "my@mail.com" -f keyfile

and empty passphrase.

Then I try to add the key under project settings > SSH Permissions.

On pressing “Add SSH key” the button only changes text to “Failed”. Looking at the Network traffic reveals that the Response is:

{message: "it looks like private key is invalid key. Double check"}

I did double check and I have no idea what the problem might be.

The key is (not used anywhere, will use different one, just to reproduce)

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAqa+Jc1DUyr5tCwn4CgjuxFl6XQr6uaAymuKXyqnVrDA/VwekxTAp
BdjC1GA5zTJB/PqfTzUwSSSET/h3HrkYm8UMBIGmBiDExrvwO0GT813gosyrKIjcIiWtSC
E488bqpR1I3oLUvQbG4bOJR7XDnYT/gMz0dWezIy4y9kInc6+VEYF80i55cDLdDgyu/L3c
QFapRY1HDRorADw9c6G+4+PqVJDEK6VGj4EMKTnHFtTqf6RJj+FJ0jdqRUuZ0PZGD1Mg/i
0xzpS9vyvazec6E447uz+h39RnFOMRSjrHiL6+lJO7/jDtoOC2knIS9dyAZMPwszCZ50tX
wbfhAY3TdM+/klwyNGvUC8M0dyLcrA392DR8iv8EZbxnPXoDHRTyqreNhyn7BbLp1XLK6y
ZWFwWvXDc9o4YpsiwHvU2uz6pVS5Iu6XxOAW9kYdpcT1hc9SZt0iucVaLEQIVjB8o35SxC
DgxQpHP8UY+D+tDriC6ey0zHcBd/LAP7asHEeLfdNOkT/ZT2fSN4za3s8NJB4uDG87K50X
lc/g2euDFpLPp1qMCLKVIAapiOFMQ2yFzobmAT39+aDVEGaseByyLIuCbQ+YBgBmoOjZEW
RTv+O8yleu/80lS8ZQYgxrZxNWWdAO7yHwfkIqKr/zNeMQXdqY2P4BPUNKaSb9V0CdzFDz
sAAAdIqP7ZMKj+2TAAAAAHc3NoLXJzYQAAAgEAqa+Jc1DUyr5tCwn4CgjuxFl6XQr6uaAy
muKXyqnVrDA/VwekxTApBdjC1GA5zTJB/PqfTzUwSSSET/h3HrkYm8UMBIGmBiDExrvwO0
GT813gosyrKIjcIiWtSCE488bqpR1I3oLUvQbG4bOJR7XDnYT/gMz0dWezIy4y9kInc6+V
EYF80i55cDLdDgyu/L3cQFapRY1HDRorADw9c6G+4+PqVJDEK6VGj4EMKTnHFtTqf6RJj+
FJ0jdqRUuZ0PZGD1Mg/i0xzpS9vyvazec6E447uz+h39RnFOMRSjrHiL6+lJO7/jDtoOC2
knIS9dyAZMPwszCZ50tXwbfhAY3TdM+/klwyNGvUC8M0dyLcrA392DR8iv8EZbxnPXoDHR
TyqreNhyn7BbLp1XLK6yZWFwWvXDc9o4YpsiwHvU2uz6pVS5Iu6XxOAW9kYdpcT1hc9SZt
0iucVaLEQIVjB8o35SxCDgxQpHP8UY+D+tDriC6ey0zHcBd/LAP7asHEeLfdNOkT/ZT2fS
N4za3s8NJB4uDG87K50Xlc/g2euDFpLPp1qMCLKVIAapiOFMQ2yFzobmAT39+aDVEGaseB
yyLIuCbQ+YBgBmoOjZEWRTv+O8yleu/80lS8ZQYgxrZxNWWdAO7yHwfkIqKr/zNeMQXdqY
2P4BPUNKaSb9V0CdzFDzsAAAADAQABAAACAHpnCKSpe0ZhBTHAWC+M8AetcAosAF7kw3xc
1hg4WM0j5Jz4A5DGw+DW0vv2CdwOU/GULFUrzhAFCnjRh8QeyzSaeKfLiiLDgo7FRW7JSF
t2rbNiJllQGFN9kDkG1hlrtRm0PTtdbu6IM/Dd3Lpg0KIRLWoQ7oq+akeHbPWdFO5riwGc
wZiwM6OO3UzkM1pX7shuex6T4dv+s2QxEDcYRyYG46Nq5keBqpucAFTAu++pWRsIPJRQdD
rzBHLGLUfCTxmA4rzXhyU4wINltClxkcBHiqjxJujaRB2aCn/cVNE8nyd4RlT/oHq7fpe3
OBwommmVukzYUzy4aa5w4RuI3i4pd0EpHV7hqUs5r5VrghADWXQW8OS3IhEG7ShDk5tQX7
VhEg+Sxn/56TAq/sXOubeySztEgipVxEnGg54ol/kpzZg9U0PK3acUu5Atl/3Yfb+3z8jv
QeHaVNYwqwdMEksHhLC/WQSufCieEeMPFQIlkLMIXdomP2EvlfMo+mJMJ+SjPvI0lVZbGW
+jMe/sGoj/E08mMNfJsbwWhdAHzXtxaYGF3mDvCDRnmOaPW4v2aqlQ4VenKVXezSo5Fytr
sM3w8yGhZKnvN+dpMGOtPKcNNEtYYNpetrJs8FGaXgJG1h4/XJNsaM0DMcHoMr9ArYvj/C
u6qW8hA3uOfpiqhAXZAAABAQCqLMu9UcNxr/4ajarrn11RGy/DrDWPNnFdo8ilHGf+XLAQ
S6lCWlRLnCQ1UYCqdvqv4RHBhMLV4nnwk1iZOLE0sY0dCbROdYC7fI2glVpKEil92RX5XZ
v7byyEm6knck6+5VlAYYWw9LRn1MAFIcgnOYUQTru3N818GHGippFfFeOs3A9HWVGfoTEK
aC+mLwi6KOnrgFXh+7KBp3wNd49slfMl2bNf1fU9XlIC7Z1Mygq3zqhej71rONFjQPCdzV
P4Bo6ZeVgzpjPfI9OYO9utJgVMeMHumPAa0kuPzGQBenQUIwxROyVJMMXV9Uxdsao779Yq
6ygExbWIkZJ6IT55AAABAQDRt/blHPBpV37vkej76bCUOwLhNAoCY6NTz7btacclOzIOaE
Q1AiEtWIM6QIPi8x6aa/UEnn08VQDsUowUbN7PUo+Yu7HA3y09v7aBKNNsk4S+3Y4uy438
Y0sA8Omdvf900vFirc7SKpLcZ02AfJBA342yetPNimVJ99dM4WSp7mBQgVrABwlfHfl5PC
wwFMjedz/NKHtKP0VL4+HdyZCj0sbeXvYh5wsKMQQ8AIu+gtm1sV2LEG1Nd+m+g/NyradA
9RPUYxtJzDCQHRXlPsBc9hXm/N3hIJkykjJ6LP94Bu/AcxmzJyM82NsQDsU9Bvn6Z3CcTW
8Ia11aM6HqN2lHAAABAQDPIep90nAI1QSBqA0SQsFPPpEHE4YuBqIeQ02ZjBdEa4D+7JVX
8Et3aWD4famjna3LCRs0CyOJsueMIRnqc1gmdJvTQ+p8FZqqvlvyFHmE/8of7JQda8bBWQ
Xn/aZJqnhvWBBSRQy/+4AZfjgMwqLltjoEfvJbON0bhfwBvKPqRJR/FKU0xlMd6qq4+TSg
/kKegOdARslo2W1mA7B19T/i9s0HHt5168Un3qy63UaAZMUYcvUVth2UPN2RQA5Pn4yMVJ
CMdD/xmRVGSb20Wh7M7oQLPvuePzUob1ugncBtFq0FWPx0qMJQr3R3U+hg+kVdeNn/4kGV
c98vIV8ARuRtAAAAEGFybmR0QG1lbmVkZXYuZGUBAg==
-----END OPENSSH PRIVATE KEY-----

#2

My guess is that your one is not an RSA key. I just did the same on a Linux Mint (basically Debian) system and got this:

-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEA1eSVzRYA6oc9dH7TdLzbm6k1SYpQLuXzEPCCWdSTndBQarZp
GfgC0B2r8R0vGmklbbs9cA99/vBf/3rwfog15ndTnxMlRI2xN5VsZpdDRkDrX3Uu
4HrfaRSK7eNZXO4OaE5JGp3WyfD2se6qwWCDVjIgcOjkstcptbSgD2FdEAZHjtDF
SbRv9I78lg0AguGNHaGUk0jSCpHxKpK5GpRmM8ae82WziSmxky08+iVl1k8+cE1Q
8eUAYFuSaUyHjKa+nwhFmf3o5TxHNlLu9laikUuEARntF5ilzK0s0zozwh0btqBu
KpEzD4zrbw8JGubiF3zaZ9xbSSL0rhMp6LeMukxVakfyUz2Ei88lJQqM0BHtSSW1
Arimy/BLtiHbmTWNJEmLp8nOCdF2MyPRF3/lU99J90VNjDOoMpH3jlfXR2LKiz1G
p7bzsi9rWQKmwBMlh/hCvnIXT5Kxk4Dyhwmzh4EmfJeZQW7GX0BWG5Usd002l84H
40LrTTE35hn0Y82E3845w6CjQMZxGkyeJ98oVDnvreYZIH4IqgCJ9tjBLlNZdqK2
NRylWDsLORudGIbtFNs2Uu6GDirLSGKrra8aSPQLVgL/p3nOcYDMxhZtshc2y/xl
BP9GUVP1vflXfv3U/irCKALNlCbBQYuld5qKHnzlwHq+yhisTJTCrUnLn1cCAwEA
AQKCAgA4e0Y7g+X2CIRn8N2x4/Ux47rYkped6scG4Bvr0MCyWcICi+yxGNbVUiCH
aSd5F+70TQ9qOg0RdzRCaJp9L0bcdwIz7YBX2/rCLMkVRjhTou0EphMc4BWC0BPn
wbNlYM+ZJ6MSTj/bz6+1SMr6iZvk9ROv/S/3Me4nt2zU4ucKRj47LlIKpoUx1VhJ
32EVLq5u9q4fPomIlQVUMq6CoFFktrxelaqVO9dSgA2sGJgNwZtBWIlZdxlkWIoP
GFBrCdUoday7f1syvXoolDnZ/wKqz4AqMkhzhLGznL9LgAEO71TUIwU0ZGdRYesB
xrymx/VIMoYSCxRn+b0XAqR8eYvFYkTel/UwLGXWcBP7ggsIMh++y+92GHcXJtBs
cx5NmodxXZBqX3Ju7xFk7pvnoZihvpmw2b0j7WjoAkBIvZnrJmLk6N5MPFXT2nsI
JRydX5q4eDaM6IKBe0BGSLyypCF8GQYZ35f84bv8eOF/SIARxWR4GBYlPDZuYftN
lY8gUiIt9G0Q4E6PUSsPsNcvoGTUoKDHG1uIPEHLbNeFYoqLFPoy1rnEcHHCFnCE
k9za5r3zM/G0q38wb0vx4deHLkO0u04MnAP95koYqznonbHLXjwLMXfo4aHIMNUw
qC9iajVTSYn6aWHWr2TBIn1LflCWTNRnAcoW3XhsmsSrGQfDUQKCAQEA/i6+E2NA
rSHINeflcUJaWt9UYEgy09b5q7NXn8AiGi3xhJRR0RfDVEjoWhVl15xulzbxHMDy
8dGWkaGsAC2eWpT4jg4fUOyxtURI7/6NTyfiQIJArHDuv+JQVuhDq8nTGfQuiRyc
PTs1WHVENjUo8FMGztbGsTLA2f8dOI3o4Bm2jM0yTGMKT7gaNUSfMWhXy/vdvHUH
XZhLnexMxv5M9z+iDtjJ7gloyHtCE+hIXs7c+OMzbMpEIKdUzxn/cKuS2sJbXe6G
bU1o8bV7PzG2MoKIRRECc2xBeFxagDefAHfOA1WJ0VQhfq3fM560KGQBVrLcoCZb
Xg5wP+2WDYUE2wKCAQEA12wYn11HYSr0RHEtKrkp7jO5A5Rd7tprIrn9Hu1Fr/30
H3DQMI6Jco0PJPYXaG+pcTS6yLGOLyhkKDY+NLaEySmpHQ1wx779KLikUl9DiX/o
1ST5sD0sdh+BCpObQIDhmgVSf7YQHkVW+wzF07fuR0I3fl/s32qVJqXP8EVn4rON
++JMFGKJe85CZJVgr5PUd9AjLS6IbdVJyNkY9BakL1HWdRZh46M0lcJ7NfTLXrCi
xtOhuQApU3nwHj5D298PlCuLDHzR9rMqgMr3D8PxAXCkM02VtZ29kpAMFoRHKLXF
/WULfXmQsmEvaNMMhuMJCjr/sM4XGrg4Szpc0vg6NQKCAQBnYlutRxFnWfY09r07
8+EMVQncn4EM6MNkMu3Q7DTysP0rD6i3gxLPlVfsTAfASsAwgQhQyaoG8Vhso3Vy
HRvre+wc22GhaKRfNgb0lnSjXXWJB3GGsehp44MJ1i6wEMbsJ4VF/30M6qgn8ops
AfNEzIBYYMMwD5ShFkKsXgv6GntFibCLoTzwb9E5GVAmqGoNbcQigvcb+nXHJfWU
epqTdi5UG5kGWI1l/bxCnJfS+BCoqsCf3yUWovi7w7dB/Icesy62Ze4HRxUIOuiG
K5IPuUfzz5dPmxiF/ApTXEwvxIrmkEQeADofbFj8hfCA/SwON3HFMdS3zOebGOeP
WCtBAoIBAB3yui2VkzHP/etx7HyPB2RFLohv3Osy1EgcoTLme5Su8nxYe6j0d+lD
8QILcE+ljmHdmcYC4ShvLhVlDRrY8PbiYs9WKgKq65j4qmeFNOdtr9nJ7ShyKLc3
RAJLaP77q+F0sfZtQipjK2d1bB8159tiOkLIZS7eK2QXEyRtEbczjR6iZD9FP6XF
k/dVyP4/x/7sIafLW04ho8NXYx+z8hleADmA5hT2gH39bpGeuZMtbUPE8iu8+QHQ
5u/daiOsDAdmUktnIu1wFQ2YqeY4ME4p8bnsJE7+Yfd5LSUIOLhRJPhITuOfvdz+
o8+n34r1DzGr6BYVYKLnT3Qt5e+ycK0CggEAY89me0CSYdT3g+64Xw/VxC9kgRk3
5MKzGY0u+9VovWA6THFCFH/XvI05yCCERV1kZStg9dCWvo7tlUy2c7mnT+9VrZyV
Qs7+pAMqcyl9TzASP3LdbN/DD5vfGIdGl1xx75emxsMxwmdrbKAlHdES47UmmhWx
90cv8FyHk5WCOjsmWgJZf+0MNo/Cn5+tbswGXcXOpo4nUU80f+ba1MJ6n1Lfy+rk
6ZI/4CnnYbtt/5xSxeFAXgViIqcokEZoZ/fvcb03mgjJfZLQC0ZTDUJDgHs5G+TY
r5XKhogjvtiBSBP4vIw0VxHmRtlLYo/IfeaHRBhLCUkL8x+v7UMhlB+jMQ==
-----END RSA PRIVATE KEY-----

My experience is that all RSA keys start with MII, so I wonder if the rsa thing did not work in your case. Try spinning up an Ubuntu/Vagrant VM and doing the key gen again? What OS are you using?


#3

I reported the lack of on-screen messages here, thanks for confirming it. Perhaps you could post on that one to confirm it is an issue for you too? I had wondered if it was my NoScript interfering with the JavaScript app.


#4

Thanks for looking into it! I’m on Fedora 28.
When I run ssh-keygen -lf keyfile it reports

4096 SHA256:J9yAgvE+2bCc7cuZJ/nFKIR+r5pYQ6C2f2k1lZ2iNPg my@mail.com (RSA)

Running ldd /usr/bin/ssh-keygen yields

linux-vdso.so.1 (0x00007ffdca553000)
libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007f2dc17a7000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f2dc131b000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f2dc1117000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007f2dc0f14000)
libz.so.1 => /lib64/libz.so.1 (0x00007f2dc0cfd000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f2dc0ad4000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2dc08bd000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2dc0694000)
libc.so.6 => /lib64/libc.so.6 (0x00007f2dc02d5000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2dc00b6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2dc1c14000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f2dbfe36000)

When running ssh-keygen in ubuntu:18.10 docker I indeed get a key that starts with

-----BEGIN RSA PRIVATE KEY-----
MII

and the key is accepted by Circle CI.

This change must have been made very recently, a few days ago I was able to generate a new, working key on fedora.

Some more versions:

ssh on ubuntu:18.10 apt-cache policy ssh reports Installed: 1:7.7p1-4
ssh on fedora: openssh.x86_64 7.8p1-1.fc28

Using ssh-keygen in fedora:28 docker image yields again an incompatible key using openssh-7.8p1-1.fc28.x86_64.


#5

To get a usable private key using openssh 7.8 the command now is

ssh-keygen -t rsa -b 4096 -m PEM -C "my@mail.com" -f keyfile

I added an “Idea” for this: https://circleci.com/ideas/?idea=CCI-I-583

And the release log is actually quite clear about the problem:

Potentially-incompatible changes

This release includes a number of changes that may affect existing
configurations:

  • ssh-keygen(1): write OpenSSH format private keys by default
    instead of using OpenSSL’s PEM format. The OpenSSH format,
    supported in OpenSSH releases since 2014 and described in the
    PROTOCOL.key file in the source distribution, offers substantially
    better protection against offline password guessing and supports
    key comments in private keys. If necessary, it is possible to write
    old PEM-style keys by adding “-m PEM” to ssh-keygen’s arguments
    when generating or updating a key.

#6

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.