Can't add an ssh key in "SSH Permissions"

Same situation as Unable to add private SSH key to “SSH Permissions” except there’s nothing wrong with my ssh key.

I tired every type of ssh key and every bit length I could think of. Looking at the network tab I get a failed request to https://circleci.com/api/v1.1/project/bitbucket/<project>/<repo>/ssh-key and the response is the same:

{"message":"it looks like private key is invalid key.  Double check"}

I double checked a million times, I tired to make the API request through the CLI via curl, constructing the json request manually using the real ssh key, etc. Nothing works. There’s nothing wrong with the ssh key itself. This is one of the ssh keys I tried:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAxwOn88RzKHXq/9fJbR3xh3sXbUOhg6yam0Vn6FBSy7xAqV2UUHgV
m4rHXAU6H+EiDcOea8L+fNrSC+bildVe1U94uuT491laUuUsPyVkQiZ3drIVZwLkCbyxA+
Pe6D1DB/dpXfrQP5pqdW1pHUQw5x5kthsBN/T6YpzATlJT8KnVmYrE6aLKduDfJD5y66Cr
GSy0vpkGZUnX1YcbJU9wVnSJbxqq/+2ZxYJU3SEo/diK3/Dz93HCBl5yaeAIDWT89GKee4
DSes+j92Tb799jfszh02/st6/usjcWhJ/DXIyIGG7ISdWG2leSGprDSPCO4GIv7hh9s4Dx
P+8IcLWOUQAAA8jBv2rywb9q8gAAAAdzc2gtcnNhAAABAQDHA6fzxHModer/18ltHfGHex
dtQ6GDrJqbRWfoUFLLvECpXZRQeBWbisdcBTof4SINw55rwv582tIL5uKV1V7VT3i65Pj3
WVpS5Sw/JWRCJnd2shVnAuQJvLED497oPUMH92ld+tA/mmp1bWkdRDDnHmS2GwE39PpinM
BOUlPwqdWZisTposp24N8kPnLroKsZLLS+mQZlSdfVhxslT3BWdIlvGqr/7ZnFglTdISj9
2Irf8PP3ccIGXnJp4AgNZPz0Yp57gNJ6z6P3ZNvv32N+zOHTb+y3r+6yNxaEn8NcjIgYbs
hJ1YbaV5IamsNI8I7gYi/uGH2zgPE/7whwtY5RAAAAAwEAAQAAAQAUbXyk2epUId5wSm8D
g0pSdMEP1xxSDrqD65jh0LTe8sDUYaWiqODW6WTTPjocIZjEPusY9pf2quNak2V4qcElNh
YXYP9pLEPINHvZM3ZaD+a9SURHIZXUpgipdI9h2T/zJmMrYV5U2P3KdeOPPHukjYsa4iS6
4Kt+ycY3g93X2viZ4sAj5pRO3dKEdO0bqFT1cedi5gm2JImJxrY+Ud04YdYtzzZsmbbb0N
ZA1UJ2aTv6rJ+bkGu6rWfJXFyPkRyblNUeg+pvJhcq2zy40lPb2TYxmn6f2hG9/C9RHNfI
DahNRgtK5Kp2FhMHoprK5dFF8bW/F3PXl6A/spOH2FdtAAAAgGuI9olRWPK5N2TbX0jtPy
EkGn2LCiPQ4MvC+wh5VdVTsS/VbUrtCO4eVzBaUHQXQe4NkCUkWSkSKmAJOKhDyD8icO0d
rtjLi0HnZCU+fydfpB7ka9jNUNIxfqyJqR0xG3SXg1GptRGx3nRHS8pn/y5mkCg974SDRr
myLTFsgGfsAAAAgQDj5q1mhZyz2bBYxav+WZAgVnKgL0OQ3JOQc09vIJgNEzZdt6+teCwZ
td4EaxuPdBheqvAfxtRe2tUtEBTJcQdAtlU5zWeK4IX9O6EVy3HZ8GzI5Q0K6VHnct0eIS
6tO9efezy79cp92rTT1cChHQXdlNUFY1UacsfzxQ7g6gJR4wAAAIEA3402395/U1VzJUdq
2yVv7Iiyg3/d+rjES6JLJ9miIdXx7I7CeKWzSbxPykYfzw6JxsEZ29T50DITn5bn08qdvP
ok9goKLG20Yp2vd+XTFPJ1e6eJ4V/T02nmf4M2S2jX6AH92jYiC5iF0QqaVgWvjDMyTRqk
1OKX40kRRoaDxTsAAAAQdkBsaW51c3B1dGlubXVzawECAw==
-----END OPENSSH PRIVATE KEY-----

I saw that through the browser the == signs at the end of the base64 were being stripped. Tried sending the payload with or without them.

This is the json payload I tried sending manually:

{"hostname":"","private_key":"-----BEGIN RSA PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAsZY8fWFBPU5sCvRLE5eYZLlgq16Re49Z4U1S0L4o2xS3SNToXLpZ\ngoHIb/XpJ3MAQjBxP5Ss27i194yFqsaIZq6D5fmGiF+NBLCovtkNV9ZPlqBBzMKBqHtvVR\nfigdiR4iC3whknyPzO5eCjX4DXhFjKHoJH6XzXOvRasT9kfM+KhIn3yYPlQ8wiDUYOHBN8\n4Xp71XlXS5JGVAaC6g3Y2hpf4dVcPd4GTEq6EcSqWTVfoNeuhmk5sYJu/cbNrxpNNq1JNG\nsMhnTbyRBoNW0KXGEdtNuFsqcfpgHiIV/ZKMKBDoqHHr9qjpNYrnztarDVhB7cuWlQYbnb\nYEXIH3u6ywAAA8gkkMWhJJDFoQAAAAdzc2gtcnNhAAABAQCxljx9YUE9TmwK9EsTl5hkuW\nCrXpF7j1nhTVLQvijbFLdI1OhculmCgchv9ekncwBCMHE/lKzbuLX3jIWqxohmroPl+YaI\nX40EsKi+2Q1X1k+WoEHMwoGoe29VF+KB2JHiILfCGSfI/M7l4KNfgNeEWMoegkfpfNc69F\nqxP2R8z4qEiffJg+VDzCINRg4cE3zhenvVeVdLkkZUBoLqDdjaGl/h1Vw93gZMSroRxKpZ\nNV+g166GaTmxgm79xs2vGk02rUk0awyGdNvJEGg1bQpcYR2024Wypx+mAeIhX9kowoEOio\ncev2qOk1iufO1qsNWEHty5aVBhudtgRcgfe7rLAAAAAwEAAQAAAQBUaRPhiMvIxzDl2A6j\nhmgiYFcJvc6rC41uYSGfJPQohmVEUicMhGstdGEAjsO/Q5N44qvBy/qKCfc8bmfOr8WAAS\n2ir4N56OkPtKTQ6jzEZpK4Bv6fxEh6/AkESnEYxQc6k9Ckiu51Q21YqPke2RAX0VhpPgXO\nfs+TLzi4jWhHRlgyJW9/1UJyw+HPU2Y3YQSQCLe7oQTUpxnfef5CVwPU6yYl3ry1s2ICPp\nw7mrE/hF9vWbsRxFxBAY1rOZtgZmNhBoP54lHwd2/aMGehHG9wFib+wD9kWovi4N0SbKaM\nqqANl+jBd8DuHSYCmVYyl3aPl6k+QKZfvws3TLOvlJxhAAAAgQCtqzra9AFmCUjD4zGe7/\nwzlP8bXMrVGV9bpGCFDdchWF0/VSCTYg2frDYqrt9nl/ISUx7W7YoSmzi8K8iyDd1ClTL3\nD020i4EScyzn7hjPJhyQDhYijvRm2rnV7UZdYTOcRJpboRLTHbS1g3H3UzNyp0CY5pr4jq\nyrskGUtz3MJgAAAIEA3lN4nAKnL35qaWZ4QJO8M6UVujMyIeVWEA2vFoOXQtjY8vyoAZei\njxlQwwSn0/qeWaOC/TmCrEc4VgzAKdOup0M0z/V5GFFLQBMize9qlRriZigA+Tmnp69Qoz\nnJnHXqZfxjbfP0s6LJ03tmmruZYKxiRDv+UI623rbAJvPDqBEAAACBAMx8CSbPMnzR4O6G\n/XzXbe1f0bih3oo4a5ORwm7BjtHMxGMubOp0AL3vT/At3s8R9bp58IT+LS+tYhDhplgrQJ\n7Usea3DJ1ceXoJRfj/nyFevPWwBEVADkA5tmYaMAV6oaF1aRP6fYLT+H5bI5jGslUODlu1\nxRjBKJ4efW2XkfEbAAAAEHZAbGludXNwdXRpbm11c2sBAg\n-----END RSA PRIVATE KEY-----"}

I tried everything now and literally nothing works. Please give me an example of an ssh key that can be imported because I can’t find one.

Edit: I also tried changing the headers to RSA vs OPENSSH key… I have no idea what to even guess any more.

I ended up trying to generate an openssl private key instead of an openssh private key with openssl genrsa -out private.pem 2048 and that ended up working. The key in the original post also works. Now I need to figure out how to generate an SSH key that can be imported.

Okay, mystery solved. I hope I’ll end up saving someone the head banging I had to go through.

First of all this works:

openssl genrsa -out ~/.ssh/circleci 2048
ssh-keygen -y -f ~/.ssh/circleci > ~/.ssh/circleci.pub

Normal openssl RSA keys work. Old versions of ssh-keygen used to use the same format, but my new version (7.9) defaults to “RFC4716” as the storage format for private keys. To generate a private key directly in the old openssl compatible format, use:

ssh-keygen -m pem -f ~/.ssh/circleci

openssl genrsa -out ~/.ssh/circleci 2048
chmod 600 ~/.ssh/circleci
ssh-keygen -y -f ~/.ssh/circleci > ~/.ssh/circleci.pub
chmod 600 ~/.ssh/circleci.pub