Today I ran into a problem where a gitlab-shell workload was reporting:
Error loading key "ssh_host_ed25519_key": invalid format
The private key looked similar to this and fine at first glance:
ssh_host_ed25519_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
xxxxREDACTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxx==
-----END OPENSSH PRIVATE KEY-----
In my case the error was reported by gitlab-shell, so I was searching for a way to validate whether the key file was correct.
This test:
$ ssh-keygen -l -f ssh_host_ecdsa_key.pub
256 SHA256:XYZREDACTEDXYZ/I [email protected] (ECDSA)
did show it was correct, even though the key was not usable for sshd (ssh-keygen -l on the .pub file only fingerprints the public half, so it says nothing about the private key file).
But this did validate whether the private key actually loads:
$ eval $(ssh-agent)
Agent pid 5464
$ ssh-add ssh_host_ed25519_key
Error loading key "ssh_host_ed25519_key": invalid format
The problem was that https://external-secrets.io/ injected the private key with the trailing newline trimmed.
If it had been added like this (note the |+ instead of | as the block scalar indicator):
ssh_host_ed25519_key: |+
-----BEGIN OPENSSH PRIVATE KEY-----
xxxxREDACTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxx==
-----END OPENSSH PRIVATE KEY-----
it would have worked. The proper fix is to use the advanced templating described at https://external-secrets.io/guides-templating/.
But a small trick also works ;):
ssh_host_ed25519_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
xxxxREDACTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxx==
-----END OPENSSH PRIVATE KEY-----
#
As you can see, I added a # line at the end (a comment for sshd).
If you try again:
$ eval $(ssh-agent)
Agent pid 5464
$ ssh-add ssh_host_ed25519_key
Identity added: ssh_host_ed25519_key ([email protected])
It works!