dracoblue.net

Error loading key "ssh_host_ed25519_key": invalid format

Today I ran into the problem that a gitlab shell workload was reporting:

Error loading key "ssh_host_ed25519_key": invalid format

The private key looked similar to this and seemed fine at first glance:

  ssh_host_ed25519_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    xxxxREDACTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxx==
    -----END OPENSSH PRIVATE KEY-----

In my case the error was reported by gitlab-shell, so I was searching for a way to validate if the key file was correct.

This test:

$ ssh-keygen -l -f ssh_host_ecdsa_key.pub
256 SHA256:XYZREDACTEDXYZ/I [email protected] (ECDSA)

did show it was correct, even though it was not usable for sshd.

But this worked to validate if the key works:

$ eval $(ssh-agent)
Agent pid 5464
$ ssh-add ssh_host_ed25519_key
Error loading key "ssh_host_ed25519_key": invalid format

The problem was that https://external-secrets.io/ injected the private key with the newline at the end trimmed.

If it had added it like this (note that | is |+ here!):

  ssh_host_ed25519_key: |+
    -----BEGIN OPENSSH PRIVATE KEY-----
    xxxxREDACTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxx==
    -----END OPENSSH PRIVATE KEY-----

it would have worked. You can use advanced templating like this https://external-secrets.io/guides-templating/ to fix it the right way.

But what also works is a small trick ;):

  ssh_host_ed25519_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    xxxxREDACTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxx==
    -----END OPENSSH PRIVATE KEY-----
    #

As you can see I added a # at the end (a comment for the sshd).

If you try again:

$ eval $(ssh-agent)
Agent pid 5464
$ ssh-add ssh_host_ed25519_key
Identity added: ssh_host_ed25519_key ([email protected])

It works!
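
A pre-flight check for the missing trailing newline described above, as an added example that is not part of the original post. The function names `check_key_file` and `fix_key_file` and the sample key text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): detect a private key file whose
# last line is not newline-terminated, which is what triggered "invalid format".

# Returns 0 = ok, 1 = no trailing newline, 2 = missing/empty, 3 = no END marker.
check_key_file() {
    [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 2; }
    grep -q -e '^-----END [A-Z0-9 ]*PRIVATE KEY-----' "$1" || {
        echo "$1: no END ... PRIVATE KEY marker" >&2; return 3; }
    # Command substitution strips a trailing newline, so a non-empty result
    # means the last byte of the file is something other than "\n".
    if [ -n "$(tail -c 1 "$1")" ]; then
        echo "$1: last line is not newline-terminated" >&2
        return 1
    fi
    return 0
}

# Appends the missing newline to a writable local copy; leaves good files alone.
fix_key_file() {
    rc=0
    check_key_file "$1" 2>/dev/null || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) printf '\n' >> "$1" ;;
        *) return 1 ;;
    esac
}

# Demo on constructed text (not a real key): write it without the final newline.
demo=$(mktemp)
printf '%s\n%s\n%s' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'CONSTRUCTEDnotAREALkey==' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo"
check_key_file "$demo" || echo "check failed with exit code $?"
fix_key_file "$demo" && check_key_file "$demo" && echo "repaired: $demo is fine now"
rm -f "$demo"
```

Run `check_key_file` against the file as it is mounted in the workload, since that is the copy the SSH tooling actually reads.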

In external-secrets, gcloud, gitlab, kubernetes, terraform by
@ 06 Jan 2022