Vagrant: OpenSSH private key format not supported

Created on 5 Oct 2017 · 11Comments · Source: hashicorp/vagrant

Vagrant version

2.0.0

Host operating system

macOS 10.12.6

Guest operating system

Ubuntu 16.04.3 LTS (Xenial Xerus)

Vagrantfiles

~/.vagrant.d/boxes/…/0/virtualbox/Vagrantfile

# The contents below were provided by the Packer Vagrant post-processor

Vagrant.configure("2") do |config|
  config.vm.base_mac = "08002763C374"
end

# The contents below (if any) are custom contents provided by the
# Packer template during image build.
# -*- ruby -*-

BASEDIR = File.dirname(__FILE__)

Vagrant.configure("2") do |config|
    config.ssh.username = "vagrant"
    config.ssh.private_key_path = File.join(BASEDIR, "vagrant.priv")
end

$PWD/Vagrantfile

Vagrant.configure("2") do |config|
  config.vm.box = "/path/to/my-custom.box"
  config.ssh.keys_only = true
end

`vagrant.priv` (this is the imporant bit)

generated with ssh-keygen -o -a 100 -t rsa.

Debug output

2017-10-05T20_37_50Z.txt

Expected behavior

vagrant up should have worked.

Actual behavior

It didn't. 😀 I received the following error:

The private key you're attempting to use with this Vagrant box uses
an unsupported encryption type. The SSH library Vagrant uses does not support
this key type. Please use `ssh-rsa` or `ssh-dss` instead. Note that
sometimes keys in your ssh-agent can interfere with this as well,
so verify the keys are valid there in addition to standard
file paths.

As we discussed privately, this was actually due to the private key being in OPENSSH PRIVATE KEY format, when apparently the SSH library needs RSA PRIVATE KEY format.

communicatossh enhancement upstream

Source

blalor

Most helpful comment

Ok, finally found a workaround for newer ssh-keygenversions ...

ssh-keygen -m PEM -t rsa

Setting the format to 'older' PEM forces the output of old-style RSA private keys.

dakcarto on 16 Nov 2018

👍5

All 11 comments

I am currently running into this on vagrant 2.0.0, is there a work-around to generating these keys in the correct format? Keys that worked with previous versions of Vagrant appear to no longer be valid.

ajorgensen on 16 May 2018

Running into this on macOS 10.14.1 hosts. The new openssh version on the OS, similar to the one you can install from homebrew, does not offer a means of generating an 'older' RSA private key.

Doing _any_ of the following results in an "OPENSSH PRIVATE KEY" key:

ssh-keygen -t rsa
ssh-keygen -t dsa

Our only workaround was to use our Mac build server, which was still at OS v10.13.6, which had an older ssh-keygen installed. (Note: OS doesn't matter here, but ssh-keygen version does.) Then the older-style RSA private key could be generated.

We could not find a way of creating old-style RSA PRIVATE KEY keys, nor converting OPENSSH PRIVATE KEY keys back into RSA PRIVATE KEY.

dakcarto on 16 Nov 2018

Ok, finally found a workaround for newer ssh-keygenversions ...

ssh-keygen -m PEM -t rsa

Setting the format to 'older' PEM forces the output of old-style RSA private keys.

dakcarto on 16 Nov 2018

👍5

The old version is also available on debian/ubuntu systems with the openssh-client-ssh1 package. Anyway, as this original issue was resolved some time ago, I'm going to close this up. Cheers!

chrisroberts on 16 Nov 2018

@chrisroberts wrote:

Anyway, as this original issue was resolved some time ago, I'm going to close this up.

Hi Chris,

I just had this error occur with latest Vagrant and latest macOS host. How was it resolved? Am I missing something here?

I would assume the fix would be for Vagrant to accept the new OPENSSH PRIVATE KEY format, but it apparently does not, at least with v2.2.0.

dakcarto on 16 Nov 2018

@dakcarto You are correct, apologies. I thought the dep update for net-ssh had resolved it but there are still issues with it properly handling them.

chrisroberts on 16 Nov 2018

👍2

I had the same issue as @dakcarto on a macOS 10.14 host. Creating an RSA key in the older PEM format is a suitable workaround but a fix in Vagrant itself would be great.

mdippery on 20 Nov 2018

Hi, somebody found a workaround? I really need use a open-ssh key, and still blocked for this issue :(

yolitals on 16 Jan 2019

Hi there. This is fixed in the latest release of Vagrant (2.2.3). The net-ssh library added support here: https://github.com/net-ssh/net-ssh/pull/646 which was included in the 5.1.0 release and Vagrant's constraint on net-ssh requires that version https://github.com/hashicorp/vagrant/pull/10550

Cheers!

chrisroberts on 16 Jan 2019

👍3 ❤1

I am still facing this issue using Vagrant 2.2.3 with a VirtualBox provider, Windows 10 host, and Ubuntu 16.04 guest. The keys worked for me, then after upgrading, they no longer do.

yusufscott on 13 Feb 2019

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.