Skip to content

Why my private SSH key does not work in Rahti?

Mismatched keys

There are few reasons why a SSH key may not work, the simplest one is when the private key does not match the public key. In order to check this, you can re-generate the public key from the private one by doing:

ssh-keygen -y -f private_key_file

Please check that the generated public key matches the one used. Some servers also generate a key fingerprint, you may generate this fingerprint from the public or private keys, the fingerprint must match. The command to use is:

$ ssh-keygen -l -f repo-openshift-builder
2048 SHA256:ijP8/1P3ZSOBrJDD2PoCWmJceKd5JwDAmzmEqsH1itk openshift-source-builder/repo (RSA)

$ ssh-keygen -l -f repo-openshift-builder.pub
2048 SHA256:ijP8/1P3ZSOBrJDD2PoCWmJceKd5JwDAmzmEqsH1itk openshift-source-builder/repo (RSA)

Passphrase protected key

Another common reason for failure is when the private key is protected by a passphrase. Even though it is generally recommended to protect a private key with a passphrase when storing the key in a workstation, Rahti does not have any mechanism to store the passphrase and will then fail to use the key. To check if a private key is protected with a passphrase, you may use the same command above to generate the public key, If the key is protected, the command will ask for the password.

Miscellaneous format errors

The SSH key format is strict. A private SSH key can be considered invalid in the following cases:

  • The key is encoded using DOS format line endings. Text files created on DOS/Windows machines have different line endings than files created on Unix/Linux. DOS uses carriage return and line feed (\r\n) as a line ending, which Unix uses just line feed (\n). The solution is to use a tool like dos2unix or recreate the key in Linux.
  • The header (-----BEGIN OPENSSH PRIVATE KEY-----) or the footer (-----END OPENSSH PRIVATE KEY-----) of the key is not copied correctly. There must be 5 - characters in both ends of both the header and the footer, and there must be an end of line after the footer, i.e.: the last character of the file is not a '-' but a newline('\n'). This problem is created normally by copy paste errors when the end or beginning of the key file are not copied correctly, and it is the source of most common "format errors".

As a general rule, use ssh-keygen -l -f <file> to check the formatting of the key is correct.

New OpenSSH private key format used

The most obscure reason is that Rahti expects the key to be provided in PEM format. PEM used to be the default key format for OpenSSH private keys, but now it is considered a legacy format. Newer versions of OpenSSH will generate keys in OpenSSH's own format that is not recognized by the current version of Rahti (v3.11). When generating keys to be used in Rahti using ssh-keygen, please use the parameter -m PEM. A complete example would be:

ssh-keygen -C "openshift-source-builder/repo" -f repo-openshift-builder -N '' -m PEM

This will generate two files repo-openshift-builder and repo-openshift-builder.pub.

For a comprehensive guide of the whole process of using SSH keys to clone a private repository in Rahti, please follow: Repository SSH Keys guide.

Last edited Fri Aug 27 2021