This error occurs when OpenSSH cannot load or parse a public key file due to format incompatibility or corruption. It typically indicates that the key file is in a format the installed OpenSSH does not support (PuTTY format, or a format an outdated OpenSSH version cannot read), is malformed, or has been corrupted by extraneous characters or line breaks.
OpenSSH relies on strict key file formats for security. When the SSH client or server attempts to load a public key using the `key_load_public()` function, it validates the file structure against expected formats. If the key file contains unexpected bytes, incorrect line endings, UTF-8 BOM markers, or uses an incompatible format (such as PuTTY's RFC 4716 format instead of OpenSSH format), the parser rejects it with "invalid format". The error can appear as a warning (SSH still works) or a fatal error (SSH fails), depending on whether the key is required for authentication or just optional.
Check what format your key file is in. The first line should indicate the format:
head -1 ~/.ssh/id_rsa.pub
Expected formats:
- OpenSSH public key: ssh-rsa AAAAB3NzaC1yc2E...
- OpenSSH private key: -----BEGIN OPENSSH PRIVATE KEY-----
- Old PEM private key: -----BEGIN RSA PRIVATE KEY-----
If you see something else like ---- BEGIN SSH2 PUBLIC KEY ---- (PuTTY format), the key needs to be converted or regenerated.
If you have the private key but the public key is corrupted or missing, regenerate it:
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
This extracts the public key from your private key in the correct OpenSSH format. The new public key file will have the correct format starting with ssh-rsa.
If the key was edited on Windows or copied through certain tools, it might have a UTF-8 BOM (invisible byte sequence at the start). Remove it:
sed -i '1s/^\xEF\xBB\xBF//' ~/.ssh/id_rsa
sed -i '1s/^\xEF\xBB\xBF//' ~/.ssh/id_rsa.pub
This removes a BOM (bytes EF BB BF) from the beginning of the file; the \x escapes require GNU sed. After this, test if SSH works.
If you transferred the key from Windows, it may have CRLF (\r\n) line endings instead of LF (\n). Convert them:
# On Linux/Mac using dos2unix
dos2unix ~/.ssh/id_rsa
dos2unix ~/.ssh/id_rsa.pub
# Alternative using sed
sed -i 's/\r$//' ~/.ssh/id_rsa
sed -i 's/\r$//' ~/.ssh/id_rsa.pub
Verify the line endings:
file ~/.ssh/id_rsa
The output should show "ASCII text" or "OpenSSH private key". If it shows "CRLF", the line endings weren't converted properly.
If the key is in PuTTY format (.ppk), you need PuTTYgen or ssh-keygen to convert it.
Using PuTTYgen (on Windows):
1. Open PuTTYgen
2. Click File → Load Private Key
3. Select your .ppk file
4. Click Conversions → Export OpenSSH key
5. Save as id_rsa (without .ppk extension)
Using ssh-keygen (on Linux/Mac/WSL):
ssh-keygen cannot read a .ppk private key file. It can only import a public key that PuTTYgen saved in SSH2 (RFC 4716) format, shown here with a placeholder file name:
ssh-keygen -i -m RFC4716 -f putty_public_key.pub > ~/.ssh/id_rsa.pub
To convert the .ppk private key itself, use puttygen if installed:
puttygen id_rsa.ppk -O private-openssh -o id_rsa
If your private key shows -----BEGIN RSA PRIVATE KEY----- but you're getting invalid format errors, it might be old PEM format. Some newer OpenSSH versions prefer the new OpenSSH format. Convert it:
ssh-keygen -p -m RFC4716 -f ~/.ssh/id_rsa
Or regenerate using the PEM format explicitly:
ssh-keygen -t rsa -b 4096 -m pem -f ~/.ssh/id_rsa -N ""
The -m pem flag ensures the old PEM format is used. Alternatively, convert to new OpenSSH format (the default output format in OpenSSH 7.8+):
ssh-keygen -p -N "" -f ~/.ssh/id_rsa
Note that -N "" stores the private key without a passphrase.
SSH requires strict permissions on key files. Even if the format is correct, wrong permissions can cause issues:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
Verify:
ls -la ~/.ssh/
The private key should show -rw------- (600) and public key -rw-r--r-- (644).
After fixing the format, test if the key loads correctly:
ssh-keygen -l -f ~/.ssh/id_rsa.pub
This displays the key fingerprint, which confirms it's in valid format. If it still fails with "invalid format", the file may be truncated or corrupted. Regenerate the entire key pair:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
Or for RSA (4096-bit):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""
Then add the public key to your servers' authorized_keys file and test the connection.
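The checks from the steps above (first-line format, UTF-8 BOM, CRLF line endings, private-key permissions) combined into one read-only shell function. This is an added example, not part of the original article; the function name diagnose_key and its output labels are made up for illustration, and the PuTTY-User-Key-File- prefix is the first line of a .ppk file.

```shell
#!/bin/sh
# Added example: report the key-file problems covered in the steps above.
# Prints one line such as "format=openssh-public bom crlf". Modifies nothing.
diagnose_key() {
    f=$1
    if [ ! -r "$f" ]; then echo "unreadable"; return 1; fi

    # Classify by first line; strip CR and BOM bytes first so those
    # defects do not hide the underlying format.
    line=$(head -n 1 "$f" | LC_ALL=C tr -d '\r\357\273\277')
    case $line in
        ssh-*\ *|ecdsa-sha2-*\ *|sk-*\ *)       fmt=openssh-public ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")  fmt=openssh-private ;;
        "-----BEGIN RSA PRIVATE KEY-----")      fmt=pem-private ;;
        "---- BEGIN SSH2 PUBLIC KEY ----")      fmt=rfc4716-public ;;
        PuTTY-User-Key-File-*)                  fmt=putty-ppk ;;
        *)                                      fmt=unknown ;;
    esac
    out="format=$fmt"

    # UTF-8 BOM: the file starts with bytes EF BB BF.
    first3=$(od -An -tx1 -N3 "$f" | tr -d ' \n')
    if [ "$first3" = "efbbbf" ]; then out="$out bom"; fi

    # CRLF line endings: any carriage return in the file.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then out="$out crlf"; fi

    # Private keys must not be accessible to group or others (mode 600).
    case $fmt in
        *-private|putty-ppk)
            perms=$(ls -ld "$f" | cut -c5-10)
            if [ "$perms" != "------" ]; then out="$out loose-perms"; fi ;;
    esac

    echo "$out"
}

# Run against a file when one is given on the command line.
if [ $# -gt 0 ]; then diagnose_key "$1"; fi
```

A result of format=rfc4716-public or format=putty-ppk points to the conversion steps, while bom or crlf point to the sed and dos2unix steps.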
Advanced troubleshooting:
OpenSSH Version Differences: OpenSSH 7.8+ (released 2018) changed the default private key format from PEM to OpenSSH format for better security. Keys generated before this on one system may not be recognized by a newer OpenSSH version on another system. If upgrading OpenSSH causes this error on existing keys, regenerate the public key from the private key using ssh-keygen -y.
Ed25519 vs RSA Keys: Modern OpenSSH prefers Ed25519 keys for better security and performance. If you have old RSA keys showing format errors, consider migrating to Ed25519 (the -C comment below is a placeholder address):
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "your_email@example.com"
SSH Agent and Corrupted Keys: If the error appears when using ssh-agent, the problem might be that the agent cached a bad key. Clear the cache: ssh-add -D then reload keys.
Check Key Integrity: Use ssh-keygen -l -f keyfile to verify a key's fingerprint. If this command also fails, the key file is definitely corrupted or in an unsupported format and must be regenerated.
Distro-Specific Issues: Some Linux distributions (CentOS 6, older RHEL) ship with very old OpenSSH versions that don't support modern key formats. If you see this error on legacy systems, either update OpenSSH or use older key generation: ssh-keygen -t rsa -b 2048 -m pem.