This error occurs when you try to generate an SSH key with a type that ssh-keygen doesn't recognize or support. It's usually caused by a typo in the key type name, using an unsupported algorithm on your OpenSSH version, or trying to use deprecated key types.
When you run ssh-keygen with the -t (type) option, you must specify a valid key algorithm. The most common valid types are rsa, ecdsa, ed25519, and dsa. If ssh-keygen doesn't recognize the type you specified, it means either: (1) you misspelled the key type name, (2) your OpenSSH version doesn't support that algorithm, or (3) you're trying to use a deprecated key type that's no longer available. This error prevents key generation and must be resolved before you can create SSH keys.
First, verify which version of OpenSSH you have, as different versions support different key types:
ssh -VThis displays your OpenSSH version (e.g., 'OpenSSH_8.2p1 Ubuntu-4ubuntu0.7, OpenSSL 1.1.1f 31 Mar 2020').
Key type availability:
- OpenSSH 6.5+: ed25519 support added
- OpenSSH 7.0+: DSA (dsa) deprecated and disabled
- OpenSSH 5.3: Only supports rsa, dsa, ecdsa
Use one of these standard, supported key types:
Modern systems (OpenSSH 6.5+):
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519Ed25519 is recommended for new keys—it's fast, secure, and works everywhere modern.
Broader compatibility (supports older servers):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsaRSA with 4096 bits is the traditional fallback if you need maximum compatibility.
Elliptic Curve (modern, good compatibility):
ssh-keygen -t ecdsa -b 521 -f ~/.ssh/id_ecdsaECDSA with 521 bits provides good security and is widely supported.
Always use lowercase key type names: ed25519, rsa, ecdsa (not ED25519, RSA, etc.).
Do NOT use DSA keys on any modern OpenSSH version:
# Wrong - DSA is deprecated and disabled in OpenSSH 7.0+
ssh-keygen -t dsa -f ~/.ssh/id_dsaIf you're stuck with an old system that requires DSA, you should upgrade that system. DSA is cryptographically broken and should never be used.
If you must generate keys for a very old OpenSSH server (pre-6.5), use RSA instead:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsaThe most common mistake is misspelling the key type. Verify these common errors:
Wrong (typo in type name):
ssh-keygen -t rsa2048 # ❌ Wrong: '2048' is not part of type
ssh-keygen -t RSA # ❌ Wrong: Must be lowercase 'rsa'
ssh-keygen -t ecdsa-256 # ❌ Wrong: Use -b flag for key size
ssh-keygen -t dsa-sk # ❌ Wrong: Unsupported type on most OpenSSH versionsCorrect:
ssh-keygen -t rsa -b 2048 # ✅ RSA with 2048-bit size
ssh-keygen -t rsa # ✅ lowercase, default 3072 bits
ssh-keygen -t ecdsa -b 256 # ✅ ECDSA with -b for key size
ssh-keygen -t ed25519 # ✅ Ed25519 (no -b needed, fixed size)The key type goes in -t, and the key size goes in -b. They are separate options.
If you're trying to use hardware security keys (FIDO2 keys):
# These require OpenSSH 8.2+
ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk # Ed25519 on security key
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk # ECDSA on security keyCheck your version:
ssh -VIf you have OpenSSH older than 8.2, you cannot use -sk variants. Use standard ed25519 or rsa instead, or upgrade OpenSSH.
On some systems, ssh-keygen might be aliased or wrapped by a script. Check:
which ssh-keygenShows the path, e.g., /usr/bin/ssh-keygen. Try using the full path directly:
/usr/bin/ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519If that works but plain ssh-keygen doesn't, you have an alias or wrapper interfering:
# Check for alias
alias ssh-keygen
# Temporarily bypass it
unalias ssh-keygen
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519Advanced troubleshooting:
OpenSSH version matrix:
- OpenSSH 5.3 (RHEL 6, CentOS 6): Only rsa, dsa, ecdsa. No ed25519 support.
- OpenSSH 6.5+: ed25519 support added
- OpenSSH 7.0+: DSA disabled by default (deprecated)
- OpenSSH 8.2+: ed25519-sk and ecdsa-sk support (security keys)
Windows OpenSSH quirks:
Some older versions of OpenSSH on Windows report "unknown key type" for standard RSA or ECDSA. If you're on Windows and get this error, try:
1. Update to the latest OpenSSH version via Install-Module posh-sshell or download from https://github.com/PowerShell/Win32-OpenSSH/releases
2. Use ed25519 as it has better cross-platform support
SSH agent and key types:
If you generate a key successfully but ssh-add fails with "unknown key type", your SSH agent is outdated. Update OpenSSH client tools.
Container/VM environments:
If using ssh-keygen inside Docker, Kubernetes pods, or lightweight VMs (Alpine Linux), ensure OpenSSH-client is installed: apk add openssh-client (Alpine) or apt-get install openssh-client (Debian).
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH