Dan

Reputation: 3341

ssh-add : Invalid key length

After my Mac upgraded automatically, ssh-add fails when I try it:

>ssh-add
Enter passphrase for /Users/dan/.ssh/id_rsa:
Error loading key "/Users/dan/.ssh/id_rsa": Invalid key length

>ssh -V
OpenSSH_7.6p1, LibreSSL 2.6.2

How can I fix this issue?

Upvotes: 16

Views: 36115

Answers (2)

TheAmigo

Reputation: 1072

As per the release notes for OpenSSH 7.6:

Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.

So it's likely that the key you're trying to import is too short (weak). Your best bet is to generate a new key.

Upvotes: 25
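One way to check the diagnosis in the answer above, as an added example that is not part of the original answer: read the RSA modulus length straight out of a public key line (such as the contents of an `id_rsa.pub` file) and compare it with the 1024-bit limit from the release notes. The function names and the sample keys are constructed for illustration; the sample numbers are dummies, not usable keys.

```python
import base64
import struct
import sys

MIN_RSA_BITS = 1024  # limit quoted above from the OpenSSH 7.6 release notes

def read_field(blob, pos):
    """Read one SSH wire-format field: uint32 big-endian length, then data."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def rsa_bits(pubkey_line):
    """Modulus size in bits for an 'ssh-rsa <base64> [comment]' line.
    Returns None for non-RSA keys, which the RSA length rule does not cover."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = read_field(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _exponent, pos = read_field(blob, pos)   # public exponent e comes first
    modulus, _ = read_field(blob, pos)       # then the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def is_refused(pubkey_line, minimum=MIN_RSA_BITS):
    """True when the key is RSA and shorter than the minimum."""
    bits = rsa_bits(pubkey_line)
    return bits is not None and bits < minimum

def make_line(key_type, *fields):
    """Build a constructed sample line; the values are dummies, not real keys."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type,) + fields)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} constructed"

def mpint(n):
    """Encode a positive integer as an SSH mpint body (leading zero keeps it positive)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

SHORT_RSA = make_line(b"ssh-rsa", mpint(65537), mpint((1 << 767) | 1))
LONG_RSA = make_line(b"ssh-rsa", mpint(65537), mpint((1 << 4095) | 1))
ED25519 = make_line(b"ssh-ed25519", bytes(32))

if __name__ == "__main__":
    lines = [open(p).read() for p in sys.argv[1:]] or [SHORT_RSA, LONG_RSA, ED25519]
    for line in lines:
        print(rsa_bits(line), "REFUSED" if is_refused(line) else "ok", line[:40])
```

Run with one or more `.pub` file paths as arguments to check real keys; with no arguments it runs over the constructed samples.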

Emilio

Reputation: 2752

This can happen because of the remote or the local host key. Here are some workarounds for each case:

If the error is about YOUR host key you need to generate a new ssh-key:

ssh-keygen -t ed25519

Or the older (no longer recommended) RSA key, but specifying the length:

ssh-keygen -t rsa-sha2-512 -b 4096

If the error is the REMOTE host key you need to allow the exception (or fix the remote host) for this connection:

ssh -o RequiredRSASize=1024 ...the rest of your ssh command...
  • Use RSAMinSize=1024 for old OpenSSH versions

If overriding the minimum bit length doesn't work, then most likely the remote host allows different algorithms, so you can find them and try them until you find one that works (if you send an unsupported one, it will return the valid ones). Example:

ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 ...the rest of your ssh command...

Finally, once you find the settings that work you can optionally add the parameters to your ~/.ssh/config file. For example:

Host <the host>
    RequiredRSASize 1024

Sources: https://src.fedoraproject.org/rpms/openssh/c/aa843e85eeacfe9dc380cde93b9080bca0fe140f?branch=rawhide

Upvotes: 2
