How to convert a Putty OPENSSH private key into a RSA private key
Using SSH (and related tools) on Windows has been a pain for decades. Only in the last few years Microsoft changed their opinion and allowed direct SSH connections in Windows PowerShell. Prior to that solution and still relevant today are the PuTTY tools.
Putty itself is a widely used program to, besides other use cases, connect to a remote SSH server. To create (and manage) SSH key authentication, another tool, PuttyGen, was created.
Even though SSH is an operating system independent communication protocol, the way the SSH keys are created differ and are not always compatible cross-system.
Error loading key: invalid format
When you receive or want to use a private key, generated by Puttygen as OPENSSH key, on a Linux machine, the key itself starts with the following line:
ck@linux $ head -n 1 privatekey.ppk -----BEGIN OPENSSH PRIVATE KEY-----
Trying to load this key into ssh-agent will fail:
ck@linux $ ssh-add privatekey.ppk Error loading key "privatekey.ppk": invalid format
We need to convert this key first into a supported type. A widely used key type is RSA.
Convert OPENSSH PPK into RSA id_rsa
To correctly convert a PuttyGen generated key, we need PuttyGen on our Linux machine. Yes, you read that right. Although the Putty tools are very well known in the Windows world, they can also be installed on Linux. On a Debian-based (such as Ubuntu or Linux Mint) machine:
ck@linux $ sudo apt install putty-tools
We can now use the puttygen command to convert the existing PuttyGen private key from OPENSSH format into a new RSA private key (with a file named id_rsa):
ck@linux $ puttygen privatekey.ppk -o id_rsa -O private-openssh Enter passphrase to load key: ***********
The private key was encoded (protected) with a passphrase, so this passphrase needs to be entered to convert the private key.
Taking a closer look at the newly created id_rsa file shows it's now a valid RSA PRIVATE KEY:
ck@linux $ head -n 5 id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,2AE70D995BD60026 JOiYVtmw0u+AMbqzD8aWDSJ5nQxj+Y0FNZ7DtkCFetiS9JxQkKD8S1I9Z5ZuQJ0h
Using the RSA key
As seen above, trying to load the OPENSSH PPK key into ssh-agent (using ssh-add) wouldn't work. But now using the converted RSA key, this finally works:
ck@linux $ ssh-add id_rsa Enter passphrase for id_rsa: *********** Identity added: id_rsa (id_rsa)
Of course we can use the private key as identity file directly, without using ssh-agent in the background:
ck@linux $ ssh -i id_rsa -l myuser remoteserver.example.com
This of course also works for other SSH related commands, such as sftp or scp:
ck@linux $ sftp -i id_rsa firstname.lastname@example.org Connected to email@example.com. sftp>