HomeDevOpsCouldn't load private key - Putty key format too new

Couldn't load private key - Putty key format too new

Attempting to SSH a cloud instance, you get this (or a similar) message: “couldn't load private key - Putty key format too new.” This issue happens when you use PuTTygen to generate or convert to a ppk key. Here is how to fix it. 

Background

SSH SSH (Secure Shell) is used for managing networks, operating systems, and configurations. It is also inside many file transfer tools and configuration management tools. Functionally SSH keys resemble passwords, granting access and control to who can access what. Currently, it is still extremely popular to access cloud instances.

When you create a compute instance, you must provide an SSH public key that will be used for authentication when you log in to the instance. For example, in Oracle Compute Cloud Service, you must generate your SSH key pair and upload the SSH public key before creating your instance.

However, PuTTY doesn't support the SSH private key format created by the Oracle Cloud wizards. You need to convert the private key to the PuTTY required format. To connect to a remote machine with PuTTY, your private key should have a ppk format.

Problem

Couldn't load private key - Putty key format too new

Attempting to SSH a cloud instance, you get this (or a similar) message: 

Couldn't load private key - Putty key format too new.

Couldn't load private key - Putty key format too new

When you use PuTTygen to generate or convert to a ppk key and leave PuTTygen settings as default, you might experience this issue. 

The issue/image above is from Solar-PuTTy (v3.0.1.1197), but the problem could happen using any FTTP or SSH client. For instance, In MobaXterm (Personal Edition v21.4 Built 4786), you get from the terminal: 

No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)

From PuTTy version 0.75, the program uses a new format to generate the SSH private key; it uses ppk version 3. However, PuTTY 0.74 or earlier versions can't read this format, and this can be a problem for programs that use PuTTY internally, like Solar PuTTY or MobaXtermn. If the internal PuTTY version is not compatible with PPK version 3, the program can't use keys created with a default setting of PuTTY 0.75.

Note that this is not a problem for PuTTY itself.

Other programs already use the latest ppk version 3, such as WinSCP, FileZilla, WinSSHTerm (here, the main SSH program is PuTTy), and others. I tested the newest version of the programs to date. So a quick workaround is to change to one of these programs. Soon all SSH and FTTP programs should support the latest version of PuTTy.

Solution

You can generate a new SSH key pair or change the private key format of an existing private key using PuTTygen. 

Step 1: Change the PuTTygen PPK File Version to version 2.

Run the PuTTYgen program. Go to Key > Parameters for saving key files...

Changing the Version of the SSH Private Key

Change the PuTTygen PPK File Version to version 2.

Changing the Version of the SSH Private Key

Step 2: Generate a new SSH key pair or change the format of an existing one.

After following step one, you can now generate a key using the ppk version 2. You will be able to SSH to the cloud instance. This option is better if you are just creating the cloud instance. 

Click on Generate a public or public key pair, click on Generate. Click Save private key, to save the key with the old ppk format.

Generating an SSH Key Pair for Cloud Service Instances

Or, if you have already created a cloud instance using the new ppk format (version 3), the best option is to change the format of that key and convert it to the (old) version 2. 

Click on Load and search for your ppk key (version 3). Click Save private key, to convert the key to the old ppk format.

Changing the Version of the SSH Private Key

Resources

Oracle

Juan Mulford
Juan Mulford
Hey there! I've been in the IT game for over fifteen years now. After hanging out in Taiwan for a decade, I am now in the US. Through this blog, I'm sharing my journey as I play with and roll out cutting-edge tech in the always-changing world of IT.

5 COMMENTS

  1. […] Solution – You can generate a new SSH key pair or change the private key format of an existing private key using PuTTygen. Step 1: Change the PuTTygen PPK File Version to version 2. Run the PuTTYgen program. Go to Key > Parameters for saving key files. Change the PuTTygen PPK File Version to version 2. Step 2: Generate a new SSH key pair or change the format of an existing one. After following step one, you can now generate a key using the ppk version 2. You will be able to SSH to the cloud instance. This option is better if you are just creating the cloud instance. Or, if you have already created a cloud instance using the new ppk format (version 3), the best option is to change the format of that key and convert it to the (old) version 2. – Advertisement – Click on Load and search for your ppk key (version 3). Click Save private key, to convert the key to the old ppk format. Pogledajte cijeli odgovor […]

  2. Thanks for this article, its the most clear one out there
    Navicat gives this error when trying to log in using the PPK key generated by the server, so have to re create it using puttygen as you describe. Thank You

Leave a Reply

- Advertisement -

Popular Articles

mulcas.com-Raspberry-Pi

Raspberry Pi OS in a Virtual Machine with VMware

4
Although the Raspberry Pi OS is designed and optimized for the Raspberry Pi module, it is possible to test and use it without its hardware, with VMware. This solution can be useful if you are a developer (or just a curious guy) and don't have a Raspberry Pi module with you
Unable to delete inaccessible datastore

Unable to delete an "inaccessible" datastore

7
I was switching my storage array, so I migrated the VMs from that old datastore/storage to a new datastore/storage. The old datastore was shared by 3 ESXi hosts, no cluster. After migrating the VMs and unmount/delete the datastore, it was still presented in two of the ESXi hosts and was marked as inaccessible.
This is not a valid source path / URL

This is not a valid source path / URL - SourceTree and Gitlab

1
I have been working on a project with a friend who set up a repository in Gitlab but even though I was able to view all projects on it, I couldn’t really join the repository. I was using SourceTree and Gitlab.
mulcas.com-VMware-OVF-Tool

How to export a Virtual Machine using the VMware OVF Tool

9
The VMware OVF Tool is implemented by VMware for easily importing and exporting virtual machines in Open Virtualization Format (OVF) standard format. Here, I want to show you how to download and install it, and then how to use it from a Windows machine.
WinSCP VCSA

Unable to Access the VCSA 6.7 via WinSCP

9
One of the many and easiest ways to get the logs from the ESXi hosts and vCenter Server Appliance (VCSA), is accessing directly to the files directory using tools such as WinSCP, which helps to transfer the files between a local and a remote computer ( Ex. VCSA). I never have had issues with the ESXi hosts and WinSCP, however, trying to access the VCSA is a different story.
- Advertisement -

Recent Comments