
#1741 closed defect (worksforme)

SFTP fails when using public key, invalid PEM structure

Reported by: dguido Owned by: dkocher
Priority: normal Milestone:
Component: sftp Version: 3.1.2
Severity: normal Keywords: sftp, pubkey, privkey, publickey, public, PEM, invalid, private
Cc: Architecture:
Platform:

Description

Cyberduck cannot log in to my ssh server when using public key authentication. It fails with an error "Invalid PEM structure, '-----BEGIN...' missing"

I have verified that I can log into the sftp server in question using 'sftp' and 'WinSCP'. Additionally, Cyberduck can log into the ssh server when I am using password authentication.

The ssh server is a bit of a rarity, it's an embedded ARM-based NAS running Linux. I'm using OpenSSH 4.7p1 with it. Please contact me if you need more info or want to use my server to test. I can't find out how to get better logs out of Cyberduck.

Change History (23)

comment:1 Changed on Feb 4, 2008 at 10:38:28 AM by dguido

I should also mention that the same set of public/private keys work for other servers.

comment:2 Changed on Feb 4, 2008 at 11:58:49 AM by dkocher

Make sure you select the private key enclosed with the PEM structure.

comment:3 Changed on Feb 4, 2008 at 5:00:35 PM by anonymous

Wow, I feel stupid. It was because I was trying to authenticate with the public key instead of the private key like I should have been. Cyberduck really ought to extend that error message to say "Are you sure you're using a private key?" I'm willing to bet that 99% of the time that's what a user does, but the error message doesn't make that immediately clear.

Thanks!

comment:4 follow-up: Changed on Feb 4, 2008 at 5:27:39 PM by dkocher

  • Resolution set to worksforme
  • Status changed from new to closed

comment:5 in reply to: ↑ 4 Changed on May 21, 2008 at 5:23:01 PM by carol

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Replying to dkocher:

hello, i'm having same problem with 'invalid PEM structure' errors using a key. i'm using a private key. not sure why i can't connect. any advice greatly appreciated. best, carol

comment:6 follow-up: Changed on May 21, 2008 at 7:29:49 PM by dkocher

  • Resolution set to worksforme
  • Status changed from reopened to closed

Maybe you are using a key generated by Putty SSH. It must be in the OpenSSH format.

comment:7 Changed on Feb 20, 2009 at 2:02:51 PM by drm

  • Resolution worksforme deleted
  • Status changed from closed to reopened

I'm connecting to a SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.6 server using cyberduck 3.1.2 (4500), and get the error described above.

I'm definitely using a private key (has the ------BEGIN... structure). I can connect with command-line ssh and sftp.

I re-generated my server keys using ssh-keygen on the debian server, so I'm not using puttyssh. I get the error whether or not I try to authenticate using my client public key or by password (both work with the command-line client).

I can provide logs and debugging info -- mail dylan richard muir at gmail.com, with dots in between the names.

Thanks, DRM

comment:8 Changed on Feb 20, 2009 at 2:03:59 PM by DRM

  • Version changed from 2.8.4 to 3.1.2

comment:9 Changed on Feb 20, 2009 at 2:15:03 PM by DRM

I can connect using a local DSA private key, but by default cyberduck is trying to use ~/.ssh/identity as a private key. When I try to disable the use of this key, I think cyberduck may be using it anyway (hence the "no PEM structure" error). I guess this is the cause of my problem. This bug should be "can't de-select a private key".

DRM

comment:10 Changed on Apr 27, 2009 at 8:01:55 AM by dkocher

#2934 closed as duplicate.

comment:11 Changed on Apr 27, 2009 at 8:02:29 AM by dkocher

#3134 closed as duplicate.

comment:12 Changed on Dec 21, 2009 at 4:01:03 PM by john@…

I can confirm this issue in r5621 in OS X 10.6.2. Giving it ~/.ssh/id_dsa (for example) fails, but copying that private key to ~/.ssh/identity and using that succeeds.

comment:13 follow-up: Changed on Jan 9, 2010 at 5:44:50 PM by ikke@…

I also confirm this bug. Version 3.3 (5552) + Leopard 10.5.8 ppc

comment:14 in reply to: ↑ 13 Changed on Jan 9, 2010 at 6:23:22 PM by dkocher

Replying to ikke@…:

> I also confirm this bug. Version 3.3 (5552) + Leopard 10.5.8 ppc

Please post the exact error message.

comment:15 follow-up: Changed on Jan 9, 2010 at 7:47:04 PM by ikke@…

Sorry, I take it back. No bug after all. Idiot user instead... :(

I selected the public key instead of private key. The Finnish translation has check box to use public key method, and after checking it it opens the browser for private key. It just doesn't mention that it's browsing private key instead of public key. Actually it doesn't mention what it's browsing. I didn't notice it asks for private key while clicking the public key method. I selected the public key id_dsa.pub. Only after a while I noticed it mentions the private key below the public key check-box.

So confirming then that there is no bug after all :) . Since it checks the private key at connection time anyway, it could perhaps do it already at the time one selects the file and complain immediately. Then users like me would not waste your time... :)

The exact error message would have been: "Invalid PEM structure, '-----BEGIN...' missing.". Sorry for trouble.

comment:16 in reply to: ↑ 15 Changed on Jan 9, 2010 at 10:08:47 PM by dkocher

  • Resolution set to worksforme
  • Status changed from reopened to closed

Replying to ikke@…:

> Sorry, I take it back. No bug after all. Idiot user instead... :(
>
> I selected the public key instead of private key. The Finnish translation has check box to use public key method, and after checking it it opens the browser for private key. It just doesn't mention that it's browsing private key instead of public key. Actually it doesn't mention what it's browsing. I didn't notice it asks for private key while clicking the public key method. I selected the public key id_dsa.pub. Only after a while I noticed it mentions the private key below the public key check-box.
>
> So confirming then that there is no bug after all :) . Since it checks the private key at connection time anyway, it could perhaps do it already at the time one selects the file and complain immediately. Then users like me would not waste your time... :)
>
> The exact error message would have been: "Invalid PEM structure, '-----BEGIN...' missing.". Sorry for trouble.

It is easily mistakable because the authentication method is titled Public Key Authentication but what you have to choose from the browse dialog is the private key. We should set a prompt text in the panel.

comment:17 follow-up: Changed on Jan 10, 2010 at 1:39:33 PM by dkocher

We provide a message text in the open dialog as of r5713.

comment:18 in reply to: ↑ 17 Changed on Jan 10, 2010 at 1:40:51 PM by dkocher

Replying to dkocher:

> We provide a message text in the open dialog as of r5713.

It says Select the private key in PEM format. Localization pending. See r5711.

comment:19 Changed on Jan 12, 2010 at 7:55:14 AM by ikke@…

Thanks, that clears it up. As a counter offer :) , The Finnish translation would be

trunk/fi.lproj/Credentials.strings, line 21:

"Select the private key in PEM format" = "Valitse PEM-muotoinen henkilökohtainen avain";

comment:20 in reply to: ↑ 6 ; follow-up: Changed on May 5, 2010 at 9:18:20 PM by pax@…

Replying to dkocher:

> Maybe you are using a key generated by Putty SSH. It must be in the OpenSSH format.

How can you check this? - which standard does my key use? I honestly don't remember how I have created it.

As I get the same error "Invalid PEM structure, '-----BEGIN...' missing."

I have Cyberduck Version 3.4.2 (5902) on OS X 10.5.8

comment:21 in reply to: ↑ 20 ; follow-up: Changed on May 14, 2010 at 10:17:19 AM by anonymous

Replying to pax@…:

> Replying to dkocher:
>
> > Maybe you are using a key generated by Putty SSH. It must be in the OpenSSH format.
>
> How can you check this? - which standard does my key use? I honestly don't remember how I have created it.
>
> As I get the same error "Invalid PEM structure, '-----BEGIN...' missing."
>
> I have Cyberduck Version 3.4.2 (5902) on OS X 10.5.8

Any news on this ? I've generated my public key with: openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/mykey.public -pubout -outform PEM

But I still have the "begin missing" error. I'd really like to use cyberduck as a sftp client. Version 3.42, osx 10.63

comment:22 in reply to: ↑ 21 Changed on May 14, 2010 at 4:40:18 PM by anonymous

Replying to anonymous:

> Replying to pax@…:
>
> > Replying to dkocher:
> >
> > > Maybe you are using a key generated by Putty SSH. It must be in the OpenSSH format.
> >
> > How can you check this? - which standard does my key use? I honestly don't remember how I have created it.
> >
> > As I get the same error "Invalid PEM structure, '-----BEGIN...' missing."
> >
> > I have Cyberduck Version 3.4.2 (5902) on OS X 10.5.8
>
> Any news on this ? I've generated my public key with: openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/mykey.public -pubout -outform PEM
>
> But I still have the "begin missing" error. I'd really like to use cyberduck as a sftp client. Version 3.42, osx 10.63

Oh well never mind. It was a problem on the server side. The error message is kinda misleading tho...

comment:23 Changed on Apr 28, 2012 at 2:43:18 PM by Theparadigm

I've had this a few times also due to server issues or key issues. Please change the error message!
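Several comments in this ticket ask how to tell which kind of key file was selected, and suggest checking the file when it is chosen rather than at connection time. The sketch below is an added example, not Cyberduck's code: it classifies a selected file by its first line and covers the cases raised in the thread (a .pub file, an `openssl ... -pubout` public key, a PuTTY key) plus the legacy SSH protocol 1 format. The function name, the kind labels and the hint wording are assumptions of this example.

```python
import re

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
OPENSSH_PUB = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+")

def classify_key(data):
    """Return (kind, hint) for the bytes of a file picked as the SSH identity."""
    # Tolerate a UTF-8 BOM, CRLF line endings and leading blank lines.
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    first = lines[0] if lines else ""
    m = PEM_BEGIN.match(first)
    if m and m.group(1).endswith("PRIVATE KEY"):
        return "pem-private", "PEM private key (%s)." % m.group(1)
    if m and m.group(1).endswith("PUBLIC KEY"):
        return "pem-public", "PEM public key; select the matching private key."
    if m:
        return "pem-other", "PEM block '%s' is not a private key." % m.group(1)
    if OPENSSH_PUB.match(first):
        return "openssh-public", "OpenSSH public key (.pub); select the private key."
    if first.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return "rfc4716-public", "SSH2 public key; select the private key."
    if first.startswith("PuTTY-User-Key-File-"):
        return "putty-ppk", "PuTTY key; export it as an OpenSSH key with PuTTYgen."
    if first.startswith("SSH PRIVATE KEY FILE FORMAT 1."):
        return "ssh1-identity", "Legacy SSH protocol 1 key; not PEM."
    return "unknown", "No '-----BEGIN ... PRIVATE KEY-----' line found."

# Constructed samples: headers are real format markers, bodies are placeholders.
SAMPLES = {
    "id_dsa": b"-----BEGIN DSA PRIVATE KEY-----\nAAAA\n-----END DSA PRIVATE KEY-----\n",
    "id_dsa.pub": b"ssh-dss AAAAB3NzaC1kc3M= user@example\n",
    "mykey.public": b"-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n",
    "key.ppk": b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n",
    "identity": b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00\x00\x00\x00",
    "empty": b"",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-13s %s: %s" % ((name,) + classify_key(blob)))
```

Only the header line is inspected, so a "pem-private" result says the file has the right envelope, not that the key inside parses or matches what the server expects.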
