Skip to main content
February 15, 2022
Question

Unable to import: Unsupported SSH key

  • February 15, 2022
  • 6 replies
  • 920 views

I'm unable to import a RSA key. The message is this:

It's a 2048 bit RSA key, generated a few years ago. It's valid for the Windows ssh client, as well as for Linux openssh.

The 1Password import first asks for the passphrase, I enter it, and the above message appears. The same message appears if I remove the passphrase and try to import the key without the passphrase. It will not ask for a passphrase in this case but display the error message right away.

So is there some constraint, some forbidden property with the key?


1Password Version: 80600026, im Kanal „BETA“
Extension Version: Not Provided
OS Version: Windows 10

6 replies

XIII
February 15, 2022

On Slack they mentioned that the public exponent might be too small (less than 65537). They follow NIST recommendations.

You can check with this command:


openssl rsa -text -in id_rsa | grep publicExponent

February 15, 2022

The key shows 37. Then I guess I have to generate a secure key. Thanks!

Suggestion for improvement: explain why an import failed. Just "invalid" or "unsupported" is not enough, otherwise its cause for confusion.

February 15, 2022

I have a similar issue. But when I enter the passphrase, I get:

We were unable to decrypt your SSH key. Try a different passphrase or select a new SSH key.

The key is encrypted using AES-128-CBC

I verified the password and obtained the decrypted key by running


$ openssl rsa -text -in id_rsa

When I copy the decrypted private key to clipboard and import from there, I get the same error as OP about unsupported key type.

The publicExponent for my key is also 37. It's a very old key of mine that was generated by PuTTY probably around 15+ years ago, and I mostly avoid using it where possible, so I should probably look at replacing it for the few remaining places where Ed25519 or ECDSA still aren't supported.

February 15, 2022

Yes, my key was also generated by puttygen from the putty package, some years ago, exported to openssh format.

I created a new 4096 bit rsa key with puttygen, this was accepted by 1Password, so I assume puttygen has been updated since then.

However, it seems state of the art are Ed25519 keys, so I will create that instead of RSA as replacement for my old key. According to what I read, these keys are supported since OpenSSH 6.5.
RHEL 7 / CentOS 7 (that's what I run on my oldest machines) comes with OpenSSH 7.4, so Ed25519 is supported. Only in case someone still has legacy machines with RHEL 6 or older, only RSA is supported.

February 16, 2022

It seems all of my current keys are having the same issue, a better message would certainly help, even to actually say that the key is no longer considered secure and a new one should be generated.

or even better allow import but mark it as weak (similar to what watchtower does to simple passwords)

K_J__1P
1Password Employee
February 16, 2022

Thanks for all of the feedback! Better error messages for import failures are a top priority for us.

Allowing import and using watchtower to inform users seems is a really great suggestion!