[Bug 3849] New: Allow private key files without a newline at the end
bugzilla-daemon at mindrot.org
Mon Jul 14 05:10:36 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3849
Bug ID: 3849
Summary: Allow private key files without a newline at the end
Product: Portable OpenSSH
Version: -current
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: yedaya.ka at gmail.com
Currently ssh and ssh-keygen don't manage to read private keys that
don't have a newline at the end. It fails with this error:
```
openssh-portable/$ ./ssh-keygen -y -f no_newline_ed25519
Load key "no_newline_ed25519": error in libcrypto
```
Adding a newline to the end fixes it:
```
openssh-portable/$ echo $'\n' >> no_newline_ed25519
openssh-portable/$ ./ssh-keygen -y -f no_newline_ed25519
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImNVUrqnrw2eKhwaX1bGpNu3isBRESXny4NF9gjnHRi comment
```
Earlier versions failed with an `invalid format` error.
I suggest not checking if there is a new line (\n) at the end of the
private key. This matches the behavior of openssl, and in general makes
it more user friendly. A lot of text editors don't show if there is a
newline at the end of the file, and private keys are often copied and
pasted.
See some examples of people having trouble with this behaviour:
[1][2][3][4]
From RFC 7468[5] it seems that a new line at the end of PEM encoded
messages isn't necessary, although if I understand correctly the
openssh key format isn't strictly in PEM format.
From looking at the code, the main change needed is to remove the '\n'
from the end of `MARK_END` in sshkey.c.
What do you think?
[1] https://github.com/semaphoreui/semaphore/issues/183
[2] https://github.com/openshift/console/issues/6858
[3] https://madhead.me/posts/private-key-newline-fuckup/
[4] https://github.com/jenkinsci/ssh-credentials-plugin/pull/33
[5] https://www.rfc-editor.org/rfc/rfc7468.html#section-3
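A pre-flight check for the failure described in the report above, as an added example that is not part of the original report or of OpenSSH. It detects a key file whose last byte is not a newline and appends exactly one; the function names `missing_final_newline` and `fix_key_newline` are hypothetical, and the check assumes a PEM-style file whose last non-empty line is an `-----END ...-----` marker.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Function names are hypothetical.
# Usage after sourcing this file: fix_key_newline ~/.ssh/id_ed25519

# Return 0 when the file is non-empty and its last byte is not '\n'.
missing_final_newline() {
    [ -s "$1" ] || return 1    # empty or missing file: nothing to report
    # Command substitution strips a trailing newline, so a non-empty
    # result means the last byte is some other character.
    [ -n "$(tail -c 1 -- "$1")" ]
}

# Append one newline to a PEM-style key file that lacks it.
# Exit codes: 0 = file is newline-terminated afterwards,
#             2 = not a regular file, 3 = no END marker on the last line.
fix_key_newline() {
    key=$1
    [ -f "$key" ] || { echo "$key: not a regular file" >&2; return 2; }

    # Last non-empty line, with CRs removed so CRLF-pasted keys are
    # recognised. Refusing anything else avoids touching truncated
    # pastes or unrelated files.
    last=$(tr -d '\r' < "$key" | awk 'NF { l = $0 } END { print l }')
    case $last in
        "-----END "*"-----") ;;
        *) echo "$key: last line is not an END marker" >&2; return 3 ;;
    esac

    if missing_final_newline "$key"; then
        # Appending keeps the file's owner and mode, so a 0600 key
        # stays 0600.
        printf '\n' >> "$key"
        echo "$key: appended missing newline"
    else
        echo "$key: already newline-terminated"
    fi
}
```

Running the check on a key that is already newline-terminated leaves it unchanged, so it can sit in a CI step that writes keys from pasted secrets.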