SFTP Keyfile Format / Connection not possible?

Hello,
I have set up my Raspberry with SSH and Keyfile login (password protected).
I have used WinSCP, it took my private OpenSSH Keyfile (format) and converted it into a Putty format key. I have now tried both key formats but I can't log into my Raspberry. I don't get the prompt for the Keyfile password.

Log:
Server version: SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 -
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "C:\Users-----\Documents\SSH-Identity\Identity.ppk"
Unable to load private key (file format error)
Disconnected: No supported authentication methods available (server sent: publickey)
SSH: Fatal: Disconnected: No supported authentication methods available (server sent: publickey)
Connection closed

If I use the OpenSSH-2 Key format, similar message:
Unable to use this key file (OpenSSH SSH-2 private key)

Try using PuttyGen to convert the key file to Putty format. That's what I've used in the past and it worked:

Still doesn't work. I tried the already converted key from WinSCP, then the original keyfile.
Unable to load private key (file format error)
Disconnected: No supported authentication methods available (server sent: publickey)
SSH: Fatal: Disconnected: No supported authentication methods available (server sent: publickey)

Is this maybe a problem? ssh-ed25519

Does the key file you have load OK into Putty/Pageant?

Without any issue. I can also load the original keyfile and get the message "Successfully imported foreign key (OpenSSH SSH-2 private key (new format))..."

I can also load the keyfile converted automatically via WinSCP

If you want to create a dummy key in the same format and post it here we can try to work out why it's not working.

Hello,
I have created a keypair. It has the private and public key, also one already converted with Puttygen.
Password for private key is "test"

Identity.zip (1.1 KB)

Any news on this?

Hi, I have the same problem with using my SSH private keys. I generated mine using ssh-keygen a long time ago and tried the conversion with puttygen to putty's own format. Both file formats throw errors in DOpus' FTP Log.

I have several different servers to test the FTP feature with.

This is the FTP log for three different server connect attempts using the SFTP protocol.

Server A

Opening Connection XXXXXXXX
Server version: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 XXXXXXXXXX
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "C:\Users\XXXXXXXXXX"
Unable to use this key file (OpenSSH SSH-2 private key)
Disconnected: No supported authentication methods available (server sent: publickey)
SSH: Fatal: Disconnected: No supported authentication methods available (server sent: publickey)
Connection closed

Server B

Opening Connection XXXXXXXXXX
Server version: SSH-2.0-OpenSSH_7.4
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 XXXXXXXXXXXXXX
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "C:\Users\XXXXXXXXXXXXXXX"
Unable to use this key file (OpenSSH SSH-2 private key)
Disconnected: Unable to authenticate
SSH: Unable to authenticate
Connection closed

Server C

Opening Connection XXXXXXXXXXXXXX
Server version: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u8
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 XXXXXXXXXXXXX
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "C:\Users\XXXXXXXXXXXXX"
Unable to use this key file (OpenSSH SSH-2 private key)
Disconnected: Unable to authenticate
SSH: Unable to authenticate
Connection closed

BTW:
While editing my FTP bookmarks I also noticed that changes are not really applied in a Listener window. I had to refresh the window by hitting F5. Just a heads up and maybe something that could be fixed in a future update. :wink:

That keyfile is in the wrong format. It needs to be converted to the Putty format.

Sure, so I changed all the server bookmarks to use the converted ssh key (putty file format) now:

Server A

Opening Connection XXXXXXXX
Server version: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 XXXXXXXXXXX
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "C:\Users\XXXXXXXXXXXXXX"
Offered public key
Server refused our key
Disconnected: No supported authentication methods available (server sent: publickey)
SSH: Fatal: Disconnected: No supported authentication methods available (server sent: publickey)
Connection closed

Server B

Opening Connection XXXXXXX
Server version: SSH-2.0-OpenSSH_7.4
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 XXXXXXXXX
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "C:\Users\XXXXXXXXXX"
Offered public key
Server refused our key
Disconnected: Unable to authenticate
SSH: Unable to authenticate
Connection closed

Server C

Opening Connection XXXXXXXXXX
Server version: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u8
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 XXXXXXXXXXX
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "C:\Users\XXXXXXXXXXX"
Offered public key
Server refused our key
Disconnected: Unable to authenticate
SSH: Unable to authenticate
Connection closed

Oh wait ... is this basically a totally different key pair now? Like should I put the putty's pub key on my servers?

Haha, that worked... I didn't realize that converting the key pair would result in a new one. :smiley:

Hold on, is this the solution? But why would converting the keyfile result in completely new keys?

So every time I would have to generate the keys two times and keep two sets of keys around?

Then why is WinSCP perfectly capable of handling the access once it converted the keyfile for itself?

AFAIK the server side key should not need to change (unless there's more to the issue than just the client side key format; e.g. it may be using a different algorithm or something as well).

When I've done this with my own keys/servers, I only had to make the server side key once, then converted the client side key to the putty format. (At least as far as I can remember. It was a few years ago.)

The version of Putty that Opus uses for FTP doesn't support that key algorithm (ssh-ed25519). It only supports RSA and DSS.

How old is the putty version you use? I found that Putty supports these types of keys since at least 2015(!).
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ed25519.html

That change was committed in 2015 but not released in Putty 0.68 until 2017.

(Still, we are on an old version of the code and should update it.)

This surprised me as well. My understanding is that the key should only be transformed into another file format instead of creating an unrelated or maybe even derived key pair.
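
An added example, not part of the thread and not Directory Opus or PuTTY code: both the OpenSSH new-format file and the PuTTY .ppk file store the public key unencrypted, so the key algorithm and fingerprint can be read from either without the passphrase. Comparing the two results shows whether a converted file still holds the same key pair, and the algorithm name shows whether it is the `ssh-ed25519` type discussed above. The sample key files are constructed in the code with filler bytes.

```python
import base64, hashlib, struct

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def public_blob(text):
    """Public-key blob from an OpenSSH (new format) or PuTTY .ppk private key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(b"openssh-key-v1\0"):
            raise ValueError("not an openssh-key-v1 container")
        off = 15                              # skip the 15-byte magic
        for _ in range(3):                    # ciphername, kdfname, kdfoptions
            _, off = read_string(raw, off)
        off += 4                              # uint32 number of keys
        return read_string(raw, off)[0]       # public part is never encrypted
    if lines[0].startswith("PuTTY-User-Key-File-"):
        i = next(k for k, l in enumerate(lines) if l.startswith("Public-Lines:"))
        count = int(lines[i].split(":")[1])
        return base64.b64decode("".join(lines[i + 1:i + 1 + count]))
    raise ValueError("unrecognised key file format")

def describe(text):
    """Return (algorithm, SHA256 fingerprint); no passphrase is needed."""
    blob = public_blob(text)
    algo = read_string(blob, 0)[0].decode()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return algo, "SHA256:" + digest.rstrip("=")

# Constructed sample data: dummy ed25519 blob, filler private sections, no real key.
def _s(b):
    return struct.pack(">I", len(b)) + b
BLOB = _s(b"ssh-ed25519") + _s(bytes(range(32)))
_body = (b"openssh-key-v1\0" + _s(b"aes256-ctr") + _s(b"bcrypt") + _s(b"\0" * 24)
         + struct.pack(">I", 1) + _s(BLOB) + _s(b"\0" * 64))
OPENSSH_SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.encodebytes(_body).decode()
                  + "-----END OPENSSH PRIVATE KEY-----\n")
PPK_SAMPLE = ("PuTTY-User-Key-File-2: ssh-ed25519\nEncryption: aes256-cbc\n"
              "Comment: constructed\nPublic-Lines: 1\n" + base64.encodebytes(BLOB).decode()
              + "Private-Lines: 1\nAAAA\nPrivate-MAC: 00\n")

if __name__ == "__main__":
    print(describe(OPENSSH_SAMPLE), describe(PPK_SAMPLE))
```

On real files, pass the file contents to `describe()`; identical fingerprints from the original and the converted file mean the server-side `authorized_keys` entry does not need to change.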