PEM_read_PrivateKey failed SSH error

I just spent 20 minutes trying to figure out why my passwordless SSH wasn’t working. I’ve done it dozens of times, but this time it wasn’t working and none of the Google results had a solution that helped.

It turns out I was pointing to the public key instead of the private key.

Short summary: Don’t point to the .pub keyfile with IdentityFile in .ssh/config.

A lot of the solutions I found were related to invalid keyfiles, but I’d generated the key with ssh-keygen on that machine, so I was fairly confident the keys were valid.

If you’re having the same problem, use

ssh -vvv

to get more debugging info.

If this saves someone else 20 minutes, my wasted time will not have been in vain.


 (Post a comment) | Comments RSS feed
  1. Thanks man. I was beating my head on this as well; also had IdentityFile pointing at the .pub.

    Comment by Brian Dunn on February 17, 2011 @ 9:08 am
  2. I’m glad this helped.

    Comment by Dan on February 17, 2011 @ 9:18 am
  3. I am running Centos 5.5. Had the issue above. As long as I specified a passphrase with ssh-keygen, publickey never worked. If I use a blank passphrase, it works first time, every time.

    Comment by Bill Cunningham on April 4, 2011 @ 11:06 am
  4. @Bill Cunningham Thanks for the additional data point.

    Comment by Dan on April 4, 2011 @ 11:56 am
  5. Found this after running ssh with the ‘-v’ option, and scroogling for ‘PEM_read_PrivateKey failed.’ Appreciate the information, I can’t believe I made such a rookie mistake!

    Thanks for the help.

    Comment by Mike Davis on April 7, 2011 @ 3:32 am
  6. @Mike I felt the same way :)

    Comment by Dan on April 7, 2011 @ 9:11 am
  7. My problem was completely different, but the ‘ssh -vvv’ tip helped me find it. I was using ‘ssh -v’ and that wasn’t enough verbosity to reveal the problem, but I saw it when running ‘ssh -vvv’. Thanks for the tip!

    Comment by Anon on April 12, 2011 @ 11:04 am
  8. @Anon No problem.

    Comment by Dan on April 12, 2011 @ 12:19 pm
  9. Thank You!

    Comment by Javix on July 13, 2011 @ 3:20 pm
  10. @Javix No problem.

    Comment by Dan on July 13, 2011 @ 3:22 pm
  11. Chalk up another “Thank you.” D’oh!

    Comment by Todd on August 30, 2011 @ 12:02 pm
  12. I’ll toss another “Thank you” in basket. Cheers!

    Comment by Ed on October 3, 2011 @ 12:34 pm
  13. Thank you!

    *Why can’t I remember this?*

    Comment by William Notowidagdo on November 24, 2011 @ 11:51 pm
  14. A big thanks from me too Dan, seems to happen to load of people who fail to see the very obvious like myself

    Comment by Jonathan on March 31, 2012 @ 12:47 am
  15. @Jonathan Thanks for your comment. In our defense, the error message could be far more clear.

    Comment by Dan on March 31, 2012 @ 10:10 pm
  16. I had the same error, different reason. I needed to create the keys with a blank passphrase. Then SSH and SFTP worked. This link helped me:

    Comment by Greg Burdett on May 2, 2012 @ 11:27 am
  17. @Greg Why did you need to use a blank passphrase? It’s highly recommended to use a passphrase because it’s more secure, and you certainly won’t get this error just because you use a passphrase.

    Comment by Dan on May 2, 2012 @ 11:40 am
  18. thanks for the -vvv that really helped me

    I had a different issue but I thought I’d post it here for the next person

    I was getting this error “PEM_read_PrivateKey failed”

    I was a client and I had a private key from the host

    but the host had put a passphrase on the private key

    everytime I did sftp it asked for the passphrase, but it never asked for the password

    it turns out I had to use ssh-keygen -p –> I used that to create a new private key without a passphrase and then it all worked out fine

    most the posts I read talked about generating a key and putting it on the host but I didn’t have that option, all I had was a private key from the host

    Comment by Peter on July 18, 2012 @ 8:23 pm
  19. @Peter Thanks for sharing another potential cause of this error.

    Comment by Dan on July 19, 2012 @ 12:54 pm
  20. haha, I feel so stupid!


    Comment by Simon on August 13, 2012 @ 11:16 pm
  21. @Simon Don’t beat yourself up – the error could be far more clear. And if dozens of people encounter the same problem, it’s a design flaw, not stupidity.

    Comment by Dan on August 14, 2012 @ 10:41 pm
  22. Just found another cause for this error.
    Logging into a centos/rhel sshd server, the authorized_keys file should be named authorized_keys (well duh).
    But I copied the _keys file from a debian server, where it was named authorized_keys2. Rename it without the 2… and now Bob’s your ex prime minister.

    Comment by Pete on September 21, 2012 @ 2:44 am
  23. @Pete Thanks for the additional cause.

    Comment by Dan on October 4, 2012 @ 12:53 am
  24. Another thank you!

    I wonder though, how on earth pointing to the .pub file causes it to work perfectly a few times, and then stop working? Also, it seems like the permissions on the key files were altered from 600 to 664, maybe that has something to do with it?

    Comment by Mark on October 31, 2012 @ 1:44 pm
  25. I unable to use my private key with ssh on mac after I use bitvise tunnelier from windows (with the same key file). I guess my key file corrupted, I have this error, “missing with space” and “not a RSA1 key file…”

    I wonder if bitvise was the cause for this. Can anyone help me?

    Comment by nauval on November 17, 2012 @ 11:47 pm
  26. I’ve spent 20+ hours on this problem! Many thanks for your tip!!!!!!!!

    Comment by NYC on January 10, 2013 @ 10:29 pm
  27. @NYC That’s why I posted it, I’m glad to hear it helped you figure it out :)

    Comment by Dan on January 11, 2013 @ 10:33 am
  28. You just saved me a day of head banging.
    Thanks. :-)

    Comment by SL on July 11, 2013 @ 8:33 am
  29. @SL You’re welcome, that’s what I love to hear!

    Comment by Dan on July 11, 2013 @ 10:24 am
  30. I am using ubuntu 12.x and facing exactly same issue.
    I generated the rsa key ( ssh-keygen -t rsa -b 4096 )
    Copied the to authorized_keys and set the permissions as follows
    700 for home and .ssh
    600 for id_rsa and
    640 for and authorized_keys
    set the PasswordAuthentication on in /etc/ssh/sshd_config file
    set the ChallengeResponseAuthentication no
    set the UsePAM yes
    restarted ssh ( service ssh restart )
    All I am doing is to do the ssh from the localhost to localhost only and it fails. I did the same to do ssh to another host that too failed. Have spend enough time on this but hitting the wall again. I hoped that this guide will help me get the solution, but that too in vain. What silly mistake I am making, please guide.

    Comment by Udai on September 21, 2013 @ 2:42 am
  31. @Udai Assuming you’re pointing at the private key in the IdentityFile, try running ssh -vvv to see what’s going wrong. It’s extremely verbose output, but should show you exactly where it’s failing in the login process.

    Comment by Dan on September 21, 2013 @ 3:05 pm
  32. Nice that this pops up in google for a search on pem_read_privatekey failed : 2 of us were scratching our heads re why the passwordless SSH wasn’t working. using -i .ssh/ will do that… we both looked right through that, it took your page for the lightbulb to go on.

    Comment by swy on October 2, 2013 @ 5:00 pm
  33. @swy Yeah, I included the error message that I got in the hopes that it would show up for other users searching for it.

    Comment by Dan on October 2, 2013 @ 8:31 pm

    You just saved my sanity.

    Thanks for posting this.

    Comment by murph on November 8, 2013 @ 10:47 am
  35. @murph You’re welcome. Any amount of sanity saved is a good thing in my book.

    Comment by Dan on November 8, 2013 @ 11:43 am
  36. thank you very much for the solution !!
    Unfortunately I had spent days already figuring this out :(

    Comment by avinash on February 10, 2014 @ 10:26 am
  37. Wow. Thanks so much!

    I thought it was my keys as well. Recreated them several times on my local machine and my external server.

    I also searched the error message (finally), and glad you’re at the top of the results.

    Comment by Geoff on April 21, 2014 @ 3:58 pm
  38. @Geoff That’s great you found it helpful :)

    Comment by Dan on April 21, 2014 @ 3:59 pm
  39. You are the man! Thanks for saving me a ton of time.

    Comment by Paul on July 10, 2014 @ 3:18 pm
  40. @Paul You’re welcome ;)

    Comment by Dan on July 10, 2014 @ 5:05 pm
  41. Great post man, I was wondering what did I do wrong for days!! cheers

    Comment by Amir on December 5, 2014 @ 2:15 am
  42. Hai ,

    I am a newbie to ssh an i believe i am facing similar issue , can some one please explain what is an identity file is all about and where is it located , as in my server it is not located under ~/.ssh/config

    Comment by Chandra Sekhar Pola on December 13, 2014 @ 3:06 pm
  43. Thanks! I spent the last 30 mins on it buddy :) Happy that I found this article.

    Comment by Damian on December 30, 2014 @ 1:31 pm
  44. @Damian I’m glad it helped!

    Comment by Dan on December 30, 2014 @ 4:53 pm
  45. Thank you, banging my head of the wall there for a bit

    Comment by Donal on April 20, 2015 @ 5:41 am
  46. Thank you though i was going to (╯°□°)╯︵ ┻━┻

    Comment by James on August 6, 2015 @ 10:24 am
  47. I also had this problem. It was caused by my use of the options ‘-o -a 256’ on ssh-keygen when I originally created my keys. These options generate a keyfile that is not compatible with old versions of ssh (<v6.5).

    I fixed the problem by regenerating the keys without including these options when I ran ssh-keygen.


    Comment by August on October 26, 2015 @ 4:17 pm
  48. Sir,

    You time was well spent. Thank you!


    Comment by Todd on January 9, 2016 @ 1:25 am
  49. Glad to hear it :)

    Comment by Dan on January 10, 2016 @ 1:03 pm
  50. Thank you very much. Seriosly, man! That aweseome. I spent whole day for that shit!

    Comment by Seanmephi on April 25, 2016 @ 2:02 pm
  51. @Seanmephi Glad it helped in the end :)

    Comment by Dan on April 25, 2016 @ 4:54 pm
  52. Thanks Buddy, it was really helpful.

    Comment by Bharath Kumar S on August 31, 2016 @ 9:32 am

Comments are closed