1

1) My ~/.ssh folder has the permission: drwx------. 2 user user 4.0K Aug 19 15:39 .ssh

2) I run ssh-keygen -t rsa and get the default files id_rsa and id_rsa.pub.

3) I copy/paste my id_rsa.pub key to GitHub SSH Keys

4) When trying to connect via ssh -i id_rsa -vT git@github.com I get the following:

OpenSSH_7.5p1, OpenSSL 1.1.0f-fips 25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug1: Connecting to github.com [192.30.253.113] port 22.
debug1: Connection established.
debug1: identity file id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5

I'm in doubt about how to generate the id_rsa-cert file.

I tried

openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa-cert

and

openssl req -x509 -key ~/.ssh/id_rsa -nodes -days 9999 -newkey rsa:2048 -out id_rsa-cert

And it didn't work. Any tips?

yuriploc

2 Answers

1

I'm in doubt about how to generate the id_rsa-cert file.

You don't need it, and certainly not for GitHub access. The client is looking for a file named that way, but that does not mean it is needed for normal SSH key authentication. For that, a normal RSA key as you provided is enough.

Jakuje
1

The id_rsa-cert file is typically copied to its proper location by a systems administrator.

It's only necessary when your ssh infrastructure requires server and client keys that are signed by a Certificate Authority. I have encountered only one entity that utilized this level of security (military). Most entities will not use this feature. It's only required when someone in IT is super paranoid (military).

For more information about SSH Key Infrastructures, please follow the link below. Admittedly, it's a rather old article. Despite its relative age, it remains applicable and relevant.

https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

RobV8R
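As an added illustration of the CA-signed setup the second answer describes (not code from either answer): an SSH certificate is produced when a certificate authority key signs the user's public key with ssh-keygen -s, which is a different format from anything openssl emits. The CA name, key ID and principal below are constructed, and every key is a throwaway file in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example. All names (demo_ca, demo-user, demo-user-cert) are
# constructed; keys live in a temp dir and nothing under ~/.ssh is touched.
set -eu

# Create a CA key and a user key, then sign the user's public key with the CA.
# "ssh-keygen -s" writes the certificate next to the key as id_rsa-cert.pub.
make_cert() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/demo_ca"
    ssh-keygen -q -t rsa -N '' -C demo-user -f "$dir/id_rsa"
    ssh-keygen -q -s "$dir/demo_ca" -I demo-user-cert -n demo-user \
        -V +1d "$dir/id_rsa.pub"
}

# Print the certificate type reported by "ssh-keygen -L".
cert_type() {
    ssh-keygen -L -f "$1" | awk '/Type:/ { print $2; exit }'
}

# Print the principals the certificate is valid for, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ { p = 1; next } /Critical Options:/ { p = 0 } p { print $1 }'
}

# Demo run, skipped when ssh-keygen is not installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_cert "$demo"
    echo "type:       $(cert_type "$demo/id_rsa-cert.pub")"
    echo "principals: $(cert_principals "$demo/id_rsa-cert.pub")"
    rm -rf "$demo"
fi
```

When such a file sits next to id_rsa, ssh loads it automatically; a server only accepts it if it has been configured to trust that CA, which is why plain public-key logins work without it.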