Converting an OpenSSH private key if the "–o IdentificationFile" switch is used

  • 7023141
  • 29-Jun-2018
  • 05-Jul-2018


Reflection for Secure IT Client or Server for UNIX


A remote sftp server is configured with user keys authentication. When Reflection for Secure IT (RSIT) sftp applies the "–o IdentificationFile" switch, connection fails.

(For additional details on how to configure public key authentication, please review the on-line documentation:

By default, RSIT UNIX sftp client reads the “identification” file from the .ssh2 folder under the user’s home folder.  The identification files points to a private key name or a list of private key names:

      Example of file location :

      Example of identification’s content:
          IdKey PrivateKey1

If key authentication is configured correctly, and it was configured without a passphrase, the following syntax command should automatically connects the client:
    Sftp <RemoteUserId>@<RemoteSftpHost>

Additionally, the sftp client can specifically points to another “identification” file by using the “-o IdentificationFile” switch.

Using the above example, the command will look something like this:
    Sftp –o IdentificationFile=/Home/user1/.ssh2/identification <RemoteUserId>@<RemoteSftpHost>

If the default identification file contains more than one key, the client has to present each key until it finds the correct one. The “-o IdentificationFile” switch provides the ability to only check one specific key.  In the following example, a second file is added in the .ssh2 folder and called it IdentFile1:

      Example of IdentFile1:
          IdKey PrivateKey2

      Example sftp command line syntax:
          Sftp –o IdentificationFile=/Home/user1/.ssh2/IdentFile1 <RemoteUserId>@<RemoteSftpHost>

If key pair was generated by RSIT, no additional configuration is required.  However, if the client was given an OpenSSH private key to be used to connect to a remote server, the OpenSSH key will need to be converted, and the public key extracted.  Create an Identification file and point it to the converted private key. Permissions will also need to be set on the files.


To convert an OpenSSH private key:

On UNIX, cd to the folder where Reflection is installed. Look for an utility called ssh-keygen.  Use it to convert the private key to a RFC 4716 compliant format.

In this example, we will use an OpenSSH private key named PrivateKey2. (The "renaming" steps are optional.)

1. ssh-keygen –O PrivateKey2

2. Rename the PrivateKey2 to PrivateKey2.openssh

3. Rename PrivateKey2.ssh2 to PrivateKey2

4. Run ssh-keygen  -D to extract the public key:
ssh-keygen –D PrivateKey2

5. Create an identification file in the .ssh2 folder that points to a key.  It is called IdentFile1 in this example:
Echo IdKey PrivateKey2>> IdentFile1

6. Change permission to 600 for both PrivateKey2 and IdentFile1:
Chmod 600 PrivateKey2
Chmod 600 IdentFile1