Debugging "unknown key type '-----BEGIN'" SSH Authentication Error: Key Format and Permission Solutions



When encountering the "unknown key type '-----BEGIN'" error during SSH authentication, we're typically dealing with one of three fundamental issues:

# Typical error sequence you might see
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'

The first step is verifying your private key format. Modern OpenSSH versions expect keys in PKCS#8 format rather than the traditional PEM format:

# Check your current key format
file ~/.ssh/id_rsa

# Convert legacy PEM to PKCS#8 if needed
openssl pkcs8 -topk8 -v2 des3 -in id_rsa -out id_rsa_pkcs8

Windows/Mac line endings or hidden BOM characters can corrupt key files. Use these commands to diagnose:

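# Check for DOS line endings (cat -v prints a carriage return as the two characters ^M)
# -F matches ^M literally; an unquoted ^M would match every line that starts with "M"
cat -v ~/.ssh/id_rsa | grep -F '^M'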

# Convert DOS to Unix format
dos2unix ~/.ssh/id_rsa

# Check for UTF-8 BOM (if present, the first three bytes are ef bb bf)
head -c3 ~/.ssh/id_rsa | od -tx1

Even with perfect client setup, server-side issues can manifest similarly:

# On the server, check these settings in /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no  # For pure key-based auth

Enable maximum verbosity to pinpoint where the handshake fails:

ssh -vvv user@host

The debug output should show where exactly the key parsing fails. Look for these critical points:

  • Key file loading sequence
  • Protocol version negotiation
  • Authentication method selection

To avoid format issues entirely, generate fresh keys with modern parameters:

ssh-keygen -t rsa -b 4096 -m PEM
# or for ed25519 (preferred)
ssh-keygen -t ed25519 -a 100

While you've checked basic permissions, these finer points often get missed:

# Home directory should not be group/world writable
chmod 755 ~

# .ssh directory must be 700
chmod 700 ~/.ssh

# Private keys must be 600
chmod 600 ~/.ssh/id_*

# authorized_keys must be 644 on server
chmod 644 ~/.ssh/authorized_keys
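
The client-side checks above (key container format, DOS line endings, UTF-8 BOM, private key permissions) can be combined into one read-only report. This is an added example, not part of the original article; the function name check_key_file and its name=value output are hypothetical, and it takes the key path as its only argument.

```shell
#!/bin/sh
# Added example: report the key-file problems discussed above.
# Prints one "name=value" line per check; changes nothing on disk.

check_key_file() {
    f=$1
    [ -r "$f" ] || { echo "error=unreadable"; return 1; }

    # UTF-8 BOM: the first three bytes are ef bb bf.
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "bom=yes"
    else
        echo "bom=no"
    fi

    # DOS line endings: any carriage return byte anywhere in the file.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then echo "crlf=yes"; else echo "crlf=no"; fi

    # Container format, read from the BEGIN line. The surrounding wildcards
    # tolerate a BOM before the header and a carriage return after it.
    case "$(head -n 1 "$f")" in
        *"-----BEGIN OPENSSH PRIVATE KEY-----"*)   echo "format=openssh" ;;
        *"-----BEGIN PRIVATE KEY-----"*)           echo "format=pkcs8" ;;
        *"-----BEGIN ENCRYPTED PRIVATE KEY-----"*) echo "format=pkcs8" ;;
        # Traditional PEM headers name the algorithm (RSA, EC, DSA).
        *"-----BEGIN "*" PRIVATE KEY-----"*)       echo "format=pem" ;;
        *)                                         echo "format=unknown" ;;
    esac

    # Permissions: group and other must have no access (600 or 400).
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ldL "$f" | cut -c5-10)" = "------" ]; then
        echo "perms=ok"
    else
        echo "perms=too-open"
    fi
}

# Check the path given on the command line, if there is one.
[ $# -eq 0 ] || check_key_file "$1"
```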

The error key_type_from_name: unknown key type '-----BEGIN' typically occurs when OpenSSH encounters difficulty parsing your private key file. While your permissions look correct (600 for private keys, 644 for public keys), the issue often lies in key formatting or compatibility.

Modern OpenSSH versions expect keys in PKCS#8 format. Convert your traditional PEM format key:

openssl pkcs8 -topk8 -v2 des3 -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa_pkcs8
chmod 600 ~/.ssh/id_rsa_pkcs8

Notice how your successful connection shows compatibility mode activation:

debug1: Enabling compatibility mode for protocol 2.0

For problem servers, force this behavior by adding to your ~/.ssh/config:

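Host problematic-server
    # ssh-rsa means RSA signatures with SHA-1; keep this override
    # inside the Host block for the one server that needs it
    HostKeyAlgorithms ssh-rsa
    PubkeyAcceptedKeyTypes ssh-rsa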

1. Verify key file integrity:

ssh-keygen -l -f ~/.ssh/id_rsa

2. Check for hidden characters (common when copying keys):

cat -v ~/.ssh/id_rsa | head -n 1

The server's sshd_config might restrict key algorithms. Check which RSA signature algorithms your local client supports with:

ssh -Q key-sig | grep rsa

If empty, your OpenSSL version might lack RSA support.

Add -vvv to see more details about the key exchange failure:

ssh -vvv user@problematic-server

Look for lines containing "no mutual signature algorithm" or "host key algorithms".

When all else fails, create fresh keys with modern defaults:

ssh-keygen -t rsa -b 4096 -m PEM
ssh-keygen -t ed25519  # For modern systems

Remember to update authorized_keys on all servers after key regeneration.