OracleRAC/OL9 - GI 23.2.6.1 - sshUserSetup.sh fails with "load pubkey "/root/.ssh/id_rsa": Invalid key length"

[Project-42]

Tried to deploy OL9 version of OracleRAC using GI 23.2.6.1 and step "Setup user equivalence" failed:

    node1: -----------------------------------------------------------------
    node1: INFO: 2026-03-31 11:18:52: Setup user equivalence
    node1: -----------------------------------------------------------------
    node1: spawn /u01/app/23.2.6.1/grid/oui/prov/resources/scripts/sshUserSetup.sh -user grid -hosts rac1-node1 rac1-node2 -noPromptPassphrase -advanced
    node1: The output of this script is also logged into /tmp/sshUserSetup_2026-03-31-11-18-52.log
    node1: Hosts are rac1-node1 rac1-node2
    node1: user is grid
    node1: Platform:- Linux
    node1: Checking if the remote hosts are reachable
    node1: PING rac1-node1.localdomain (192.168.125.111) 56(84) bytes of data.
    node1: 64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=1 ttl=64 time=0.050 ms
    node1: 64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=2 ttl=64 time=0.066 ms
    node1: 64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=3 ttl=64 time=0.027 ms
    node1: 64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=4 ttl=64 time=0.028 ms
    node1: 64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=5 ttl=64 time=0.026 ms
    node1:
    node1: --- rac1-node1.localdomain ping statistics ---
    node1: 5 packets transmitted, 5 received, 0% packet loss, time 4114ms
    node1: rtt min/avg/max/mdev = 0.026/0.039/0.066/0.016 ms
    node1: PING rac1-node2.localdomain (192.168.125.112) 56(84) bytes of data.
    node1: 64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=1 ttl=64 time=1.18 ms
    node1: 64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=2 ttl=64 time=0.558 ms
    node1: 64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=3 ttl=64 time=0.523 ms
    node1: 64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=4 ttl=64 time=0.527 ms
    node1: 64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=5 ttl=64 time=0.522 ms
    node1:
    node1: --- rac1-node2.localdomain ping statistics ---
    node1: 5 packets transmitted, 5 received, 0% packet loss, time 4089ms
    node1: rtt min/avg/max/mdev = 0.522/0.661/1.179/0.258 ms
    node1: Remote host reachability check succeeded.
    node1: The following hosts are reachable: rac1-node1 rac1-node2.
    node1: The following hosts are not reachable: .
    node1: All hosts are reachable. Proceeding further...
    node1: firsthost rac1-node1
    node1: numhosts 2
    node1: The script will setup SSH connectivity from the host rac1-node1 to all
    node1: the remote hosts. After the script is executed, the user can use SSH to run
    node1: commands on the remote hosts or copy files between this host rac1-node1
    node1: and the remote hosts without being prompted for passwords or confirmations.
    node1:
    node1: NOTE 1:
    node1: As part of the setup procedure, this script will use ssh and scp to copy
    node1: files between the local host and the remote hosts. Since the script does not
    node1: store passwords, you may be prompted for the passwords during the execution of
    node1: the script whenever ssh or scp is invoked.
    node1:
    node1: NOTE 2:
    node1: AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
    node1: AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEGES TO THESE
    node1: directories.
    node1:
    node1: Do you want to continue and let the script make the above mentioned changes (yes/no)?
    node1: yes
    node1:
    node1: The user chose yes
    node1: User chose to skip passphrase related questions.
    node1: Creating .ssh directory on local host, if not present already
    node1: Creating authorized_keys file on local host
    node1: Changing permissions on authorized_keys to 644 on local host
    node1: Creating known_hosts file on local host
    node1: Changing permissions on known_hosts to 644 on local host
    node1: Creating config file on local host
    node1: If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.
    node1: Removing old private/public keys on local host
    node1: Running SSH keygen on local host with empty passphrase
    node1: Generating public/private rsa key pair.
    node1: Your identification has been saved in /root/.ssh/id_rsa
    node1: Your public key has been saved in /root/.ssh/id_rsa.pub
    node1: The key fingerprint is:
    node1: SHA256:f9flBeCv9NLzm8IrbEnCtknsEaBRWW7lWmIu0OaVEgQ root@rac1-node1
    node1: The key's randomart image is:
    node1: +---[RSA 1024]----+
[...]
    node1: |         + * = o.|
    node1: |          . ..ooo|
    node1: +----[SHA256]-----+
    node1: Creating .ssh directory and setting permissions on remote host rac1-node1
    node1: THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR grid. THIS IS AN SSH REQUIREMENT.
    node1: The script would create ~grid/.ssh/config file on remote host rac1-node1. If a config file exists already at ~grid/.ssh/config, it would be backed up to ~grid/.ssh/config.backup.
    node1: The user may be prompted for a password here since the script would be running SSH on host rac1-node1.
    node1: load pubkey "/root/.ssh/id_rsa": Invalid key length

System Information:

• Host OS: Fedora43
• Kernel version (for Linux host): 6.19.8-200.fc43.x86_64
• Vagrant version: 2.4.9
• Vagrant provider:
  libvirt:
  • Vagrant-libvirt plugin version: 0.12.2
  • QEMU and libvirt version:
    Compiled against library: libvirt 11.6.0
    Using library: libvirt 11.6.0
    Using API: QEMU 11.6.0
    Running hypervisor: QEMU 10.1.4
    Running against daemon: 11.6.0
• Vagrant project: OracleRAC/OL9

Additional info:

I tried executing thew steps manually from the vagrant VMs and having same issue.. so not sure what is missing here, but wonder if it is related to encryption parameters?

[root@rac1-node1 ~]# ${GI_HOME}/oui/prov/resources/scripts/sshUserSetup.sh -user grid -hosts "rac1-node1 rac1-node2" -advanced
The output of this script is also logged into /tmp/sshUserSetup_2026-03-31-12-30-01.log
Hosts are rac1-node1 rac1-node2
user is grid
Platform:- Linux
Checking if the remote hosts are reachable
PING rac1-node1.localdomain (192.168.125.111) 56(84) bytes of data.
64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=3 ttl=64 time=0.026 ms
64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=4 ttl=64 time=0.028 ms
64 bytes from rac1-node1.localdomain (192.168.125.111): icmp_seq=5 ttl=64 time=0.038 ms

--- rac1-node1.localdomain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4128ms
rtt min/avg/max/mdev = 0.026/0.036/0.061/0.013 ms
PING rac1-node2.localdomain (192.168.125.112) 56(84) bytes of data.
64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=1 ttl=64 time=0.511 ms
64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=2 ttl=64 time=0.619 ms
64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=3 ttl=64 time=0.540 ms
64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=4 ttl=64 time=0.540 ms
64 bytes from rac1-node2.localdomain (192.168.125.112): icmp_seq=5 ttl=64 time=0.540 ms

--- rac1-node2.localdomain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4089ms
rtt min/avg/max/mdev = 0.511/0.550/0.619/0.036 ms
Remote host reachability check succeeded.
The following hosts are reachable: rac1-node1 rac1-node2.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost rac1-node1
numhosts 2
The script will setup SSH connectivity from the host rac1-node1 to all
the remote hosts. After the script is executed, the user can use SSH to run
commands on the remote hosts or copy files between this host rac1-node1
and the remote hosts without being prompted for passwords or confirmations.

NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy
files between the local host and the remote hosts. Since the script does not
store passwords, you may be prompted for the passwords during the execution of
the script whenever ssh or scp is invoked.

NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEGES TO THESE
directories.

Do you want to continue and let the script make the above mentioned changes (yes/no)?
yes

The user chose yes
Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. no
The estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion.
Enter 'yes' or 'no'.
yes

The user chose yes
The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys.
Press 'yes', 'no' or 'change'
yes
The user chose yes
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:sPwXAi8Rsjbk5FTrkoSwQspi94T/3b5uvw9Haiuoujk root@rac1-node1
The key's randomart image is:
+---[RSA 1024]----+
|..  =.o          |
[...]
|     ++.. o+++o. |
+----[SHA256]-----+
Creating .ssh directory and setting permissions on remote host rac1-node1
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR grid. THIS IS AN SSH REQUIREMENT.
The script would create ~grid/.ssh/config file on remote host rac1-node1. If a config file exists already at ~grid/.ssh/config, it would be backed up to ~grid/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac1-node1.
load pubkey "/root/.ssh/id_rsa": Invalid key length
Warning: Permanently added 'rac1-node1' (ED25519) to the list of known hosts.
grid@rac1-node1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Done with creating .ssh directory and setting permissions on remote host rac1-node1.
Creating .ssh directory and setting permissions on remote host rac1-node2
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR grid. THIS IS AN SSH REQUIREMENT.
The script would create ~grid/.ssh/config file on remote host rac1-node2. If a config file exists already at ~grid/.ssh/config, it would be backed up to ~grid/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac1-node2.
load pubkey "/root/.ssh/id_rsa": Invalid key length
Warning: Permanently added 'rac1-node2' (ED25519) to the list of known hosts.
grid@rac1-node2: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Done with creating .ssh directory and setting permissions on remote host rac1-node2.
Copying local host public key to the remote host rac1-node1
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac1-node1.
load pubkey "/root/.ssh/id_rsa": Invalid key length

[Project-42]

Just an update on this.
I moved the vagrant.yml file to the OL8/config folder and started again using OL8 and didn't see the issue.

    node1: INFO: 2026-03-31 14:31:35: Setup user equivalence
    node1: -----------------------------------------------------------------
    node1: spawn /u01/app/23.2.6.1/grid/oui/prov/resources/scripts/sshUserSetup.sh -user grid -hosts rac1-node1 rac1-node2 -noPromptPassphrase -advanced
    node1: The output of this script is also logged into /tmp/sshUserSetup_2026-03-31-14-31-35.log
    node1: Hosts are rac1-node1 rac1-node2
[...]
    node1: Verifying SSH connectivity has been setup from rac1-node1 to rac1-node2
    node1: IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
    node1: Tue Mar 31 14:32:02 +01 2026

These are the boxes versions:

[|=| server in ~ ]$ vagrant box list
oraclelinux/8 (libvirt, 8.10.696)
oraclelinux/9 (libvirt, 9.7.688)

[|=| server in ~ ]$