diff --git a/ChangeLog b/ChangeLog index 600311ba5..3f6e36681 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,12 @@ [sshd.8] fix invalid .Pf macro usage introduced in previous commit ok jmc@ mouring@ + - markus@cvs.openbsd.org 2003/05/11 16:56:48 + [authfile.c ssh-keygen.c] + change key_load_public to try to read a public from: + rsa1 private or rsa1 public and ssh2 keys. + this makes ssh-keygen -e fail for ssh1 keys more gracefully + for example; report from itojun (netbsd pr 20550). 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1423,4 +1429,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2686 2003/05/14 03:44:58 djm Exp $ +$Id: ChangeLog,v 1.2687 2003/05/14 03:45:22 djm Exp $ diff --git a/authfile.c b/authfile.c index 90618efde..d563abb71 100644 --- a/authfile.c +++ b/authfile.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.52 2003/03/13 11:42:18 markus Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.53 2003/05/11 16:56:48 markus Exp $"); #include #include @@ -629,9 +629,18 @@ key_load_public(const char *filename, char **commentp) Key *pub; char file[MAXPATHLEN]; + /* try rsa1 private key */ pub = key_load_public_type(KEY_RSA1, filename, commentp); if (pub != NULL) return pub; + + /* try rsa1 public key */ + pub = key_new(KEY_RSA1); + if (key_try_load_public(pub, filename, commentp) == 1) + return pub; + key_free(pub); + + /* try ssh2 public key */ pub = key_new(KEY_UNSPEC); if (key_try_load_public(pub, filename, commentp) == 1) return pub; diff --git a/ssh-keygen.c b/ssh-keygen.c index 4bd79af6a..1d08c7cec 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.103 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.104 2003/05/11 16:56:48 markus Exp $"); #include #include 
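Review bot: In the authfile.c hunk at `@@ -629,9 +629,18 @@`, `key_load_public` now also returns a `KEY_RSA1` key when the file is a plain protocol 1 public key, and the visible lines give callers no hint of that. This commit adds a type check to `do_convert_to_ssh2`, but any other caller that passes the result to ssh2-only code such as `key_to_blob` would need the same check; those callers are outside this diff, so that should be confirmed. I would add a comment above the function along the lines of `/* may return a KEY_RSA1 key; callers that need an ssh2 key must check ->type */`. The function begins before the hunk and continues past it.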
@@ -163,6 +163,10 @@ do_convert_to_ssh2(struct passwd *pw)
 exit(1);
 }
 }
+ if (k->type == KEY_RSA1) {
+ fprintf(stderr, "version 1 keys are not supported\n");
+ exit(1);
+ }
 if (key_to_blob(k, &blob, &len) <= 0) {
 fprintf(stderr, "key_to_blob failed\n");
 exit(1);
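Review bot: The new `KEY_RSA1` rejection prints `version 1 keys are not supported` without naming the file or the operation, which makes the failure hard to attribute when the command is run over several key files. If the path passed to the load calls above the hunk is still in scope (in this file that is presumably `identity_file`, which is not visible here), I would write `fprintf(stderr, "%s: version 1 keys cannot be converted\n", identity_file);`. The enclosing `do_convert_to_ssh2` begins before the hunk and continues after it.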