Manage SSH Key File With Passphrase

Manage SSH Key File With Passphrase

Any serious DevOps will only ssh by key file. Not with password, right? And mostly our powerful key file can unlock many critical envs. Have you ever uploaded your private key to other envs, like jumpbox? What if your key is magically stolen by hackers somehow?

Time to protect your sensitive ssh key by passphrase. And live with it, headache-free.

Manage SSH Key File With Passphrase


Original Article: http://dennyzhang.com/ssh_passphrase

Update Per Audience Feedback:

  • Thanks to Joshua Cornutt: When storing a private key on a server, I'd opt for a hardware option (HSM) since it's likely the key will need to be actively used and thus a passphrase can't be securely used (think automated use of a server-side private key) .

Cheat Sheet for impatient users. Recommend to read this post through, even for experienced users.

Name Summary
Load key file ssh-add ~/.ssh/id_rsa
Remove all loaded keys ssh-add -D
Whether it's encrypted grep "ENCRYPTED" id_rsa
Add/Change passphrase ssh-keygen -p -f id_dsa
Remove passphrase ssh-keygen -p -P $passwd -N "" -f id_rsa
Load key without prompt Check link: here

Add passphrase to existing ssh key

We can easily use ssh-keygen to add passphrase. This certainly gives us extra security benefit. Next, what's the impact of this change?

  • You never use your private key other than your computer. Right? If yes, nothing you need to worry. One tiny difference: you might be asked to input the passphrase once. Check all loaded keys by ssh-add -l.
  • In some cases, we might use key files to do passwordless login in remote servers. For example, ssh tunnel for port forwarding, ssh from jumpbox to other machines, etc. Then we have to make sure the key file is correctly loaded and recognized. Run ssh-add ./id_rsa, then input passphrase manually. This also can be done automatically. We will explain it shortly.
# Change file mode to allow overwrite
chmod 700 id_rsa

# Add passphrase to key file
ssh-keygen -p -f id_rsa

# Denny-mac:.ssh mac$ ssh-keygen -p -f id_rsa
# Key has comment 'id_rsa'
# Enter new passphrase (empty for no passp...
# Enter same passphrase again: 
# Your identification has been saved with ...

Load protected ssh key without prompt

Pity that ssh-add itself doesn't have native support for this[1]. Here is a workaround. A bit tricky, I admit.

# Specify your passphrase here
export YOUR_PASSPHRASE="XXX"

# Load protected key without prompt
echo "echo $YOUR_PASSPHRASE" > /tmp/mypass
chmod 700 /tmp/mypass
cat id_rsa| SSH_ASKPASS=/tmp/mypass ssh-add -

# Verify loaded certificate
ssh-add -l

Change passphrase for existing private key

Run below command. You will be asked to input old passphrase and new one. If the key is not encrypted, just press enter in the terminal.

ssh-keygen -p -f ~/.ssh/id_dsa

Remove passphrase

Use openssl to remove passphrase.[2] You will need to manually input old passphrase.

openssl rsa -in id_rsa -out id_rsa_new

Same can be done by ssh-keygen.[3] The amazing part is no required human intervene. Totally automated.

ssh-keygen -p -P "$OLDPASS" -N "" -f id_rsa

More Reading: Reverse SSH Tunnel: Export Your Mac Laptop To The Internet.

Footnotes:

[1] unix.stackexchange.com/questions/90853/how-can-i-run-ssh-add-automatically-without-password-prompt
[3] stackoverflow.com/questions/112396/how-do-i-remove-the-passphrase-for-the-ssh-key-without-having-to-create-a-new-ke
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
How to mount software RAID1 member using mdadm
Viewed 1474 times since Wed, Oct 3, 2018
20 Linux Command Tips and Tricks That Will Save You A Lot of Time linux
Viewed 2676 times since Thu, Apr 18, 2019
Configuring VLAN interfaces in Linux
Viewed 3084 times since Mon, May 21, 2018
18 Quick ‘lsof’ command examples for Linux Geeks
Viewed 8497 times since Sun, Jun 30, 2019
LUKS List available methods of encryption for LUKS
Viewed 1019 times since Fri, Jul 13, 2018
Tip: SSD and Linux. Enable TRIM and check if it works
Viewed 1688 times since Fri, May 15, 2020
Jak wygenerować silne hasła jednorazowe w Linuksie?
Viewed 1272 times since Thu, May 24, 2018
A Quick and Practical Reference for tcpdump
Viewed 9713 times since Fri, Jul 27, 2018
Set Up SSH Tunneling on a Linux / Unix / BSD Server To Bypass NAT
Viewed 10212 times since Fri, May 15, 2020
Tips to Solve Linux & Unix Systems Hard Disk Problems
Viewed 1288 times since Fri, May 15, 2020