
Does changing the SSH passphrase with ssh-keygen change the SSH key?


I set the passphrase of my ssh key by mistake.

But it is annoying to enter the passphrase every time I use the key.

I'd like to remove the passphrase of my key with:

$ ssh-keygen -p -f <my/key/file>

I'm afraid, however, that the key would be changed.

The job seems too dangerous to test since I use the key in several ways.

The man page says the command would not change the key, I think, but it is uncertain:

-p Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase.


Solution

  • Indeed, the passphrase is just a local protection for a private key file. From the server's perspective, the key stays the same.

    There's no danger for you in trying. Just back up your encrypted key before conversion.


    Though the right solution is to use an authentication agent (like OpenSSH ssh-agent). With the agent, you type the passphrase only once, when loading the key into the agent.


    If you want/need an unencrypted key for some automation, the right solution is to have two keys: one encrypted for interactive use and one unencrypted for unattended use, so that in case your unencrypted key is compromised, you can cancel it without needing to replace your encrypted one.
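
One way to confirm this on a throwaway key before touching the real one (an added example, not part of the original answer; the temporary path, the demo passphrase and the function names are made up for illustration):

```shell
#!/bin/sh
# Added example: show that `ssh-keygen -p` re-encrypts the private key file
# without changing the key pair itself. Works only on a throwaway key in a
# temporary directory; nothing under ~/.ssh is read or written.

# Print "<type> <base64-blob>" of the public key derived from a private key.
# $1 = private key file, $2 = its passphrase ("" if unencrypted).
# -P puts the passphrase on the command line, visible in the process list:
# acceptable for this demo key only; let ssh-keygen prompt for a real one.
pubkey_of() {
    ssh-keygen -y -P "$2" -f "$1" | awk '{print $1, $2}'
}

# Returns 0 if the public key is identical before and after removing the
# passphrase, 1 if it differs, 2 if the demo could not be set up.
passphrase_change_keeps_key() {
    dir=$(mktemp -d) || return 2
    key="$dir/demo_key"

    # Constructed sample: a fresh key protected by a demo passphrase.
    ssh-keygen -q -t ed25519 -N 'old-passphrase' -C demo -f "$key" \
        || { rm -rf "$dir"; return 2; }
    before=$(pubkey_of "$key" 'old-passphrase')

    # Back up the encrypted file first, as the answer advises (-p keeps 0600).
    cp -p "$key" "$key.bak"

    # Same operation as in the question, made non-interactive:
    # old passphrase via -P, new (empty) passphrase via -N.
    ssh-keygen -p -P 'old-passphrase' -N '' -f "$key" >/dev/null \
        || { rm -rf "$dir"; return 2; }

    after=$(pubkey_of "$key" '')                      # now unencrypted
    backup=$(pubkey_of "$key.bak" 'old-passphrase')   # backup still encrypted
    rm -rf "$dir"

    [ -n "$before" ] && [ "$before" = "$after" ] && [ "$before" = "$backup" ]
}

if passphrase_change_keeps_key; then
    echo "public key unchanged after passphrase removal"
else
    echo "public key differs or demo could not run"
fi
```

For the real key, the same comparison can be done by saving the output of `ssh-keygen -y -f <my/key/file>` before and after the change and diffing the two.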