1206

I set a passphrase when creating a new SSH key on my laptop. But, as I realise now, this is quite painful when you are trying to commit (Git and SVN) to a remote location over SSH many times in an hour.

One way I can think of is, delete my SSH keys and create new. Is there a way to remove the passphrase, while still keeping the same keys?

Peter Mortensen
  • 28,342
  • 21
  • 95
  • 123
btbytes
  • 75
  • 3
  • 4
  • 10
  • 9
    I think the strict answer is actually Torsten Marek's response. The ssh-agent trick may be what you are looking for, but it's an answer to a different question. – tardate Sep 22 '08 at 06:45
  • 1
    The passphrase is not just a key to unlock private SSH key, but a part of encryption mechanism. One part is your SSH key, other - the passphrase entered manually. Only if both parts are correct the composite key generated from them on the fly will be valid. So, other passphrase corresponds to other SSH key (and no passphrase is a special case of "other passphrase"). – Paul Aug 19 '14 at 06:59
  • 112
    Closing such questions is like debating wether side effects in programming languages should be allowed because they are 'pure' or not. Purists always run amok, while the others do not give a damn because it's a helpful feature and makes life easier. ssh is needed, even tough it's not strictly programming related... don't close such questions. :| – sjas Aug 28 '14 at 09:00

7 Answers7

2223

Short answer:

$ ssh-keygen -p

This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).

If you would like to do it all on one line without prompts do:

$ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]

Important: Beware that when executing commands they will typically be logged in your ~/.bash_history file (or similar) in plain text including all arguments provided (i.e. the passphrases in this case). It is, therefore, is recommended that you use the first option unless you have a specific reason to do otherwise.

Notice though that you can still use -f keyfile without having to specify -P nor -N, and that the keyfile defaults to ~/.ssh/id_rsa, so in many cases, it's not even needed.

You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.

Arsen Khachaturyan
  • 6,472
  • 4
  • 32
  • 36
Torsten Marek
  • 74,426
  • 19
  • 88
  • 96
  • 474
    To be explicit: you can just run `ssh-keygen -p` in a terminal. It will then prompt you for a keyfile (defaulted to the correct file for me, `~/.ssh/id_rsa`), the old passphrase (enter what you have now) and the new passphrase (enter nothing). – Henrik N Apr 25 '11 at 19:51
  • 41
    Ex. : `ssh-keygen -p -P oldpassphrase -N "" -f ~/.ssh/id_rsa` – Fedir RYKHTIK May 11 '16 at 17:54
  • ahh, use putty. Its cross platform and you get to do things via a gui. load the key and delete the password, then save privatekey :) – Dr Deo Jul 29 '16 at 06:44
  • 25
    -1 for making the user type his password in the terminal and making it accessible through ``~/.bash_history``. It's better to type: ``$ cd ~/.ssh && ssh-keygen -f id_dsa -p`` – betoharres Sep 26 '16 at 17:32
  • 10
    You guys should note that if you enter the command to the shell started a (white)space that **command is not recorded** to the `~/.bash_hstory` Ie. use ` ssh-keygen -p -P oldpassphrase -N "" -f ~/.ssh/id_rsa` and you are fine( unless you have other keylogger there). You could also [get rid of the record from the history](http://unix.stackexchange.com/questions/49214/how-to-remove-a-single-line-from-history).. – Huge Nov 29 '16 at 05:42
  • If you ever want to expunge your entire bash session from the record you can just `kill -9 $$` since `$$` is the current pid. – Bruno Bronosky Jan 26 '17 at 17:56
  • 1
    @Huge, that is not universally true. I'm not denying that you system does that. But, if it does, it's because of a special configuration. – Bruno Bronosky Jan 26 '17 at 17:56
  • 2
    @BrunoBronosky Right, HISTCONTROL environment variable drives, what formats of commands are recorded and which not. Usually it is set as `HISTCONTROL=ignorespace` in .bashrc as default. – Huge Feb 06 '17 at 10:08
  • 17
    It may be worth adding a line saying that this will overwrite the existing file and not prompt for a new location. – Lars Francke Apr 25 '17 at 10:04
  • @betoharres If you're going to go there then you should also point out that in e.g. X11 you can snoop all keyboard strokes (though I can't recall how exactly you still can)... And whether or not the OP is using X11 is irrelevant to my point. – Pryftan Oct 23 '18 at 12:58
  • 1
    @BrunoBronosky Why even bother with that? Just do *`history -c`* to clear it out. You can also if you don't care about history symlink it to *`/dev/null`*. You can also delete specific entries in the history file. You could also edit the file directly. Or maybe you mean just that session? Rereading it perhaps you mean that? – Pryftan Oct 23 '18 at 12:59
  • To avoid typing the new password, and thus saving it in history, could you type `ssh-keygen -p -P oldpassphrase -f ~/.ssh/id_rsa` and have `ssh-keygen` prompt for the new password? I can't see why you care about saving the old passphrase in history, since by the time `ssh-keygen` has finished, it's no longer valid. – dgnuff Oct 23 '19 at 18:31
  • The ssh-keygen gave me "Saving key "/home/myusername/.ssh/id_rsa" failed: Permission denied.". I had to give write permissions to myself by `chmod u+w /home/myusername/.ssh/id_rsa` first. Then I did the ssh-keygen and removed the write permissions again by `chmod u-w /home/myusername/.ssh/id_rsa`. – David Vonka Apr 13 '20 at 08:39
62

$ ssh-keygen -p worked for me

Opened git bash. Pasted : $ ssh-keygen -p

Hit enter for default location.

Enter old passphrase

Enter new passphrase - BLANK

Confirm new passphrase - BLANK

BOOM the pain of entering passphrase for git push was gone.

Thanks!

ascripter
  • 4,220
  • 11
  • 34
  • 50
Karan
  • 31
  • 2
  • 3
42

You might want to add the following to your .bash_profile (or equivalent), which starts ssh-agent on login.

if [ -f ~/.agent.env ] ; then
    . ~/.agent.env > /dev/null
    if ! kill -0 $SSH_AGENT_PID > /dev/null 2>&1; then
        echo "Stale agent file found. Spawning new agent… "
        eval `ssh-agent | tee ~/.agent.env`
        ssh-add
    fi 
else
    echo "Starting ssh-agent"
    eval `ssh-agent | tee ~/.agent.env`
    ssh-add
fi

On some Linux distros (Ubuntu, Debian) you can use:

ssh-copy-id -i ~/.ssh/id_dsa.pub username@host

This will copy the generated id to a remote machine and add it to the remote keychain.

You can read more here and here.

Andy
  • 16,265
  • 9
  • 48
  • 69
mlambie
  • 7,336
  • 6
  • 32
  • 41
  • 7
    Don't modern distribution start an ssh-agent out of the box? – Troels Arvin Nov 20 '08 at 08:18
  • **On some Linux distros (Ubuntu, Debian) you can use: ssh-copy-id -i ~/.ssh/id_dsa.pub username@host** Assuming of course you have access that way. And although it's from 2008 it maybe should be edited to refer to id_rsa.pub (yes I could edit it but I don't feel comfortable doing that to others' works - and it esp goes for something like this). – Pryftan Oct 23 '18 at 13:01
  • @TroelsArvin Yes. But otoh there are times where it's killed (though the circumstance I've come across doesn't come to mind - unless maybe X11 has a problem and you have to restart it... that might be one such instance). In that case you do have to 'recreate' it. – Pryftan Oct 23 '18 at 13:03
11

To change or remove the passphrase, I often find it simplest to pass in only the p and f flags, then let the system prompt me to supply the passphrases:

ssh-keygen -p -f <name-of-private-key>

For instance:

ssh-keygen -p -f id_rsa

Enter an empty password if you want to remove the passphrase.

A sample run to remove or change a password looks something like this:

ssh-keygen -p -f id_rsa
Enter old passphrase: 
Key has comment 'bcuser@pl1909'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

When adding a passphrase to a key that has no passphrase, the run looks something like this:

ssh-keygen -p -f id_rsa
Key has comment 'charlie@elf-path'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
ccalvert
  • 2,108
  • 1
  • 17
  • 20
6

On the Mac you can store the passphrase for your private ssh key in your Keychain, which makes the use of it transparent. If you're logged in, it is available, when you are logged out your root user cannot use it. Removing the passphrase is a bad idea because anyone with the file can use it.

ssh-keygen -K

Add this to ~/.ssh/config

UseKeychain yes
bbaassssiiee
  • 4,879
  • 1
  • 34
  • 46
6

On windows, you can use PuttyGen to load the private key file, remove the passphrase and then overwrite the existing private key file.

Ajit Goel
  • 3,264
  • 3
  • 42
  • 77
0

In windows for me it kept saying "id_ed25135: No such file or directory" upon entering above commands. So I went to the folder, copied the path within folder explorer and added "\id_ed25135" at the end.

This is what I ended up typing and worked:
ssh-keygen -p -f C:\Users\john\.ssh\id_ed25135

This worked. Because for some reason, in Cmder the default path was something like this C:\Users\capit/.ssh/id_ed25135 (some were backslashes: "\" and some were forward slashes: "/")

Kreshel
  • 1
  • 1