How do I remove the passphrase for the SSH key without having to create a new key?

Asked 21/9, 2008 at 22:39 Answered 22/9, 2008 at 0:10

Solved unix ssh passwords openssh passphrase

1562

I set a passphrase when creating a new SSH key on my laptop. But, as I realise now, this is quite painful when you are trying to commit (Git and SVN) to a remote location over SSH many times in an hour.

One way I can think of is, delete my SSH keys and create new. Is there a way to remove the passphrase, while still keeping the same keys?

Gnu answered 21/9, 2008 at 22:39 Comment(5)

I think the strict answer is actually Torsten Marek's response. The ssh-agent trick may be what you are looking for, but it's an answer to a different question. – Dislocation 22/9, 2008 at 6:45

The passphrase is not just a key to unlock private SSH key, but a part of encryption mechanism. One part is your SSH key, other - the passphrase entered manually. Only if both parts are correct the composite key generated from them on the fly will be valid. So, other passphrase corresponds to other SSH key (and no passphrase is a special case of "other passphrase"). – Theta 19/8, 2014 at 6:59

Closing such questions is like debating wether side effects in programming languages should be allowed because they are 'pure' or not. Purists always run amok, while the others do not give a damn because it's a helpful feature and makes life easier. ssh is needed, even tough it's not strictly programming related... don't close such questions. :| – Popover 28/8, 2014 at 9:0

I agree, it is painful, and I experience it multiple times per day, too. Sometimes, though, it gives me one final chance to glance at what I'm pushing before the actual push. I do find this little command line mod helpful: coderwall.com/p/fasnya/add-git-branch-name-to-bash-prompt – Curtin 18/8, 2021 at 21:13

A better solution to your problem would be using an ssh agent (or keychain, etc) to store your credentials for the session, rather than removing the password altogether. That way you can enter it one time instead of every time. Here's how to do that in Windows: https://mcmap.net/q/12875/-why-git-can-39-t-remember-my-passphrase-under-windows – Restive 10/1, 2023 at 19:49

2831

Short answer:

$ ssh-keygen -p

This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).

If you would like to do it all on one line without prompts do:

$ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]

Important: Beware that when executing commands they will typically be logged in your ~/.bash_history file (or similar) in plain text including all arguments provided (i.e. the passphrases in this case). It is, therefore, is recommended that you use the first option unless you have a specific reason to do otherwise.

Notice though that you can still use -f keyfile without having to specify -P nor -N, and that the keyfile defaults to ~/.ssh/id_rsa, so in many cases, it's not even needed.

You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.

Nadinenadir answered 21/9, 2008 at 22:42 Comment(15)

To be explicit: you can just run ssh-keygen -p in a terminal. It will then prompt you for a keyfile (defaulted to the correct file for me, ~/.ssh/id_rsa), the old passphrase (enter what you have now) and the new passphrase (enter nothing). – Emilieemiline 25/4, 2011 at 19:51

Ex. : ssh-keygen -p -P oldpassphrase -N "" -f ~/.ssh/id_rsa – Protrusion 11/5, 2016 at 17:54

ahh, use putty. Its cross platform and you get to do things via a gui. load the key and delete the password, then save privatekey :) – Koweit 29/7, 2016 at 6:44

-1 for making the user type his password in the terminal and making it accessible through ~/.bash_history. It's better to type: $ cd ~/.ssh && ssh-keygen -f id_dsa -p – Afterguard 26/9, 2016 at 17:32

You guys should note that if you enter the command to the shell started a (white)space that command is not recorded to the ~/.bash_hstory Ie. use ` ssh-keygen -p -P oldpassphrase -N "" -f ~/.ssh/id_rsa` and you are fine( unless you have other keylogger there). You could also get rid of the record from the history.. – Perretta 29/11, 2016 at 5:42

If you ever want to expunge your entire bash session from the record you can just kill -9 $$ since $$ is the current pid. – Bostow 26/1, 2017 at 17:56

@Huge, that is not universally true. I'm not denying that you system does that. But, if it does, it's because of a special configuration. – Bostow 26/1, 2017 at 17:56

@BrunoBronosky Right, HISTCONTROL environment variable drives, what formats of commands are recorded and which not. Usually it is set as HISTCONTROL=ignorespace in .bashrc as default. – Perretta 6/2, 2017 at 10:8

It may be worth adding a line saying that this will overwrite the existing file and not prompt for a new location. – Confusion 25/4, 2017 at 10:4

@Afterguard If you're going to go there then you should also point out that in e.g. X11 you can snoop all keyboard strokes (though I can't recall how exactly you still can)... And whether or not the OP is using X11 is irrelevant to my point. – Gosplan 23/10, 2018 at 12:58

@BrunoBronosky Why even bother with that? Just do history -c to clear it out. You can also if you don't care about history symlink it to /dev/null. You can also delete specific entries in the history file. You could also edit the file directly. Or maybe you mean just that session? Rereading it perhaps you mean that? – Gosplan 23/10, 2018 at 12:59

To avoid typing the new password, and thus saving it in history, could you type ssh-keygen -p -P oldpassphrase -f ~/.ssh/id_rsa and have ssh-keygen prompt for the new password? I can't see why you care about saving the old passphrase in history, since by the time ssh-keygen has finished, it's no longer valid. – Henhouse 23/10, 2019 at 18:31

The ssh-keygen gave me "Saving key "/home/myusername/.ssh/id_rsa" failed: Permission denied.". I had to give write permissions to myself by chmod u+w /home/myusername/.ssh/id_rsa first. Then I did the ssh-keygen and removed the write permissions again by chmod u-w /home/myusername/.ssh/id_rsa. – Gymnastics 13/4, 2020 at 8:39

I believe the ssh-agent is the way to go. You can take a look on this very helpfull article on how to enable it. – Greenstein 26/8, 2022 at 16:28

Rather than promoting a bad security practice (removing passphrase from the ssh key), it seems like it would be better to promote using something like ssh-agent to reduce repeated passphrase entries within the same session. – Restive 10/1, 2023 at 19:47

119

$ ssh-keygen -p worked for me

Opened git bash. Pasted : $ ssh-keygen -p

Hit enter for default location.

Enter old passphrase

Enter new passphrase - BLANK

Confirm new passphrase - BLANK

BOOM the pain of entering passphrase for git push was gone.

Thanks!

Tanker answered 21/9, 2008 at 22:39 Comment(5)

If when you hit enter for $ ssh-keygen -p and your key is not at the default location say (/Users/yourname/.ssh/id_rsa), you can respond by putting /Users/yourname/.ssh/yourkey when prompted – Elevon 15/5, 2020 at 17:36

Not a very secure practice. root can use your key without a passphrase, – Spermatogonium 25/1, 2021 at 16:12

BOOM your key is now not secure – Ramonramona 11/3, 2021 at 10:49

"root can use your key without a passphrase" add that to the list of all of the "security violations" that root can perform... if someone malicious has access to root you're in much deeper trouble. – Metapsychology 13/10, 2021 at 16:27

@Spermatogonium But if someone has root, they could also install a keylogger and get you typing your passphrase, so likely root gets your key either way. The scenario more with considering is a stolen machine that doesn't have full disk encryption. The thief would then have access to push to the repo. The extra work of typing a passphrase may or may not be worth the extra security of mitigating that scenario, it all depends on your context. – Prophase 8/8, 2023 at 21:25

You might want to add the following to your .bash_profile (or equivalent), which starts ssh-agent on login.

if [ -f ~/.agent.env ] ; then
    . ~/.agent.env > /dev/null
    if ! kill -0 $SSH_AGENT_PID > /dev/null 2>&1; then
        echo "Stale agent file found. Spawning new agent… "
        eval $(ssh-agent | tee ~/.agent.env)
        ssh-add
    fi 
else
    echo "Starting ssh-agent"
    eval $(ssh-agent | tee ~/.agent.env)
    ssh-add
fi

On some Linux distros (Ubuntu, Debian) you can use:

ssh-copy-id -i ~/.ssh/id_dsa.pub username@host

This will copy the generated id to a remote machine and add it to the remote keychain.

You can read more here and here.

Apologetic answered 22/9, 2008 at 0:10 Comment(4)

Don't modern distribution start an ssh-agent out of the box? – Conjecture 20/11, 2008 at 8:18

On some Linux distros (Ubuntu, Debian) you can use: ssh-copy-id -i ~/.ssh/id_dsa.pub username@host Assuming of course you have access that way. And although it's from 2008 it maybe should be edited to refer to id_rsa.pub (yes I could edit it but I don't feel comfortable doing that to others' works - and it esp goes for something like this). – Gosplan 23/10, 2018 at 13:1

@TroelsArvin Yes. But otoh there are times where it's killed (though the circumstance I've come across doesn't come to mind - unless maybe X11 has a problem and you have to restart it... that might be one such instance). In that case you do have to 'recreate' it. – Gosplan 23/10, 2018 at 13:3

If you load your keys into ssh-agent, then this command distributes them to the other host: ssh-copy-id user@host – Spermatogonium 9/8, 2023 at 7:19

To change or remove the passphrase, I often find it simplest to pass in only the p and f flags, then let the system prompt me to supply the passphrases:

ssh-keygen -p -f <name-of-private-key>

For instance:

ssh-keygen -p -f id_rsa

Enter an empty password if you want to remove the passphrase.

A sample run to remove or change a password looks something like this:

ssh-keygen -p -f id_rsa
Enter old passphrase: 
Key has comment 'bcuser@pl1909'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

When adding a passphrase to a key that has no passphrase, the run looks something like this:

ssh-keygen -p -f id_rsa
Key has comment 'charlie@elf-path'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

Stockjobber answered 21/9, 2008 at 22:39 Comment(0)

On the Mac you can store the passphrase for your private ssh key in your Keychain, which makes the use of it transparent. If you're logged in, it is available, when you are logged out your root user cannot use it. Removing the passphrase is a bad idea because anyone with the file can use it.

ssh-keygen -K

Add this to ~/.ssh/config

UseKeychain yes

Spermatogonium answered 21/9, 2008 at 22:39 Comment(0)

In windows for me it kept saying "id_ed25135: No such file or directory" upon entering above commands. So I went to the folder, copied the path within folder explorer and added "\id_ed25135" at the end.

This is what I ended up typing and worked:
ssh-keygen -p -f C:\Users\john\.ssh\id_ed25135

This worked. Because for some reason, in Cmder the default path was something like this C:\Users\capit/.ssh/id_ed25135 (some were backslashes: "\" and some were forward slashes: "/")

Bullfinch answered 21/9, 2008 at 22:39 Comment(0)

On windows, you can use PuttyGen to load the private key file, remove the passphrase and then overwrite the existing private key file.

Meier answered 21/9, 2008 at 22:39 Comment(0)

For me on Mac below steps solved the problem.

1> open a terminal go to users directory and enter the below command.

ssh-keygen -p

2> It will ask you

Enter file in which the key is (/Users/your user name/.ssh/id_rsa): give the file path which is shown in the round brackets.

3> Then it will ask you to enter the old passphrase. Write your old passphrase and enter. When you enter the passphrase terminal will not show anything.

4> The it will ask you to enter the new passphrase

Enter new passphrase (empty for no passphrase) If you don't want to keep any passphrase then just press enter.

5> Then again it will ask you to confirm the same passphrase

Enter same passphrase again Then again press enter.

6> Then you will get success message

Your identification has been saved with the new passphrase.

Eichler answered 21/9, 2008 at 22:39 Comment(0)

For Windows;

open a cmd screen write this and push enter.

ssh-keygen -p
cmd will ask you the old passphrase. Write your old passphrase and enter. You can't see the old passphrase when you write it.
cmd will ask you the new passphrase and its confirmation. You can let it blank.

Congratulations!!!

Chester answered 21/9, 2008 at 22:39 Comment(0)

If you have set a passphrase before and is using mac, use the keychain instead, you'll need to enter your passpharase for the last time and that's it

ssh-add --apple-use-keychain ~/.ssh/id_rsa
Enter passphrase for /Users/{{user_name}}/.ssh/id_rsa:
Identity added: /Users/{{user_name}}/.ssh/id_rsa(/Users/{{user_name}}/.ssh/id_rsa)

Montes answered 21/9, 2008 at 22:39 Comment(0)

-1

If you are using Mac

Go to .ssh folder
update config file by adding "UseKeychain yes"

Unriddle answered 21/9, 2008 at 22:39 Comment(1)

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Submersed 5/3, 2023 at 4:40

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags