1515

I set a passphrase when creating a new SSH key on my laptop. But, as I realise now, this is quite painful when you are trying to commit (Git and SVN) to a remote location over SSH many times in an hour.

One way I can think of is to delete my SSH keys and create new ones. Is there a way to remove the passphrase, while still keeping the same keys?

Peter Mortensen
btbytes
  • 13
    I think the strict answer is actually Torsten Marek's response. The ssh-agent trick may be what you are looking for, but it's an answer to a different question. – tardate Sep 22 '08 at 06:45
  • 1
    The passphrase is not just a key to unlock private SSH key, but a part of encryption mechanism. One part is your SSH key, other - the passphrase entered manually. Only if both parts are correct the composite key generated from them on the fly will be valid. So, other passphrase corresponds to other SSH key (and no passphrase is a special case of "other passphrase"). – Paul Aug 19 '14 at 06:59
  • 140
    Closing such questions is like debating whether side effects in programming languages should be allowed because they are 'pure' or not. Purists always run amok, while the others do not give a damn because it's a helpful feature and makes life easier. ssh is needed, even though it's not strictly programming related... don't close such questions. :| – sjas Aug 28 '14 at 09:00
  • I agree, it is painful, and I experience it multiple times per day, too. Sometimes, though, it gives me one final chance to glance at what I'm pushing before the actual push. I do find this little command line mod helpful: https://coderwall.com/p/fasnya/add-git-branch-name-to-bash-prompt – David Aug 18 '21 at 21:13
  • A better solution to your problem would be using an ssh agent (or keychain, etc) to store your credentials for the session, rather than removing the password altogether. That way you can enter it one time instead of every time. Here's how to do that in Windows: https://stackoverflow.com/a/58784438/936083 – Casey Kuball Jan 10 '23 at 19:49

11 Answers

2758

Short answer:

$ ssh-keygen -p

This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).


If you would like to do it all on one line without prompts do:

$ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]

Important: Beware that when executing commands they will typically be logged in your ~/.bash_history file (or similar) in plain text including all arguments provided (i.e. the passphrases in this case). It is, therefore, recommended that you use the first option unless you have a specific reason to do otherwise.

Notice though that you can still use -f keyfile without having to specify -P nor -N, and that the keyfile defaults to ~/.ssh/id_rsa, so in many cases, it's not even needed.

You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.

Arsen Khachaturyan
Torsten Marek
  • 499
    To be explicit: you can just run `ssh-keygen -p` in a terminal. It will then prompt you for a keyfile (defaulted to the correct file for me, `~/.ssh/id_rsa`), the old passphrase (enter what you have now) and the new passphrase (enter nothing). – Henrik N Apr 25 '11 at 19:51
  • 51
    Ex. : `ssh-keygen -p -P oldpassphrase -N "" -f ~/.ssh/id_rsa` – Fedir RYKHTIK May 11 '16 at 17:54
  • ahh, use putty. Its cross platform and you get to do things via a gui. load the key and delete the password, then save privatekey :) – Dr Deo Jul 29 '16 at 06:44
  • 33
    -1 for making the user type his password in the terminal and making it accessible through ``~/.bash_history``. It's better to type: ``$ cd ~/.ssh && ssh-keygen -f id_dsa -p`` – betoharres Sep 26 '16 at 17:32
  • 20
    You guys should note that if you enter the command to the shell starting with a (white)space, that **command is not recorded** to the `~/.bash_history`. I.e. use ` ssh-keygen -p -P oldpassphrase -N "" -f ~/.ssh/id_rsa` and you are fine (unless you have other keylogger there). You could also [get rid of the record from the history](http://unix.stackexchange.com/questions/49214/how-to-remove-a-single-line-from-history). – Huge Nov 29 '16 at 05:42
  • If you ever want to expunge your entire bash session from the record you can just `kill -9 $$` since `$$` is the current pid. – Bruno Bronosky Jan 26 '17 at 17:56
  • 2
    @Huge, that is not universally true. I'm not denying that your system does that. But, if it does, it's because of a special configuration. – Bruno Bronosky Jan 26 '17 at 17:56
  • 2
    @BrunoBronosky Right, HISTCONTROL environment variable drives, what formats of commands are recorded and which not. Usually it is set as `HISTCONTROL=ignorespace` in .bashrc as default. – Huge Feb 06 '17 at 10:08
  • 19
    It may be worth adding a line saying that this will overwrite the existing file and not prompt for a new location. – Lars Francke Apr 25 '17 at 10:04
  • @betoharres If you're going to go there then you should also point out that in e.g. X11 you can snoop all keyboard strokes (though I can't recall how exactly you still can)... And whether or not the OP is using X11 is irrelevant to my point. – Pryftan Oct 23 '18 at 12:58
  • 2
    @BrunoBronosky Why even bother with that? Just do *`history -c`* to clear it out. You can also if you don't care about history symlink it to *`/dev/null`*. You can also delete specific entries in the history file. You could also edit the file directly. Or maybe you mean just that session? Rereading it perhaps you mean that? – Pryftan Oct 23 '18 at 12:59
  • To avoid typing the new password, and thus saving it in history, could you type `ssh-keygen -p -P oldpassphrase -f ~/.ssh/id_rsa` and have `ssh-keygen` prompt for the new password? I can't see why you care about saving the old passphrase in history, since by the time `ssh-keygen` has finished, it's no longer valid. – dgnuff Oct 23 '19 at 18:31
  • The ssh-keygen gave me "Saving key "/home/myusername/.ssh/id_rsa" failed: Permission denied.". I had to give write permissions to myself by `chmod u+w /home/myusername/.ssh/id_rsa` first. Then I did the ssh-keygen and removed the write permissions again by `chmod u-w /home/myusername/.ssh/id_rsa`. – David Vonka Apr 13 '20 at 08:39
  • I believe the `ssh-agent` is the way to go. You can take a look at [this very helpful article](https://readforlearn.com/starting-ssh-agent-on-windows-10-fails-unable-to-start-ssh-agent-service-error-1058/) on how to enable it. – Eduardo Pacheco Aug 26 '22 at 16:28
  • 1
    Rather than promoting a bad security practice (removing passphrase from the ssh key), it seems like it would be better to promote using something like `ssh-agent` to reduce repeated passphrase entries within the same session. – Casey Kuball Jan 10 '23 at 19:47
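
The history concern raised in this answer and its comments can be checked after the fact. The following is an added example, not part of the original answer or comments: it reports which lines of a history file passed a non-empty value to `-P` or `-N`, and tests whether a given `HISTCONTROL` value makes the leading-space trick effective. The function names and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Report history lines where ssh-keygen received a non-empty -P or -N value.
# Output is "<line number> <flag>"; the passphrase itself is never printed.
leaked_keygen_flags() {   # leaked_keygen_flags HISTORY_FILE
    awk -v dq='""' -v sq="''" '
    /ssh-keygen/ {
        for (i = 1; i < NF; i++)
            if (($i == "-P" || $i == "-N") && $(i+1) != dq && $(i+1) != sq)
                print NR, $i
    }' "$1"
}

# A leading space keeps a command out of history only when HISTCONTROL
# contains ignorespace or ignoreboth; returns 0 in that case.
space_prefix_hidden() {   # space_prefix_hidden "$HISTCONTROL"
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample history, not taken from a real system.
sample_history=$(mktemp)
cat > "$sample_history" <<'EOF'
git status
ssh-keygen -p -f ~/.ssh/id_rsa
ssh-keygen -p -P oldpassphrase -N "" -f ~/.ssh/id_rsa
ssh-keygen -p -N 'new secret' -f ~/.ssh/id_ed25519
EOF
leaked_keygen_flags "$sample_history"
```

A passphrase that shows up in this report should be treated as exposed and changed with the interactive `ssh-keygen -p` form.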
111

$ ssh-keygen -p worked for me

Opened git bash. Pasted : $ ssh-keygen -p

Hit enter for default location.

Enter old passphrase

Enter new passphrase - BLANK

Confirm new passphrase - BLANK

BOOM the pain of entering passphrase for git push was gone.

Thanks!

ascripter
Karan
  • 1
    If when you hit enter for `$ ssh-keygen -p` and your key is not at the default location say (/Users/yourname/.ssh/id_rsa), you can respond by putting `/Users/yourname/.ssh/yourkey` when prompted – Chigozie Orunta May 15 '20 at 17:36
  • 1
    Not a very secure practice. root can use your key without a passphrase. – bbaassssiiee Jan 25 '21 at 16:12
  • 6
    BOOM your key is now not secure – mikep Mar 11 '21 at 10:49
  • 14
    "root can use your key without a passphrase" add that to the list of all of the "security violations" that root can perform... if someone malicious has access to root you're in much deeper trouble. –  Oct 13 '21 at 16:27
  • @bbaassssiiee But if someone has root, they could also install a keylogger and get you typing your passphrase, so likely root gets your key either way. The scenario more worth considering is a stolen machine that doesn't have full disk encryption. The thief would then have access to push to the repo. The extra work of typing a passphrase may or may not be worth the extra security of mitigating that scenario, it all depends on your context. – Azendale Aug 08 '23 at 21:25
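
To find keys that have had their passphrase removed, as discussed in this answer and its comments, the key file itself can be inspected. This is an added example, not code from the original posts: it reads the cipher name from the `openssh-key-v1` header (`none` means no passphrase) and falls back to the PEM headers for older key formats. Function names and sample files are constructed.

```shell
#!/bin/sh
# Classify how a private key file is stored: encrypted | unencrypted | unknown
key_protection() {
    if grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # openssh-key-v1 layout: 15-byte magic "openssh-key-v1\0", a 4-byte
        # length, then the cipher name, which is "none" without a passphrase.
        hex=$(grep -v -e '^-----' "$1" | base64 -d 2>/dev/null |
              od -An -v -tx1 -N 23 | tr -d ' \n')
        case $hex in
            6f70656e7373682d6b65792d763100000000046e6f6e65*) echo unencrypted ;;
            6f70656e7373682d6b65792d763100*) echo encrypted ;;
            *) echo unknown ;;
        esac
    elif grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted       # legacy PEM or PKCS#8 with a passphrase
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo unencrypted     # legacy PEM or PKCS#8 without a passphrase
    else
        echo unknown
    fi
}

# Print every private key in directory $1 that is stored without a passphrase.
unprotected_keys() {
    for f in "$1"/*; do
        case $f in *.pub) continue ;; esac
        [ -f "$f" ] && [ "$(key_protection "$f")" = unencrypted ] && echo "$f"
    done
    return 0
}

# Constructed sample: writes only the openssh-key-v1 header for cipher $1 to
# file $2 (no key material), which is all that key_protection reads.
make_sample_key() {
    len=$(printf '%03o' "${#1}")
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf "openssh-key-v1\\000\\000\\000\\000\\${len}%s" "$1" | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$2"
}

demo_dir=$(mktemp -d)
make_sample_key none "$demo_dir/id_nopass"
make_sample_key aes256-ctr "$demo_dir/id_withpass"
unprotected_keys "$demo_dir"    # prints only the id_nopass path
```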
50

You might want to add the following to your .bash_profile (or equivalent), which starts ssh-agent on login.

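# Reuse a running ssh-agent if ~/.agent.env points at one; otherwise start one.
if [ -f ~/.agent.env ] ; then
    . ~/.agent.env > /dev/null
    # kill -0 only tests whether the recorded agent PID is still alive
    if ! kill -0 "$SSH_AGENT_PID" > /dev/null 2>&1; then
        echo "Stale agent file found. Spawning new agent… "
        eval "$(ssh-agent | tee ~/.agent.env)"
        ssh-add
    fi
else
    echo "Starting ssh-agent"
    eval "$(ssh-agent | tee ~/.agent.env)"
    ssh-add
fi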

On some Linux distros (Ubuntu, Debian) you can use:

ssh-copy-id -i ~/.ssh/id_dsa.pub username@host

This will copy the generated id to a remote machine and add it to the remote keychain.

You can read more here and here.

bbaassssiiee
mlambie
  • 7
    Don't modern distributions start an ssh-agent out of the box? – Troels Arvin Nov 20 '08 at 08:18
  • 1
    **On some Linux distros (Ubuntu, Debian) you can use: ssh-copy-id -i ~/.ssh/id_dsa.pub username@host** Assuming of course you have access that way. And although it's from 2008 it maybe should be edited to refer to id_rsa.pub (yes I could edit it but I don't feel comfortable doing that to others' works - and it esp goes for something like this). – Pryftan Oct 23 '18 at 13:01
  • @TroelsArvin Yes. But otoh there are times where it's killed (though the circumstance I've come across doesn't come to mind - unless maybe X11 has a problem and you have to restart it... that might be one such instance). In that case you do have to 'recreate' it. – Pryftan Oct 23 '18 at 13:03
  • If you load your keys into ssh-agent, then this command distributes them to the other host: `ssh-copy-id user@host` – bbaassssiiee Aug 09 '23 at 07:19
26

To change or remove the passphrase, I often find it simplest to pass in only the p and f flags, then let the system prompt me to supply the passphrases:

ssh-keygen -p -f <name-of-private-key>

For instance:

ssh-keygen -p -f id_rsa

Enter an empty password if you want to remove the passphrase.

A sample run to remove or change a password looks something like this:

ssh-keygen -p -f id_rsa
Enter old passphrase: 
Key has comment 'bcuser@pl1909'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

When adding a passphrase to a key that has no passphrase, the run looks something like this:

ssh-keygen -p -f id_rsa
Key has comment 'charlie@elf-path'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
ccalvert
12

On the Mac you can store the passphrase for your private ssh key in your Keychain, which makes the use of it transparent. If you're logged in, it is available; when you are logged out, your root user cannot use it. Removing the passphrase is a bad idea because anyone with the file can use it.

ssh-add --apple-use-keychain ~/.ssh/id_rsa

Add this to ~/.ssh/config

UseKeychain yes
bbaassssiiee
7

On Windows, you can use PuttyGen to load the private key file, remove the passphrase and then overwrite the existing private key file.

Ajit Goel
7

In Windows, for me it kept saying "id_ed25135: No such file or directory" upon entering the above commands. So I went to the folder, copied the path within folder explorer and added "\id_ed25135" at the end.

This is what I ended up typing and worked:
ssh-keygen -p -f C:\Users\john\.ssh\id_ed25135

This worked. Because for some reason, in Cmder the default path was something like this C:\Users\capit/.ssh/id_ed25135 (some were backslashes: "\" and some were forward slashes: "/")

Kreshel
4

For Windows:

  1. Open a cmd screen, write this and push enter.

    ssh-keygen -p

  2. cmd will ask you for the old passphrase. Write your old passphrase and press enter. You can't see the old passphrase when you write it.

  3. cmd will ask you for the new passphrase and its confirmation. You can leave it blank.

Congratulations!!!

avariant
0

If you have set a passphrase before and are using a Mac, use the keychain instead; you'll need to enter your passphrase for the last time and that's it.

ssh-add --apple-use-keychain ~/.ssh/id_rsa
Enter passphrase for /Users/{{user_name}}/.ssh/id_rsa:
Identity added: /Users/{{user_name}}/.ssh/id_rsa(/Users/{{user_name}}/.ssh/id_rsa)
0

For me on Mac below steps solved the problem.

1> open a terminal go to users directory and enter the below command.

ssh-keygen -p

2> It will ask you

Enter file in which the key is (/Users/your user name/.ssh/id_rsa): give the file path which is shown in the round brackets.

3> Then it will ask you to enter the old passphrase. Write your old passphrase and enter. When you enter the passphrase terminal will not show anything.

4> Then it will ask you to enter the new passphrase

Enter new passphrase (empty for no passphrase) If you don't want to keep any passphrase then just press enter.

5> Then again it will ask you to confirm the same passphrase

Enter same passphrase again Then again press enter.

6> Then you will get success message

Your identification has been saved with the new passphrase.

starball
Abhishek B
-1

If you are using Mac

  • Go to .ssh folder
  • update config file by adding "UseKeychain yes"
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 05 '23 at 04:40