I think I forgot the passphrase for my SSH key, but I have a hunch what it might be. How do I check if I'm right?
6 Answers
ssh-keygen -y

`ssh-keygen -y` will prompt you for the passphrase (if there is one).
If you input the correct passphrase, it will show you the associated public key.
If you input the wrong passphrase, it will display `load failed`.
If the key has no passphrase, it will not prompt you for a passphrase and will immediately show you the associated public key.
e.g.,
Create a new public/private key pair, with or without a passphrase:
$ ssh-keygen -f /tmp/my_key
...
Now see if you can access the key pair:
$ ssh-keygen -y -f /tmp/my_key
Following is an extended example, showing output.
Create a new public/private key pair, with or without a passphrase:
$ ssh-keygen -f /tmp/my_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/my_key.
Your public key has been saved in /tmp/my_key.pub.
The key fingerprint is:
de:24:1b:64:06:43:ca:76:ba:81:e5:f2:59:3b:81:fe rob@Robs-MacBook-Pro.local
The key's randomart image is:
+--[ RSA 2048]----+
| .+ |
| . . o |
| = . + |
| = + + |
| o = o S . |
| + = + * |
| = o o . |
| . . |
| E |
+-----------------+
Attempt to access the key pair by inputting the correct passphrase.
Note that the public key will be shown and the exit status (`$?`) will be `0` to indicate success:
$ ssh-keygen -y -f /tmp/my_key
Enter passphrase:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBJhVYDYxXOvcQw0iJTPY64anbwSyzI58hht6xCGJ2gzGUJDIsr1NDQsclka6s0J9TNhUEBBzKvh9nTAYibXwwhIqBwJ6UwWIfA3HY13WS161CUpuKv2A/PrfK0wLFBDBlwP6WjwJNfi4NwxA21GUS/Vcm/SuMwaFid9bM2Ap4wZIahx2fxyJhmHugGUFF9qYI4yRJchaVj7TxEmquCXgVf4RVWnOSs9/MTH8YvH+wHP4WmUzsDI+uaF1SpCyQ1DpazzPWAQPgZv9R8ihOrItLXC1W6TPJkt1CLr/YFpz6vapdola8cRw6g/jTYms00Yxf2hn0/o8ORpQ9qBpcAjJN
$ echo $?
0
Attempt to access the key pair by inputting an incorrect passphrase.
Note that the "load failed" error message will be displayed (message may differ depending on OS) and the exit status (`$?`) will be `1` to indicate an error:
$ ssh-keygen -y -f /tmp/my_key
Enter passphrase:
load failed
$ echo $?
1
Attempt to access a key pair that has no passphrase. Note that there is no prompt for the passphrase, the public key will be displayed, and the exit status (`$?`) will be `0` to indicate success:
$ ssh-keygen -y -f /tmp/my_key_with_no_passphrase
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLinxx9T4HE6Brw2CvFacvFrYcOSoQUmwL4Cld4enpg8vEiN8DB2ygrhFtKVo0qMAiGWyqz9gXweXhdmAIsVXqhOJIQvD8FqddA/SMgqM++2M7GxgH68N+0V+ih7EUqf8Hb2PIeubhkQJQGzB3FjYkvRLZqE/oC1Q5nL4B1L1zDQYPSnQKneaRNG/NGIaoVwsy6gcCZeqKHywsXBOHLF4F5nf/JKqfS6ojStvzajf0eyQcUMDVhdxTN/hIfEN/HdYbOxHtwDoerv+9f6h2OUxZny1vRNivZxTa+9Qzcet4tkZWibgLmqRyFeTcWh+nOJn7K3puFB2kKoJ10q31Tq19
$ echo $?
0
Note that the order of arguments is important. `-y` must come before `-f input_keyfile`, else you will get the error `Too many arguments.`.

- If there is no password, it will just print out the associated public key. – Kyrremann Oct 27 '16 at 14:55
- Thanks @Kyrremann! I have now updated the answer to reflect that. – Rob Bednark Nov 02 '16 at 21:19
- `ssh-keygen -y` asks for the key file and offers a default when you click return, as one would expect. – Timo Feb 11 '18 at 13:08
- I've used `ssh-keygen -y` to check the passphrase of my ssh key. It worked fine except my Ubuntu became incredibly slow. Most of the programs could start up in a minute or more while the CPU usage was 100%. After restarting my laptop I could hardly log in as it took minutes to see my desktop. Finally I've found [this issue on Ask Ubuntu](https://askubuntu.com/questions/788075/ubuntu-16-04-some-applications-take-too-long-to-start-up). I had to start by `gnome-keyring-daemon` to resolve the issue. – Adam Fónagy Aug 15 '18 at 12:32
- Note that the order of arguments is important: `ssh-keygen -f -y /to/my-key` does not work: `Too many arguments.` – BairDev Dec 29 '20 at 10:19
- WORKED, I used my system password! – Maneesh M Jul 10 '21 at 15:32
You can verify your SSH key passphrase by attempting to load it into your SSH agent. With OpenSSH this is done via `ssh-add`.
Once you're done, remember to unload your SSH passphrase from the terminal by running `ssh-add -d`.

- ssh-add requires admin rights on the machine, I think. I am getting an error: "Could not open a connection to your authentication agent." – IgorGanapolsky Feb 12 '14 at 21:15
- @IgorGanapolsky: No, it requires a running authentication agent. Modify your startup scripts or options to bring one up. – Ignacio Vazquez-Abrams Feb 12 '14 at 23:00
- [Rob's answer](http://stackoverflow.com/a/23666831/641451) is the correct answer. – mgarciaisaia Aug 16 '16 at 20:46
- *If* you happen to be using selinux, you might also want to check the context of the home directory and .ssh files! I was lucky enough to be able to use this simple fix: `# restorecon -R -v /home/user` To check if this is the problem (though the preceding command shouldn't cause any issues), you can use `$ ls -lZR` to examine the context. If you don't see `user_home_t` on the home directory and `ssh_home_t` on the `.ssh` directory and `authorized_keys` file, then use `restorecon` to fix them. – fbicknel Nov 21 '19 at 14:49
- Rob's answer is the correct answer; this command only results in the error message "Could not open a connection to your authentication agent." So unless you have the exact setup that this poster has, then it is no answer; it's just a version of "works on my machine". – Shōgun8 Jul 21 '20 at 20:28
The best answer so far, that I found on the web is:
ssh-keygen -y -P "" -f ~/.ssh/id_rsa
That will attempt to read the private key with the passphrase as empty string. That will show a public key perfectly fine if you have a key with no passphrase.
Otherwise the app will exit with an error code and the message:
Load key "~/.ssh/id_rsa": incorrect passphrase supplied to decrypt private key

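The empty-passphrase probe from the answer above, applied to a whole directory to find private keys that have no passphrase. This is an added example, not part of any answer on this page; the function names `key_state` and `audit_keys` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answers): find private keys that
# load with an empty passphrase, using the exit status of
# `ssh-keygen -y -P "" -f FILE`. key_state and audit_keys are hypothetical names.

# key_state FILE -> prints one of: unprotected | protected | not-a-key
key_state() {
    # Skip anything without a PEM/OpenSSH private-key header (.pub files, notes).
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo not-a-key
    # Only the empty string is ever passed to -P, so no secret shows up in
    # the process list; </dev/null guarantees nothing can prompt.
    elif ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1; then
        echo unprotected
    else
        # Non-zero exit: the empty passphrase did not decrypt the key.
        # ssh-keygen also fails on a corrupt key or too-open file
        # permissions, so "protected" here means "did not load unencrypted".
        echo protected
    fi
}

# audit_keys DIR -> prints "STATE<TAB>FILE" per private key found;
# returns 1 if any key is unprotected, 0 otherwise.
audit_keys() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(key_state "$f")
        if [ "$state" = not-a-key ]; then continue; fi
        printf '%s\t%s\n' "$state" "$f"
        if [ "$state" = unprotected ]; then found=1; fi
    done
    return "$found"
}

# Run as: sh audit.sh ~/.ssh   (no arguments: only define the functions)
if [ $# -gt 0 ]; then
    audit_keys "$1"
fi
```

The non-zero return from `audit_keys` makes the script usable as a check in a login or provisioning script.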
Extending @RobBednark's solution to a specific Windows + PuTTY scenario, you can do so:
Generate SSH key pair with PuTTYgen (following Manually generating your SSH key in Windows), saving it to a PPK file;
With the context menu in Windows Explorer, choose Edit with PuTTYgen. It will prompt for a password.
If you type the wrong password, it will just prompt again.
Note, if you like to type, use the following command on a folder that contains the PPK file: `puttygen private-key.ppk -y`.

Use "ssh-keygen -p". You can add "-f "
It will prompt you for the old password. If the password is correct, it will prompt to enter a new password. If the old password is incorrect, you will get "Failed to load key <...>".

If your passphrase is to unlock your SSH key and you don't have `ssh-agent`, but do have sshd (the SSH daemon) installed on your machine, do:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys;
ssh localhost -i ~/.ssh/id_rsa
Where `~/.ssh/id_rsa.pub` is the public key, and `~/.ssh/id_rsa` is the private key.

- I get an error: "ssh: connect to host localhost port 22: Bad file number" – IgorGanapolsky Feb 12 '14 at 21:15
- "ssh: connect to host localhost port 22: Bad file number" is sshd running on your local machine? Is it possible that you have a software-firewall preventing access? – Alexx Roche Apr 10 '21 at 14:20