/ DevOps Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Manage SSH Key File With a Passphrase

DZone's Guide to

Manage SSH Key File With a Passphrase

We take a look at how to protect your SSH keys by passphrase without inducing a lot of headaches. Read on to find out how.

by
Denny Zhang
·
Oct. 13, 16 · DevOps Zone
Free Resource

Comment (1)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Download the blueprint that can take a company of any maturity level all the way up to enterprise-scale continuous delivery using a combination of Automic Release Automation, Automic’s 20+ years of business automation experience, and the proven tools and practices the company is already leveraging.

Any serious DevOps will only SSH by the key file, not with a password. Right? And mostly, our powerful key file can unlock many critical ENVs. Have you ever uploaded your private key to other ENVs, like Jumpbox? What if your key is magically stolen by hackers somehow?

Time to protect your sensitive SSH key with a passphrase, and live with it, headache-free.

Here's a cheat sheet for impatient users, though I recommend reading this post through, even for experienced users.
Name Summary
Load key file ssh-add ~/.ssh/id_rsa
Remove all loaded keys ssh-add -D
Whether it’s encrypted grep “ENCRYPTED” id_rsa
Add/Change passphrase ssh-keygen -p -f id_dsa
Remove passphrase ssh-keygen -p -P $passwd -N “” -f id_rsa
Load key without prompt Check link: here

Add Passphrase to Existing SSH Key

We can easily use ssh-keygen to add a passphrase. This certainly gives us extra security benefit. What’s the impact of this change?

  • You never use your private key other than your computer, right? If yes, there's nothing you need to worry about. One tiny difference: you might be asked to input the passphrase once. Check all loaded keys by ssh-add -l.
  • In some cases, we might use key files to do a passwordless login with remote servers. For example, the SSH tunnel for port forwarding, the SSH from Jumpbox to other machines, etc. Then, we have to make sure that the key file is correctly loaded and recognized. Run ssh-add ./id_rsa, then input passphrase manually. This also can be done automatically, which I will explain it shortly.
# Change file mode to allow overwrite
chmod 700 id_rsa

# Add passphrase to key file
ssh-keygen -p -f id_rsa

# Denny-mac:.ssh mac$ ssh-keygen -p -f id_rsa
# Key has comment 'id_rsa'
# Enter new passphrase (empty for no passp...
# Enter same passphrase again: 
# Your identification has been saved with ...

Load Protected SSH Key Without Prompt

It's a pity that ssh-add itself doesn’t have native support for this. Here is a workaround (a bit tricky, I admit).

# Specify your passphrase here
export YOUR_PASSPHRASE="XXX"

# Load protected key without prompt
echo "echo $YOUR_PASSPHRASE" > /tmp/mypass
chmod 700 /tmp/mypass
cat id_rsa| SSH_ASKPASS=/tmp/mypass ssh-add -

# Verify loaded certificate
ssh-add -l

Change Passphrase for Existing Private Key

Run the below command. You will be asked to input the old passphrase and a new one. If the key is not encrypted, just press enter in the terminal.

ssh-keygen -p -f ~/.ssh/id_dsa

Remove Passphrase

Use openssl to remove the passphrase. You will need to manually input the old passphrase.

openssl rsa -in id_rsa -out id_rsa_new

The same can be done by ssh-keygen. The amazing part is that there is no required human intervention; it's totally automated.

ssh-keygen -p -P "$OLDPASS" -N "" -f id_rsa

More Reading: Reverse SSH Tunnel: Export Your Mac Laptop to the Internet

References

UNIX Stack Exchange

ThinkPlexx

StackOverflow 

Download the ‘Practical Blueprint to Continuous Delivery’ to learn how Automic Release Automation can help you begin or continue your company’s digital transformation.

Like This Article? Read More From DZone

What I Learned After Using an SSH Honeypot for 7 Days
Avoid Using Same SSH Private Key For All Your Servers
Deploy Your Static or Dynamic Websites Using Git in Public Cloud

Free DZone Refcard

Declarative Pipeline With Jenkins
DOWNLOAD
Topics:
ssh ,devops ,security ,envs

Comment (1)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Denny Zhang, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

DevOps Partner Resources

QA Strategies for Great Software Whatever Your Growth Stage
Continue your digital transformation with a Blueprint for Continuous Delivery.
Accelerate DevOps Early, Everywhere at Scale
Starting and Scaling DevOps in the Enterprise
The CTO’s Ultimate Guide to Continuous Testing
DevOps and Continuous Delivery Reference Architectures
Jenkins, Docker and DevOps: The Innovation Catalysts
Uncover your DevOps maturity level in four key areas.
The Ultimate Monitoring Tools Landscape
Redefine application release processes and unify your DevOps strategy.
3 Use Cases of How Our DevOps Teams Automate Development
Optimizing Internal Communications with DevOps

DevOps Partner Resources

QA Strategies for Great Software Whatever Your Growth Stage
Continue your digital transformation with a Blueprint for Continuous Delivery.
Accelerate DevOps Early, Everywhere at Scale
Starting and Scaling DevOps in the Enterprise
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone