400

I have an existing public/private key pair. The private key is password protected, and the encryption may be either RSA or DSA. These keys are the kind you generate with ssh-keygen and generally store under ~/.ssh.

I'd like to change the private key's password. How do I go about it, on a standard Unix shell?

Also, how do I simply remove the password? Just change it to empty?

Peter Mortensen
kch

3 Answers

531

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]
dannyman
Mike Mazur
  • 1
    This is from the man page shipping with net-misc/openssh-5.2_p1-r2 on Gentoo Linux. – Mike Mazur Aug 06 '09 at 06:04
  • Or, more precisely, for a default location DSA key, ssh-keygen -pf ~/.ssh/id_dsa – kch Aug 06 '09 at 06:11
  • I like providing the key file as arg, can you update your answer to reflect my whimsical penchants so I can accept it without reservations? #pedanticwho – kch Aug 06 '09 at 06:14
  • 18
    Also, for the sake of the future lazy person, I'd reverse the order: quick answer first, man page later. – kch Aug 06 '09 at 06:15
  • 2
    I think the answer is great since it both shows where you can change the password, and where to look for the answer. I've helped a lot of people setting up ssh keys, and for them actually remembering which tool they have used isn't always easy. Besides, searching for the answer on the 'net is the first option for many... – sastorsl May 04 '15 at 06:26
  • 6
    If your machines use OpenSSH >= 6.5, [you should be using the `-o` option](http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf) to enable the new private key format (bcrypt as KDF by default). With older OpenSSH versions, [use PKCS#8 for more secure private key files](http://blog.patshead.com/2013/09/generating-new-more-secure-ssh-keys.html). – Quinn Comendant Aug 05 '15 at 18:14
  • There is a typo, correction: `$ ssh-keygen -p -f ~/.ssh/id_rsa` – Francisco Luz Aug 27 '15 at 04:04
  • 2
    @FranciscoLuz the command in my answer is specific to a DSA key. If you have an RSA key, then your command is correct. I added a blurb to the answer to address this. – Mike Mazur Aug 27 '15 at 15:02
  • @mike-mazur Huuumm. I wasn't aware of DSA keys. Thanks. – Francisco Luz Aug 28 '15 at 17:29
  • Why am I getting Failed to load key /home/marcus/.ssh/id_rsa: incorrect passphrase supplied to decrypt private key when I enter the correct pass phrase?? – embe Feb 17 '18 at 12:21
  • If you just have a single key and don't tend to customise the key's location, you can simply use: `ssh-keygen -p`. A default path will be suggested, just like when generating a key. – Alex Palmer Aug 24 '18 at 08:23
  • Perfect! It works for me, I just adapted it to the correct name of my key and that's all. Thank you – Irwuin Oct 22 '20 at 12:44
2

If you don't have ssh-keygen installed, you can also use openssl directly

key="/path/to/your.key"
algo="-des3" # or -aes256 or ...

openssl rsa $algo -in "$key" -out "$key.new"

# and replace old key with new one
mv "$key.new" "$key"
mivk
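A way to confirm what a passphrase change or removal actually left on disk, covering the `ssh-keygen -p` answer, the newer bcrypt-protected format mentioned in its comments, and the PEM files that `openssl rsa` writes. This is an added example, not part of the original answers; the function name `key_protection` and its output labels are made up here, and it reads only the file header without ever asking for the passphrase.

```shell
#!/bin/sh
# key_protection FILE   (hypothetical helper, added for illustration)
# Prints how the private key in FILE is protected:
#   openssh:<cipher>:<kdf>  new OpenSSH format ("none:none" = no passphrase)
#   pem:<cipher>            legacy PEM with a passphrase (cipher from DEK-Info)
#   pem:none                legacy PEM without a passphrase
#   pkcs8:encrypted | pkcs8:none | unknown
key_protection() {
    f=$1
    first=$(head -n 1 "$f") || return 1
    case $first in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # The base64 body starts with "openssh-key-v1\0", then the cipher
        # name and the KDF name, each preceded by a 4-byte length. Those
        # length bytes are non-printable, so turning every byte outside the
        # name alphabet into a space leaves magic, cipher, kdf as words 1-3.
        words=$(sed '/^-----/d' "$f" | base64 -d 2>/dev/null | head -c 64 |
                tr -c 'a-z0-9@._-' ' ')
        set -- $words
        [ "$1" = "openssh-key-v1" ] || { echo unknown; return 0; }
        echo "openssh:$2:$3"
        ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8:encrypted" ;;
    "-----BEGIN PRIVATE KEY-----")           echo "pkcs8:none" ;;
    "-----BEGIN "*" PRIVATE KEY-----")
        # Legacy PEM (RSA/DSA/EC): encryption is declared in text headers.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            cipher=$(sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$f" | head -n 1)
            echo "pem:$cipher"
        else
            echo "pem:none"
        fi
        ;;
    *) echo unknown ;;
    esac
}
```

Source the file and run `key_protection ~/.ssh/id_rsa` before and after the change: a key whose passphrase was removed reports `openssh:none:none`, `pem:none` or `pkcs8:none`, and a key in the newer format with a passphrase reports `bcrypt` as its KDF.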
-14

Remove your SSH public/private keys:

rm ~/.ssh/id_rsa*

Recreate the keypair, choosing a new passphrase:

ssh-keygen -t rsa -f ~/.ssh/id_rsa

Add the newly created private key to your OS X Keychain to store the passphrase and manage unlocking it automatically:

ssh-add -K ~/.ssh/id_rsa

Copy the public key to the OS X clipboard for adding to web services like GitHub, etc.

cat ~/.ssh/id_rsa.pub | pbcopy

Add your newly created public key to the ~/.ssh/authorized_keys file of the remote server. Be sure to ensure the correct permissions of both the remote ~/.ssh folder (700) and ~/.ssh/authorized_keys (600). You may want to investigate using ssh-copy-id to ease this process.

Patrick Mevzek
gauta
  • 11
    The poster asked how to change passphrase on their key, not throw it away and generate a new one; and they never mentioned OS X. – musicinmybrain Aug 13 '18 at 12:17
  • 7
    I would have upvoted this answer if it wasn't for these three issues: **1.** Deleting the old keys isn't a good start since you'll need those when updating `authorized_keys`. **2.** You haven't mentioned why creating new keys is better than changing passwords on the old. **3.** You make assumptions about OS, which is not supported by the question. – kasperd Oct 18 '18 at 19:53