1. Introduction
Optimal security with the Secure Shell (SSH) protocol is achieved through the use of keys. While we can leave the keys without a password, protecting them with one further decreases the ways an attacker might compromise the system. Still, a key passphrase can be an inconvenience.
In this tutorial, we explore ways to remove the password from any SSH key. To that end, we discuss two common SSH suites and some specifics of the process.
For brevity and security reasons, we only consider the newest iteration of SSH version 2 (SSHv2) as implemented by OpenSSH and PuTTY.
We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4, OpenSSH 8.4p1, and PuTTY 0.77. It should work in most POSIX-compliant environments.
2. Using OpenSSH ssh-keygen
Starting with the OpenSSH suite, we can use ssh-keygen to generate keys with a passphrase interactively or automatically:
$ ssh-keygen -f openssh-key -N 'PASSWORD'
Generating public/private rsa key pair.
Your identification has been saved in openssh-key
Your public key has been saved in openssh-key.pub
The key fingerprint is:
SHA256:xT1[...]oOY baeldung@xost
The key's randomart image is:
[...]
In essence, we generate the keys and save them as openssh-key and openssh-key.pub with -f, specifying the password via -N.
Now, let’s confirm our password is required and works when trying to use the private key:
$ ssh-keygen -y -f openssh-key
Enter passphrase:
Load key "openssh-key": incorrect passphrase supplied to decrypt private key
$ ssh-keygen -y -f openssh-key -P 'PASSWORD'
ssh-rsa AAA[...]ZE= baeldung@xost
The -y flag makes ssh-keygen read a private key and output the public key to stdout. Entering an incorrect password terminates the operation. On the other hand, using -P to supply the correct password, we get the desired result.
At this point, we can use -p to request a password change, including -N in combination with -P to supply and change the passphrase at the same time:
$ ssh-keygen -p -P 'PASSWORD' -N '' -f openssh-key
Critically, the ” empty string argument to -N means we remove the password from the key.
3. Using PuTTY puttygen
Next, let’s generate a PuTTY key with the rsa [-t]ype in the putty-key [-o]utput file:
$ puttygen -t rsa -o putty-key --new-passphrase <(echo 'PASSWORD')
+++[...]
++++++++
Similar to the OpenSSH -N flag, we employ the PuTTY –new-passphrase flag any time we want to specify a password for a key. Since –new-passphrase expects a path to a file that contains the password, we use process substitution to directly supply that with echo.
In the same manner as the OpenSSH -p flag from before, we use the equivalent PuTTY -P flag to issue a password change with –old-passphrase supplying a file that contains the current one:
$ puttygen putty-key -P --old-passphrase <(echo 'PASSWORD') --new-passphrase <(echo '')
Now, our putty-key key has no password. Again, we use process substitution to supply the old and new passphrases.
4. Remarks
Notably, we can split and convert the keys between the OpenSSH and PuTTY formats. Knowing this, we can use either way for password removal.
Critically, removing the password from a private SSH key can be detrimental to the level of security we achieve. Because of this, using an SSH key manager like ssh-agent would probably be the better choice.
In addition, both ssh-keygen and puttygen offer interactive ways to change the password by omitting the -N or –new-password or the -P or –old-password flags.
Finally, PuTTY offers a graphical user interface (GUI) for many of its tools. For puttygen, the front-end is called PuTTYgen. Using the latter, we can perform multiple activities, including password setting and removal.
5. Summary
In this article, we saw how to remove the password from SSH keys via two common SSH suites.
In conclusion, although each has its own specifics related to the format, the basic idea and mechanism are the same.