Ssh – Changing the ssh passphrase on a private key has no effect

sshssh-keygen

I had a not protected by passphrase ssh key which I use to connect with a server. Now I want to add a passphrase to the key, so I've done:

ssh-keygen -p

and added a new passphrase:

Enter file in which the key is (/home/user/.ssh/id_rsa): 
Enter old passphrase: 
Key has comment '/home/user/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

Then, I try to connect again to the server:

ssh user@server.com -v

but I'm still logged without entering the passphrase:

debug1: Authentications that can continue: publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /home/user/.ssh/id_rsa

debug1: Server accepts key: pkalg ssh-rsa blen 279

debug1: Authentication succeeded (publickey).

Authenticated to server.com ([xxx.xx.xxx.xx]:22).

Why I'm not asked for the passphrase?

Edit:

Seahorse was storing the keys for me, so this was the issue.

Best Answer

ssh-agent is storing encrypted key in memory so change to the physical key on disk does not affect its functionality.

If you want make sure the change is effective, remove the key from agent and add it once more as noted in comments (ssh-add -D to remove and ssh-add to add the key again from default location).

Related Solutions

Ssh – How to remove strict RSA key checking in SSH and what’s the problem here

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Ssh – How to change the private key passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

Best Answer

Related Solutions

Ssh – How to remove strict RSA key checking in SSH and what’s the problem here

Ssh – How to change the private key passphrase

Related Topic