Ssh – Is it okay to use a SSH key with an empty passphrase

Securityssh

When I first learned how to make ssh keys, the tutorials I read all stated that a good passphrase should be chosen. But recently, when setting up a daemon process that needs to ssh to another machine, I discovered that the only way (it seems) to have a key that I don't need to auth at every boot is to create a key with an empty passphrase. So my question is, what are the concerns with using a key with no passphrase?

Best Answer

A key with no passphrase is reliant upon nobody else being able to get at that key (who wouldn’t be able to get at the resources it gives access to anyway). So, if the key grants access to a machine next to it, and both machines have the same level of electronic and physical security, then it’s not really any big deal.

On the other hand, if your key is on a machine with poor security (perhaps it has many untrusted users, is easily physically accessible, or isn’t kept well up-to-date with its patching regime), then you probably don’t want to keep passphrase-less keys on there.

Ultimately, it’s down to confidence in your setup and weighing up the risks/costs of doing it — if you can be pretty confident that it’s not realistically easier for an attacker to gain access to the key than to the resource the key gives you access to, then you’re fine. If you don’t have that confidence, you should probably fix the reasons why :)

Related Solutions

SSH – How to Change Private Key Passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

SSH Passphrase Remembered in MacOSX Snow Leopard – How to Manage

OS X will automatically launch ssh-agent for you when it needs your private key. Your key will then be available through ssh-agent (without entering your passphrase again) until you log out of OS X or remove the key (via ssh-add -d or ssh-add -D to remove all keys).

This is similar to standard *NIX system behavior with ssh-agent, and allows useful functionality like agent authentication forwarding (ssh -A) to work so you don't have to put your private key all over the network.

If you want to disable ssh-agent (for all users of your Mac) you may remove the file /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Another way is to unload & disable the LaunchAgent:

sudo launchctl -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

The -w causes it to not just unload but mark & remember it as disabled.

Best Answer

Related Solutions

SSH – How to Change Private Key Passphrase

SSH Passphrase Remembered in MacOSX Snow Leopard – How to Manage

Related Topic