Ubuntu: How to Change the Passphrase of an SSH Key

Updated: January 28, 2024 By: Guest Contributor

Introduction

Secure Shell (SSH) keys are a popular means for authenticating users on Linux systems securely. SSH keys are often protected with a passphrase to add an extra layer of security. At times, you may want to change the passphrase for various reasons, such as improving security or replacing a forgotten one. This tutorial will guide you through several ways to change the passphrase of an SSH key on an Ubuntu system, beginning from basic methods to more advanced scenarios.

Prerequisites

Before proceeding, ensure you have:

  • An existing SSH key whose passphrase you wish to change.
  • Access to a terminal on your Ubuntu system.
  • OpenSSH installed (this usually comes by default with Ubuntu).

Simple passphrase change

To change the passphrase of an existing SSH key, use the ssh-keygen command with the -p flag:

ssh-keygen -p

When you run this command, you will be asked for the file of the key whose passphrase you wish to change. By default, it will assume the key is stored at ~/.ssh/id_rsa.

Enter file in which the key is (/home/your_username/.ssh/id_rsa):
Enter old passphrase:
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:

After you have entered the required information, the passphrase will be updated without altering the SSH key pair itself: only the encryption of the private key file changes, so the public key and any authorized_keys entries derived from it stay valid.

Changing passphrase with direct file specification

If you’re dealing with multiple keys or your key is not stored in the default location, it’s helpful to specify the file directly:

ssh-keygen -p -f /path/to/your/ssh/key

Replace /path/to/your/ssh/key with the actual path to your SSH key file. You will then need to enter the old and new passphrase upon prompt.

Scripted passphrase updates

When automating the process, you can use an expect script to change the passphrase non-interactively. Warning: the old and new passphrases are embedded in clear text in the script, so anyone who can read the script file or observe the running process can recover them.

Installing expect

First, install expect using apt:

sudo apt-get update
sudo apt-get install expect

Creating an expect script

Below is a sample expect script to change an SSH key’s passphrase:

#!/usr/bin/expect -f
# Drives the interactive prompts of ssh-keygen -p. Both passphrases are stored
# in clear text in this file (see the warning above).
spawn ssh-keygen -p -f /path/to/your/ssh/key
# Note: a key that currently has no passphrase is never asked for the old one,
# so this first expect would time out for such a key.
expect "Enter old passphrase:"
send "oldpassphrase\r"
expect "Enter new passphrase (empty for no passphrase):"
send "newpassphrase\r"
expect "Enter same passphrase again:"
send "newpassphrase\r"
expect eof

Save this script as change_passphrase.exp and make it executable:

chmod +x change_passphrase.exp

Run the script:

./change_passphrase.exp

Remember to replace /path/to/your/ssh/key with your SSH key path, and oldpassphrase and newpassphrase with your old and new passphrases respectively.
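As an added example that is not part of the original article, the same non-interactive change can be done without expect, using ssh-keygen's own -P (old passphrase) and -N (new passphrase) options. The script name rotate.sh is assumed; it checks the old passphrase before touching the file and verifies the result afterwards.

```shell
#!/usr/bin/env bash
# Rotate the passphrase of an OpenSSH private key without expect, using
# ssh-keygen's own -P (old passphrase) and -N (new passphrase) options.
# The old passphrase is checked first and the result is verified afterwards,
# so a typo never leaves the key in an unknown state.
set -euo pipefail

# rotate_passphrase KEYFILE OLD NEW
# Returns 0 only if KEYFILE can be unlocked with NEW after the change.
rotate_passphrase() {
    local key="$1" old="$2" new="$3" mode
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    # ssh-keygen -p rewrites the file, so it must be writable by us and
    # should be private (0600); stat -c is the GNU coreutils form used on Ubuntu.
    mode=$(stat -c '%a' "$key")
    [ "$mode" = "600" ] || { echo "$key has mode $mode, expected 600" >&2; return 1; }
    # -y only prints the public key; it fails when an encrypted key cannot be
    # unlocked with OLD, which makes it a cheap dry run before modifying anything.
    ssh-keygen -y -P "$old" -f "$key" >/dev/null 2>&1 \
        || { echo "old passphrase rejected for $key" >&2; return 1; }
    ssh-keygen -p -P "$old" -N "$new" -f "$key" >/dev/null || return 1
    # Verify the rewritten key actually opens with NEW.
    ssh-keygen -y -P "$new" -f "$key" >/dev/null 2>&1
}

# Interactive use: ./rotate.sh ~/.ssh/id_ed25519
# Passphrases are read with echo disabled rather than passed on this script's
# command line, so they do not land in shell history (ssh-keygen itself still
# receives them as arguments for the moment it runs).
if [ "$#" -eq 1 ] && [ -t 0 ]; then
    read -rsp "Enter old passphrase: " old; echo
    read -rsp "Enter new passphrase (empty for no passphrase): " new; echo
    read -rsp "Enter same passphrase again: " again; echo
    [ "$new" = "$again" ] || { echo "passphrases do not match" >&2; exit 1; }
    rotate_passphrase "$1" "$old" "$new" && echo "passphrase updated for $1"
fi
```

Passing -N "" removes the passphrase entirely, exactly as answering the interactive prompt with an empty line would.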

Advanced usage of ssh-keygen

The ssh-keygen utility is very powerful and includes more advanced features you may find useful. For example:

  • Generating more complex keys with specific key types.
  • Producing keys with specific bit lengths for enhanced security.
  • Generating and outputting the key fingerprint.

To learn more about these advanced features and others, consult the man page for ssh-keygen:

man ssh-keygen

Troubleshooting

If you repeatedly receive errors when attempting to change your SSH key’s passphrase, consider the following:

  • Ensure the path to your SSH key file is correct.
  • Verify that you are using the correct old passphrase. If forgotten, it cannot be retrieved.
  • Check the permissions of your ~/.ssh directory (must be 700) and your key files (should be 600).

If none of these steps resolve your issue, further investigation into your system configuration and the state of the SSH key may be necessary.

Conclusion

Changing the passphrase of an SSH key is an essential skill for maintaining security and proper management of credentials on your Ubuntu system. By following this guide, you can confidently update your passphrases and automate the process where necessary.