SSH key passphrases

This guide will step you through the process of securing your ssh keys while avoiding re-entry of your passphrase every time you use the key.

Why do I need a passphrase?

Passwords aren’t very secure, you already know this. If you use one that’s easy to remember, it’s easier to guess or brute-force. If you use one that’s random it’s hard to remember, and thus you’re more inclined to write the password down. Both of these are Very Bad Things™. This is why you’re using ssh keys.

But using a key without a passphrase is basically the same as writing down that random password in a file on your computer. Anyone who gains access to your drive has gained access to every system you use that key with. This is also a Very Bad Thing™. The solution is obvious, add a passphrase.

But I don’t want to enter a long passphrase every time I use the key!

Neither do I! Thankfully, there’s a nifty little tool called ssh-agent that can save your passphrase securely so you don’t have to re-enter it. If you’re on OSX Leopard or later your keys can be saved in the system’s keychain to make your life even easier. Most linux installations will automatically start ssh-agent for you when you log in.

Adding or changing a passphrase

Passphrases can be added to an existing key or changed without regenerating the keypair very easily:

$ ssh-keygen -p
Enter file in which the key is (/Users/tekkub/.ssh/id_rsa):
Key has comment '/Users/tekkub/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

If your key already has a passphrase, you will be prompted to enter it before you can change to a new passphrase.

Auto-launching ssh-agent on msysgit

You can run ssh-agent automatically when you open bash by adding the following to your ~/.profile or ~/.bashrc file:

SSH_ENV="$HOME/.ssh/environment"

# start the ssh-agent
function start_agent {
    echo "Initializing new SSH agent..."
    # spawn ssh-agent
    ssh-agent | sed 's/^echo/#echo/' > "$SSH_ENV"
    echo succeeded
    chmod 600 "$SSH_ENV"
    . "$SSH_ENV" > /dev/null
    ssh-add
}

# test for identities
function test_identities {
    # test whether standard identities have been added to the agent already
    ssh-add -l | grep "The agent has no identities" > /dev/null
    if [ $? -eq 0 ]; then
        ssh-add
        # $SSH_AUTH_SOCK broken so we start a new proper agent
        if [ $? -eq 2 ];then
            start_agent
        fi
    fi
}

# check for running ssh-agent with proper $SSH_AGENT_PID
if [ -n "$SSH_AGENT_PID" ]; then
    ps -ef | grep "$SSH_AGENT_PID" | grep ssh-agent > /dev/null
    if [ $? -eq 0 ]; then
	test_identities
    fi
# if $SSH_AGENT_PID is not properly set, we might be able to load one from
# $SSH_ENV
else
    if [ -f "$SSH_ENV" ]; then
	. "$SSH_ENV" > /dev/null
    fi
    ps -ef | grep "$SSH_AGENT_PID" | grep -v grep | grep ssh-agent > /dev/null
    if [ $? -eq 0 ]; then
        test_identities
    else
        start_agent
    fi
fi

Note: If you don’t use the default key names, or store your keys in a different path, you will need to add the path to the /usr/bin/ssh-add line so that ssh knows where to find your key.

Now when you first run git bash, you will be prompted for your passphrase:

Initializing new SSH agent...
succeeded
Enter passphrase for /c/Users/Tekkub/.ssh/id_rsa:
Identity added: /c/Users/Tekkub/.ssh/id_rsa (/c/Users/Tekkub/.ssh/id_rsa)
Welcome to Git (version 1.6.0.2-preview20080923)


Run 'git help git' to display the help index.
Run 'git help <command>' to display help for specific commands.
[Tekkub@KAKU: ~ master]$

The process will continue to run until you log out, shutdown or kill ssh-agent. To kill the process, find its PID with ps then call kill <PID>:

[Tekkub@KAKU: ~ master]$ ps
        PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
       3796       1    3796       3796    ?  500 18:07:43 /bin/ssh-agent
       2780       1    2780       2780  con  500 18:10:50 /bin/bash
       3400    2780    3400        784  con  500 18:13:31 /bin/ps
[Tekkub@KAKU: ~ master]$ kill 3796

This section was written with help from this post.

Mac OSX Keychain

If you are on OSX Leopard or later, ssh-agent is run automatically for you. It will also integrate with the keychain, so you can unlock your keys with it. This has some major advantages over a command-line based setup like protecting your input from being copied or spied upon by universal access or low-level keyboard routines.

The default key files (.ssh/id_rsa, .ssh/id_dsa and .ssh/identity) should be handled automatically. If you have a key with a different name, you can add it with ssh-add path/to/my_key

Make sure that you’re using the default OS X ssh-add command and not one installed by macports or some other external source.

When you first try to use the key you will be prompted to enter your passphrase:

Keychain prompt

If you choose to save the passphrase with your keychain, you won’t have to enter it again. Instead you’ll simply need to unlock your keychain.

This section was written with help from this guide. If you would like to use more paranoid keychain settings like locking after sleep, check out this guide.