How to make auto trust gpg public key? - encryption

I am trying to add my GPG public key as a part of our appliance installation process. The purpose of it to encrypt any important files like logs before admin pulling them into his local using admin portal and then decrypt them using private key.
The plan is to export public key into a file and make appliance installation process to import it using gpg --import command. But I realized, the key is needed to be trusted/signed before do any encryption.
How to make this key is trusted without any human intervention at the time of installation?
Btw, our appliance os is ubuntu vm and we use kickstart to automate.
Advance thanks for all help.

Your question is really "How do I encrypt to a key without gpg balking at the fact that the key is untrusted?"
One answer is you could sign the key.
gpg --edit-key YOUR_RECIPIENT
sign
yes
save
The other is you could tell gpg to go ahead and trust.
gpg --encrypt --recipient YOUR_RECIPIENT --trust-model always YOUR_FILE

Coincidentally I have a similar situation to the OP - I'm trying to use public/private keys to sign and encrypt firmware for different embedded devices. Since no answer yet shows how to add trust to a key you already have imported, here is my answer.
After creating and testing the keys on a test machine, I exported them as ascii:
$ gpg --export -a <hex_key_id> > public_key.asc
$ gpg --export-secret-keys -a <hex_key_id> > private_key.asc
Then secure-copied and imported them to the build server:
$ gpg --import public_key.asc
$ gpg --import private_key.asc
Important: add trust
Now edit the key to add ultimate trust:
$ gpg --edit-key <user#here.com>
At the gpg> prompt, type trust, then type 5 for ultimate trust, then y to confirm, then quit.
Now test it with a test file:
$ gpg --sign --encrypt --yes --batch --status-fd 1 --recipient "recipient" --output testfile.gpg testfile.txt
which reports
...
[GNUPG:] END_ENCRYPTION
without adding trust, I get various errors (not limited to the following):
gpg: There is no assurance this key belongs to the named user
gpg: testfile.bin: sign+encrypt failed: Unusable public key

There's an easier way to tell GPG to trust all of its keys by using the --trust-model option:
gpg -a --encrypt -r <recipient key name> --trust-model always
From the man page:
--trust-model pgp|classic|direct|always|auto
Set what trust model GnuPG should follow. The models are:
always Skip key validation and assume that used
keys are always fully trusted. You generally
won't use this unless you are using some
external validation scheme. This option also
suppresses the "[uncertain]" tag printed
with signature checks when there is no evidence
that the user ID is bound to the key. Note that
this trust model still does not allow the use
of expired, revoked, or disabled keys.

Add trusted-key 0x0123456789ABCDEF to your ~/.gnupg/gpg.conf replacing the keyid. This is equivalent to ultimately trusting this key which means that certifications done by it will be accepted as valid. Just marking this key as valid without trusting it is harder and either requires a signature or switching the trust-model to direct. If you are sure to only import valid keys you can simply mark all keys as valid by adding trust-model always. In the latter case ensure that you disable automatic key retrieval (not enabled by default).

This worked for me:
Trying to encrypt a file responds with this:
gpg -e --yes -r <uid> <filename>
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
That causes my shell script to fail.
So I:
$gpg --edit-key <uid>
gpg> trust
Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
Now the encrypt works properly.

Based on #tersmitten's article and a bit of trial and error, I ended up with the following command line to trust all keys in a given keyring without user interaction. I use it for keys used with both StackEschange Blackbox and hiera-eyaml-gpg:
# The "-E" makes this work with both GNU sed and OS X sed
gpg --list-keys --fingerprint --with-colons |
sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |
gpg --import-ownertrust
Personally, I prefer a solution which stores the results in the trustdb file itself rather than depends on user environment outside the shared Git repo.

Here's a trick I've figured out for automation of GnuPG key management, hint heredoc + --command-fd 0 is like magic. Below is an abridged version of one of the scripts that's been written to aid in automation with GnuPG.
#!/usr/bin/env bash
## First argument should be a file path or key id
Var_gnupg_import_key="${1}"
## Second argument should be an integer
Var_gnupg_import_key_trust="${2:-1}"
## Point to preferred default key server
Var_gnupg_key_server="${3:-hkp://keys.gnupg.net}"
Func_import_gnupg_key_edit_trust(){
_gnupg_import_key="${1:-${Var_gnupg_import_key}}"
gpg --no-tty --command-fd 0 --edit-key ${_gnupg_import_key} <<EOF
trust
${Var_gnupg_import_key_trust}
quit
EOF
}
Func_import_gnupg_key(){
_gnupg_import_key="${1:-${Var_gnupg_import_key}}"
if [ -f "${_gnupg_import_key}" ]; then
echo "# ${0##*/} reports: importing key file [${_gnupg_import_key}]"
gpg --no-tty --command-fd 0 --import ${_gnupg_import_key} <<EOF
trust
${Var_gnupg_import_key_trust}
quit
EOF
else
_grep_string='not found on keyserver'
gpg --dry-run --batch --search-keys ${_gnupg_import_key} --keyserver ${Var_gnupg_key_server} | grep -qE "${_grep_string}"
_exit_status=$?
if [ "${_exit_status}" != "0" ]; then
_key_fingerprint="$(gpg --no-tty --batch --dry-run --search-keys ${_gnupg_import_key} | awk '/key /{print $5}' | tail -n1)"
_key_fingerprint="${_key_fingerprint//,/}"
if [ "${#_key_fingerprint}" != "0" ]; then
echo "# ${0##*/} reports: importing key [${_key_fingerprint}] from keyserver [${Var_gnupg_key_server}]"
gpg --keyserver ${Var_gnupg_key_server} --recv-keys ${_key_fingerprint}
Func_import_gnupg_key_edit_trust "${_gnupg_import_key}"
else
echo "# ${0##*/} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
fi
else
echo "# ${0##*/} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
fi
fi
}
if [ "${#Var_gnupg_import_key}" != "0" ]; then
Func_import_gnupg_key "${Var_gnupg_import_key}"
else
echo "# ${0##*/} needs a key to import."
exit 1
fi
Run with script_name.sh 'path/to/key' '1' or script_name.sh 'key-id' '1' to import a key and assign a trust value of 1 or edit all values with script_name.sh 'path/to/key' '1' 'hkp://preferred.key.server'
Encryption should now be without complaint but even if it does the following --always-trust option should allow encryption even with complaint.
gpg --no-tty --batch --always-trust -e some_file -r some_recipient -o some_file.gpg
If you wish to see this in action, then check the Travis-CI build logs and how the helper script GnuPG_Gen_Key.sh is used for both generating and importing keys in the same operation... version two of this helper script will be much cleaner and modifiable but it's a good starting point.

This oneliner updates the trustdb with the ownertrust values from STDIN -- by extracting the fingerprint to the format required by --import-ownertrust flag.
This flag, as detailed on gpg man page, should be used In case of a severely damaged trustdb and/or if you have a recent backup of the ownertrust values, you may re-create the trustdb.
gpg --list-keys --fingerprint \
| grep ^pub -A 1 \
| tail -1 \
| tr -d ' ' \
| awk 'BEGIN { FS = "\n" } ; { print $1":6:" }' \
| gpg --import-ownertrust

One way to trust imported gpg keys:
gpg --import <user-id.keyfile>
fpr=`gpg --with-colons --fingerprint <user-id> |awk -F: '$1 == "fpr" {print$10; exit}'`
gpg --export-ownertrust && echo $fpr:6: |gpg --import-ownertrust
here, I assume that you import a key with the <user-id> from <user-id.keyfile>. The second line only extracts fingerprint, you can drop it if you know the fingerprint beforehand.

I think, I figured way to do this.
I used 'gpg --import-ownertrust' to export my trust db into a text file then removed all of my keys from it except public key I needed to push. And then imported my public key and edited owner-trust file on to server. This seems like working.
Now I am having trouble implementing these steps in Kickstart file:-(

With powershell, here is how to trust john.doe#foo.bar (adapted from #tersmitten blog post):
(gpg --fingerprint john.doe#foo.bar | out-string) -match 'fingerprint = (.+)'
$fingerprint = $Matches[1] -replace '\s'
"${fingerprint}:6:" | gpg --import-ownertrust
Note: using cinst gpg4win-vanilla

There is a way to autotrust key using --edit-key, but without getting into interactive shell (so can be automated in script). Below is a sample for windows:
(echo trust &echo 5 &echo y &echo quit) | gpg --command-fd 0 --edit-key your#email.com

Unix based:
echo -e "5\ny\n" | gpg --homedir . --command-fd 0 --expert --edit-key user#exaple.com trust;
For more info read this post. It details if you are creating more than one key.

I used following script for import key:
#!/bin/bash
function usage() {
cat >&2 <<EOF
Usage: $0 path_of_private_key
Example: gpg_import.sh ~/.ssh/my_gpg_private.key
Import gpg key with trust.
EOF
exit 1
}
[[ $# -lt 1 ]] && usage
KEY_PATH=$1
KEY_ID=$(gpg --list-packets ${KEY_PATH}/${GPG_PRIVATE_KEY} | awk '/keyid:/{ print $2 }' | head -1)
gpg --import ${KEY_PATH}/${GPG_PRIVATE_KEY}
(echo trust &echo 5 &echo y &echo quit) | gpg --command-fd 0 --edit-key $KEY_ID

I am using windows with gpgwin4.0.2 installed.
Open the Kleopatra (the GUI) -> Certificates -> Right Click -> Certify. Once the has been certify, this message will not show any.

Try this :
(echo trust &echo 5 &echo y &echo quit &echo save) | gpg --homedir 'gpgDirectory/' --batch --command-fd 0 --edit-key 'youKey'
--homedir : not required

Related

GPG decrypting/encrypting string in memory only

Background:
I have a GPG encrypted secret that must not be written to file unencrypted.
Let say that it lives at ~/.secrets/.mysecret.gpg.
Running gpg ~/.secrets/.mysecret.gpg unencrypts the .mysecret.gpg and saves it to file at .mysecret (unacceptable). Running gpg -d ~/.secrets/.mysecret.gpg prints the decrypted secret only (thank you JustinC).
To avoid the stderr and to encode it in base64 for my use purpose, I wrote this shell function as a convenience method:
keyreader() {
local gpg_file=$1
echo -n "$(gpg -d "$gpg_file" 2> /dev/null)" | base64
}
Running keyreader ~/.secrets/.mysecret.gpg, after entering the password for the encrypted secret, it prints out the base64 encoded, decrypted secret, no output file.
Questions:
When gpg -d ~/.secrets/.mysecret.gpg is run, does gpg write a tmp file that would include the unencrypted .mysecret?
Why does gpg not output a file, .mysecret, when I use the above syntax? (ANSWER: the -d flag was used, again thank you JustinC).
Assuming I use the appropriate $HISTIGNORE identifier before running the command, how can I encrypt a string from the command line to a .gpg AES256 encrypted file without having first written it unencrypted to file?
For Q3, something like:
$ echo "secret info" | gpg --cipher-algo AES265 -c -o secrets_file.txt.gpg
instead of:
$gpg --cipher-algo AES265 -c secrets_file.txt
Again, #JustinC, thank you for your answer.
For completeness, here is my solution for encrypting/decrypting a string in memory only:
encryption:
# notice the space before echo here
# it is the default $HISTIGNORE flag which can be set in the ~/.bashrc
# it keeps this line from being written to the ~/.bash_history file
echo -n 'your secrets here' | gpg -c > ~/.secrets/.mysecret.gpg
# Enter passphrase:
decryption:
# 2> /dev/null: skip printing strerr
gpg -d ~/.secrets/.mysecrets.gpg 2> /dev/null
NB: If you get the error "inappropriate ioctl for device", you may be running on WSL and this may help you:
# https://d.sb/2016/11/gpg-inappropriate-ioctl-for-device-errors
echo -e "use-agent\npinentry-mode loopback" >> ~/.gnupg/gpg.conf
echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
echo RELOADAGENT | gpg-connect-agent
Are you sure gpg -d ~/.secrets/.mysecret.gpg writes decrypted file to disk? It does not for me.
You can use strace to check if any temporal file is created.
I sometimes prevent leaving password in bash history by typing:
PP=`cat`
secret-info ENTER Ctrl+D
echo $PP # will print "secret-info"
The secret-info string is sent to cat program, not to shell, so bash will not save it to history file.

Decrypt .gpg/.pgp file without a prompt

I've decrypted a file successfully using:
gpg --encrypt --recipient user#company.com myfile.txt
If I run the command below, I'm prompted for a passphrase, and decryption works:
gpg --output decrypted_myfile.txt -decrypt myfile.txt.gpg
I can't seem to get any form of non-interactive decryption working. The closest I've come is:
gpg --decrypt --batch --passphrase MYPASSPHRASE myfile.txt.gpg
This gives me:
gpg: encrypted with 2048-bit RSA key, ID F6CF3C25, created 2016-03-17
"Company_20210316 (Incoming Files) <user#company.com>"
gpg: public key decryption failed: Bad passphrase
gpg: decryption failed: No secret key
Is there a different way to do it?
Having error like:
gpg: decryption failed: No secret key
simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if:
gpg --list-secret-keys if it has a private key there and if not,
Import it and then trust it.
To trust, use:
gpg --key-edit <yourKey> then "trust" then "5" then "quit"
To get your keyID run:
gpg --edit-key <yourKey> then
On the first line you'll see: "Private key available"
Then two sub-keys on the left of the fist, you'll see similar to:
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your
E7E43C5C844E2917
So to explicitly export from where it was generated, the key to a file, you need to use that like this:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
This will create a secret key in a file ONLY, unlike if you use keyname in the export call. Then it will contain more than that.
Then to import use:
gpg --import yourSecretKey.asc
Then check your key in the list updated. Add a trust if needed.
Then line to decrypt copied from terminal of my MAC and tested works, w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt and
-o the same as --output
And the value of the passphrase is the actual value I used in my test to decrypt the above and not the variable. The same created during the time key generated, and actual recommendation is to use a longer set of characters but actually any number is accepted.
Having error like: gpg: decryption failed: No secret key simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if gpg -k (same as gpg --list-keys) has a private key there and import it and then trust it,
To add trust, use "1 to 5":
gpg --key-edit <yourKey>
then trust then 5 then `quit
To get your keyID run:
gpg --edit-key <yourKey>
then first line you'll see: Private key available
then two sub-keys on the left of the fist you'll see
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your <keyID> E7E43C5C844E2917
so, to explicitly export from where it was generated, the key to a file you need to use that like:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
this will create secret key in a file ONLY, unlike if you use keyname in the export call then it will contain more than that.
Then to import use:
gpg --import E7E43C5C844E2917
then check your key in the list updated. Add trust if needed.
Then line to decrypt copied from terminal of my MAC and tested works, w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt just like -o is the same as --output
You can try this command:
gpg --output File.txt --batch--passphrase-fd YourPassword --decrypt file.pgp

Tar and encrypt with OpenSSL and dump the result directly to an ssh server

I had a question where I asked about dumping a tar'ed folder to an SSH target. This is useful when backing up servers that have no enough disk space. The solution I got and it works, is this:
tar czv <stuff to backup> | ssh user#server.com 'cat > /home/user/backupfolder/backup.tar.gz'
But the problem now is that I usually pipe tar to openssl to encrypt my packages with
tar zcpf / | openssl des3 -salt | dd of=backup.des3
My question: Now I wanna do the same, but with dumping the resulting archive directly into the SSH target, as given in that answered question but with OpenSSL encryption.
I tried the following:
tar zcpf / | openssl des3 -salt | ssh user#backupserver.com 'cat > /some/dir/backup.tar.gz'
This causes a race between the password asked by OpenSSL and the password asked by ssh, which results in a problem making OpenSSL refuse the input password when repeating it.
Note: Using a public key for logging in without a password isn't considered a useful solution for my case. (EDIT: Also passing the password to OpenSSL is not a solution).
Is there a way to do this without problems? I see the solution as to have OpenSSL ask me about the password, and then ssh ask me about the password, with no racing between them.
Thanks in advance. If you require any additional details, please ask.
You can pass the password with pass argument to encryption.
This should prevent seeking of encryption password later in time and then clash with the password prompt for SSH.
tar zcpf / | openssl des3 -salt -pass pass:1234 | ssh user#backupserver.com 'cat > /some/dir/backup.tar.gz'
EDIT:
This answer does not suit the OP's requirement. The edit made later mentions that passing password as argument is not acceptable.
So I finally managed to create my own bash script that will do the job and fix the problem. Remember that the script has to be run as root if you want to backup the root folder. You can make it fancier by adding root checker at the beginning of the script.
#!/bin/bash
dirToBackup=/
targetDir=/path/to/encrypted/backup/file.des3
sshuser=user
sshserver=myserver.com
read -s -p "Enter Encryption Password: " mypassword1
printf "\n"
read -s -p "Repeat Encryption Password: " mypassword2
printf "\n"
#make sure the passwords match
if [ "$mypassword1" != "$mypassword2" ]
then
echo "Passwords don't match! Exiting."
exit
else
#if they match, make sure they're not empty
if [ -z "$mypassword1" ]
then
echo "Password cannot be empty... Exiting."
else
tar zcp $dirToBackup | openssl des3 -salt -pass pass:$mypassword1 | ssh ${sshuser}#${sshserver} "dd of=${targetDir}"
fi
fi

How to Export Private / Secret ASC Key to Decrypt GPG Files

Background: My boss has tried exporting an ASC key to me with public and private parts but whenever I get the file the private part never loads up and it won't decrypt any files.
We have tried Exporting the ASC Key using:
Windows Application Kleopatra 2.1 (included in gpg4win)
Windows Application GNU Privacy Assistant (included in gpg4win)
Error: "Decryption failed. Secret Key Not available."
How do you properly export a secret or private asc key to decrypt gpg files?
You can export the private key with the command-line tool from GPG. It works on the Windows-shell. Use the following command:
gpg --export-secret-keys
A normal export with --export will not include any private keys, therefore you have to use --export-secret-keys.
Edit:
To sum up the information given in my comments, this is the command that allows you to export a specific key with the ID 1234ABCD to the file secret.asc:
gpg --export-secret-keys --armor 1234ABCD > secret.asc
You can find the ID that you need using the following command. The ID is the second part of the second column:
gpg --list-keys
To Export just 1 specific secret key instead of all of them:
gpg --export-secret-keys keyIDNumber > exportedKeyFilename.asc
keyIDNumber is the number of the key id for the desired key you are trying to export.
All the above replies are correct, but might be missing one crucial step, you need to edit the imported key and "ultimately trust" that key
gpg --edit-key (keyIDNumber)
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
and select 5 to enable that imported private key as one of your keys
See the treatment by Dark Otter
https://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/
If the site is down use reference the archive.org backup:
https://web.archive.org/web/20170518155052/https://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/
which includes a reasonably secure way to transfer keys. You could put that recommendation into shell-scripts shown below for repeated use.
First get the KEYID you want from the list shown by
$ gpg -K
From the resulting list note the KEYID (the 8 hexadecimals following sec) you need for transfer.
Then envoke the tested shell scipts "export_private_key" on the first account and generate your pubkey.gpg + keys.asc. Subsequently invoke on the second account "import_private_key". Here is their content shown with cat (copy & paste content):
$ cat export_private_key
gpg -K
echo "select private key"
read KEYID
gpg --output pubkey.gpg --export $KEYID
echo REMEMBER THE COMING PASS-PHRASE
gpg --output - --export-secret-key $KEYID | \
cat pubkey.gpg - | \
gpg --armor --output keys.asc --symmetric --cipher-algo AES256
ls -l pubkey.gpg keys.asc
#################### E X P O R T _ P R I V A T E _ K E Y #####################
Now tranfer by some means the "pubkey.gpg" (if needed) and the private "keys.asc" to the second account and envoke the below-shown program.
$ cat import_private_key
gpg --no-use-agent --output - keys.asc | gpg --import
################### I M P O R T _ P R I V A T E _ K E Y ######################
In Otter's spirit "And that, should be, that".
I think you had not yet import the private key as the message error said, To import public/private key from gnupg:
gpg --import mypub_key
gpg --allow-secret-key-import --import myprv_key
this ended up working for me:
gpg -a --export-secret-keys > exportedKeyFilename.asc
you can name keyfilename.asc by any name as long as you keep on the .asc extension.
this command copies all secret-keys on a user's computer to keyfilename.asc in the working directory of where the command was called.
To Export just 1 specific secret key instead of all of them:
gpg -a --export-secret-keys keyIDNumber > exportedKeyFilename.asc
keyIDNumber is the number of the key id for the desired key you are trying to export.
Similar to #Wolfram J's answer, here is a method to encrypt your private key with a passphrase:
gpg --output - --armor --export $KEYID | \
gpg --output private_key.asc --armor --symmetric --cipher-algo AES256
And a corresponding method to decrypt:
gpg private_key.asc
1.Export a Secret Key (this is what your boss should have done for you)
gpg --export-secret-keys yourKeyName > privateKey.asc
2.Import Secret Key (import your privateKey)
gpg --import privateKey.asc
3.Not done yet, you still need to ultimately trust a key.
You will need to make sure that you also ultimately trust a key.
gpg --edit-key yourKeyName
Enter trust, 5, y, and then quit
Source: https://medium.com/#GalarnykMichael/public-key-asymmetric-cryptography-using-gpg-5a8d914c9bca

How do I remove the passphrase for the SSH key without having to create a new key?

I set a passphrase when creating a new SSH key on my laptop. But, as I realise now, this is quite painful when you are trying to commit (Git and SVN) to a remote location over SSH many times in an hour.
One way I can think of is, delete my SSH keys and create new. Is there a way to remove the passphrase, while still keeping the same keys?
Short answer:
$ ssh-keygen -p
This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).
If you would like to do it all on one line without prompts do:
$ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
Important: Beware that when executing commands they will typically be logged in your ~/.bash_history file (or similar) in plain text including all arguments provided (i.e. the passphrases in this case). It is, therefore, is recommended that you use the first option unless you have a specific reason to do otherwise.
Notice though that you can still use -f keyfile without having to specify -P nor -N, and that the keyfile defaults to ~/.ssh/id_rsa, so in many cases, it's not even needed.
You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.
$ ssh-keygen -p worked for me
Opened git bash. Pasted : $ ssh-keygen -p
Hit enter for default location.
Enter old passphrase
Enter new passphrase - BLANK
Confirm new passphrase - BLANK
BOOM the pain of entering passphrase for git push was gone.
Thanks!
You might want to add the following to your .bash_profile (or equivalent), which starts ssh-agent on login.
if [ -f ~/.agent.env ] ; then
. ~/.agent.env > /dev/null
if ! kill -0 $SSH_AGENT_PID > /dev/null 2>&1; then
echo "Stale agent file found. Spawning new agent… "
eval `ssh-agent | tee ~/.agent.env`
ssh-add
fi
else
echo "Starting ssh-agent"
eval `ssh-agent | tee ~/.agent.env`
ssh-add
fi
On some Linux distros (Ubuntu, Debian) you can use:
ssh-copy-id -i ~/.ssh/id_dsa.pub username#host
This will copy the generated id to a remote machine and add it to the remote keychain.
You can read more here and here.
To change or remove the passphrase, I often find it simplest to pass in only the p and f flags, then let the system prompt me to supply the passphrases:
ssh-keygen -p -f <name-of-private-key>
For instance:
ssh-keygen -p -f id_rsa
Enter an empty password if you want to remove the passphrase.
A sample run to remove or change a password looks something like this:
ssh-keygen -p -f id_rsa
Enter old passphrase:
Key has comment 'bcuser#pl1909'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
When adding a passphrase to a key that has no passphrase, the run looks something like this:
ssh-keygen -p -f id_rsa
Key has comment 'charlie#elf-path'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
On the Mac you can store the passphrase for your private ssh key in your Keychain, which makes the use of it transparent. If you're logged in, it is available, when you are logged out your root user cannot use it. Removing the passphrase is a bad idea because anyone with the file can use it.
ssh-keygen -K
Add this to ~/.ssh/config
UseKeychain yes
On windows, you can use PuttyGen to load the private key file, remove the passphrase and then overwrite the existing private key file.
In windows for me it kept saying
"id_ed25135: No such file or directory" upon entering above commands. So I went to the folder, copied the path within folder explorer and added "\id_ed25135" at the end.
This is what I ended up typing and worked:
ssh-keygen -p -f C:\Users\john\.ssh\id_ed25135
This worked. Because for some reason, in Cmder the default path was something like this C:\Users\capit/.ssh/id_ed25135 (some were backslashes: "\" and some were forward slashes: "/")
If you have set a passphrase before and is using mac, use the keychain instead, you'll need to enter your passpharase for the last time and that's it
ssh-add --apple-use-keychain ~/.ssh/id_rsa
Enter passphrase for /Users/{{user_name}}/.ssh/id_rsa:
Identity added: /Users/{{user_name}}/.ssh/id_rsa(/Users/{{user_name}}/.ssh/id_rsa)
If you are using Mac
Go to .ssh folder
update config file by adding "UseKeychain yes"

Resources