putty - Unable to Change Password for Private SSH Key

06
2013-08
  • kgrote

    I'm running PuTTY Pageant on Windows, and I used it to generate a private SSH key with a .ppk extension.

    Now I want to change the password to that key, so I opened my Git bash terminal, cd'd to my .ssh directory, and typed:

    ssh-keygen -f private.ppk -p
    

    It then asks me to enter my old passphrase, but after entering it, it says "Bad passphrase." I'm absolutely certain I'm entering the passphrase correctly.

    Does Pageant do some weird encryption with the SSH keys it generates so I can't update the password? The password works fine when unlocking the key within Pageant, and the key itself works fine, too.

  • Answers
  • larsks

    PuTTY does not store keys in an OpenSSH-compatible format. You need to use the "puttygen" tool to manipulate your private key.

    (via this document, via Google):

    To change or set a passphrase on an SSH key under PuTTY, do the following:

    1. Run the puttygen.exe program.
    2. Click on the "Load" button.
    3. Select the private key file that you want to put a passphrase on.
    4. Enter the new desired passphrase in the "Key passphrase" and "Confirm Passphrase" fields.
    5. Click on the "Save private key" button. Overwrite the existing copy of your key.
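The format mismatch described in this answer can be checked from the Git bash prompt before choosing a tool. The script below is an added example, not part of the original posts: it reads a key file's header lines and reports the format and which tool can change its passphrase. The function names `key_format` and `passphrase_tool` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a key file by its header lines only.
# No key material is parsed and no passphrase is requested.
key_format() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    first=$(head -n 1 "$1" | tr -d '\r')
    case $first in
        PuTTY-User-Key-File-*)
            # PPK header looks like "PuTTY-User-Key-File-2: ssh-rsa"
            ver=${first#PuTTY-User-Key-File-}
            ver=${ver%%:*}
            enc=$(sed -n 's/^Encryption: *//p' "$1" | head -n 1 | tr -d '\r')
            if [ "$enc" = "none" ]; then echo "ppk-v$ver unencrypted"
            else echo "ppk-v$ver encrypted"; fi ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "openssh" ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Legacy PEM marks encryption with a Proc-Type header,
            # PKCS#8 with an "ENCRYPTED PRIVATE KEY" label.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
               [ "$first" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ]
            then echo "pem encrypted"
            else echo "pem unencrypted"; fi ;;
        ssh-*|ecdsa-*)
            echo "public" ;;   # public keys never carry a passphrase
        *)
            echo "unknown" ;;
    esac
}

# Which tool can change the passphrase on this file?
passphrase_tool() {
    fmt=$(key_format "$1") || true
    case $fmt in
        ppk-*)        echo "puttygen" ;;    # ssh-keygen -p cannot read PPK
        openssh|pem*) echo "ssh-keygen" ;;
        *)            echo "none" ;;
    esac
}

# Constructed sample: PPK header lines only (key body omitted).
demo=$(mktemp)
printf '%s\n' 'PuTTY-User-Key-File-2: ssh-rsa' 'Encryption: aes256-cbc' \
    'Comment: constructed-sample' > "$demo"
echo "$(key_format "$demo") -> $(passphrase_tool "$demo")"
rm -f "$demo"
```
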

  • Related Question

    linux - SSH key asking me for a passphrase?
  • llaskin

    I have a public/private key pair. Neither of them has any sort of passphrase associated with it.

    Whenever I try to ssh using either the private or public (and I'm pretty sure I should only be using the public key), I get queried for a passphrase, and then of course can't connect up.

    Anyone have any idea how to get around this? Am I typing some command incorrectly? I am trying to ssh into a server that I have set up in my ~/.ssh/config file (correctly, since this exact same setup works on another server) with the key stored in ~/.ec2/key.ppk.

    I've also tried using puttygen.exe to generate a new private key WITH a passphrase, and then using that key, and when I type the passphrase, it still fails.


  • Related Answers
  • mrverrall

    First off, it's the private key that will have the pass-phrase. This validates against the public key stored on the remote server.

    Best guess is that you are trying to use a PuTTY private key (ppk) format with OpenSSH; this doesn't work. PuTTYgen has an export option for OpenSSH if this is the case.

    ssh-rsa AAAAB3NzaC1y...... etc

    I also assume that the server you are trying to ssh to has your public key stored correctly in the authorized key file (in ~/.ssh/authorized_keys generally).

    Another guess would be that the correct key isn't being selected. Some things I would try are:

    Resetting the key's pass-phrase using ssh-keygen, like this...

    $ ssh-keygen -f ~/.ec2/key.ppk -p

    This will confirm if in fact your key does (or does not) have a pass-phrase on it already.

    Secondly, I'd try connecting using verbose output, specifying your public key explicitly:

    $ ssh host -i ~/.ec2/key.ppk -vvv

    This will give you more of an idea of what is going on.

  • JohnMcG

    When you set up your public key, you probably (perhaps inadvertently) set it up with a passphrase.

    You probably need to start fresh -- I haven't used puttygen, but you can delete (or rename) the public key in your .ssh directory, use ssh-keygen to generate a new one (being sure not to provide a passphrase), and then share the public_key out to the authorized_keys file on the server you're trying to connect to.

    You may need to also remove your old passphrase-key from the authorized-keys file on the server you're connecting to.

  • TD1

    One thing to check: if your sshd_config file has StrictModes=yes, then the $HOME directory or $HOME/.ssh directory must not be world writable to group or other. Otherwise authentication fails no matter what.

  • dfrankow

    You could run ssh-agent. See here for a discussion.

    The short version that worked for me (in bash):

    $ ssh-agent
    SSH_AUTH_SOCK=/tmp/ssh-rnRLi11880/agent.11880; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=11881; export SSH_AGENT_PID;
    echo Agent pid 11881;
    

    I took the 3 lines it echoes out, and executed them. Another way to do that is take the output of -s:

    $ eval `ssh-agent -s`
    

    Then I added my credentials to it:

    $ ssh-add ~/.ssh/id_rsa
    Enter passphrase for /home/me/.ssh/id_rsa: 
    Identity added: /home/me/.ssh/id_rsa (/home/me/.ssh/id_rsa)
    

    Now the agent supplies the credentials instead of me having to type in my passphrase.

    I believe ssh-agent goes away when the shell does, so this should be scripted upon startup for maximum convenience. The link I shared describes scripting as well.