What is the SSH key passphrase used for?
When using ssh-keygen:
What is the passphrase for?
Why is it optional?
What are the security implications of specifying (or not specifying) one?
Below is an excerpt taken from a shell session (some details may have been altered):
user@localhost:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /user/.ssh/id_rsa.
Your public key has been saved in /user/.ssh/id_rsa.pub.
The key fingerprint is:
60:8b:50:1e:0f:bc:5a:2a:13:1e:83:2b:d9:95:38:9e user@localhost
The key's randomart image is:
+---[RSA 2048]----+
| .+ |
| o.+ |
|. ...o+ |
|ooo.=o o |
|.*oB. . S |
|*.E |
|.o |
| |
| |
+-----------------+
Here's the answer I was looking for myself, and could not find until I experimented with both having and not having a passphrase:
When the private key is encrypted, you have to enter the SSH key passphrase every time you need to use it.
Then I learned about the "ssh-agent" daemon/service that can cache the credentials once per login. When I went through this, I was establishing my Gitlab.com connection.
Here is the script of my trying both.
Microsoft Windows [Version 10.0.19042.985]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>where ssh-keygen
C:\Windows\System32\OpenSSH\ssh-keygen.exe
C:\Users\Administrator>ssh-keygen -t rsa -b 2048 -C "XXXXXXXXXXXX"
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\Administrator/.ssh/id_rsa):
Created directory 'C:\Users\Administrator/.ssh'.
Enter passphrase (empty for no passphrase): <===== here I did NOT use a passphrase
Enter same passphrase again:
Your identification has been saved in C:\Users\Administrator/.ssh/id_rsa.
Your public key has been saved in C:\Users\Administrator/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:------------------------------------------- XXXXXXXXXXXX
The key's randomart image is:
+---[RSA 2048]----+
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
| xxxxxxxxxxxxx |
+----[SHA256]-----+
C:\Users\Administrator>cat %userprofile%/.ssh/id_rsa.pub | clip
NOTE:
NOTE: at this point I navigated to gitlab in my browser, and pasted the key
NOTE:
C:\Users\Administrator>ssh -T git@gitlab.com
The authenticity of host 'gitlab.com (172.65.251.78)' can't be established.
ECDSA key fingerprint is SHA256:-------------------------------------------.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'gitlab.com,172.65.251.78' (ECDSA) to the list of known hosts.
Welcome to GitLab, @!
C:\Users\Administrator>ssh -T git@gitlab.com
Welcome to GitLab, @!
C:\Users\Administrator>ssh-keygen -p
Enter file in which the key is (C:\Users\Administrator/.ssh/id_rsa):
Key has comment 'XXXXXXXXXXXX'
Enter new passphrase (empty for no passphrase): <===== here I DID use a passphrase
Enter same passphrase again:
Your identification has been saved with the new passphrase.
NOTE:
NOTE: now I'm prompted every time
NOTE:
C:\Users\Administrator>ssh -T git@gitlab.com
Enter passphrase for key 'C:\Users\Administrator/.ssh/id_rsa':
Welcome to GitLab, @!
C:\Users\Administrator>ssh -T git@gitlab.com
Enter passphrase for key 'C:\Users\Administrator/.ssh/id_rsa':
Welcome to GitLab, @!
NOTE:
NOTE: set up the service to run (it is disabled by default)
NOTE:
C:\Users\Administrator>sc config ssh-agent start= auto
[SC] ChangeServiceConfig SUCCESS
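What the transcript above shows from the outside (no prompt, then a prompt after `ssh-keygen -p`) is visible inside the key file itself: the modern OpenSSH private-key container (`-----BEGIN OPENSSH PRIVATE KEY-----`, documented in OpenSSH's PROTOCOL.key) starts with a header that names the cipher and the key-derivation function. An unprotected key records `none`/`none`; a passphrase-protected key records a cipher (ssh-keygen's default is `aes256-ctr`) and `bcrypt` with a salt and a round count (the `-a` flag). The following is an added example, not code from the original question or answer: it parses that header so you can audit whether a key on disk is actually encrypted, and builds two constructed sample containers (dummy key material, assumed 16-byte zero salt and an assumed round count) so it runs offline. The function and sample names are the example's own.

```python
import base64
import struct
from typing import Dict, Optional

# Armor lines and magic from OpenSSH's PROTOCOL.key ("openssh-key-v1" format).
HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read an SSH 'string' (uint32 big-endian length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def _put_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string'."""
    return struct.pack(">I", len(data)) + data


def inspect_openssh_private_key(text: str) -> Dict[str, Optional[object]]:
    """Return cipher/KDF details from an OpenSSH private key without decrypting it.

    Only the unencrypted header is parsed, so this works on a passphrase-protected
    key and never needs (or sees) the passphrase.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not an OpenSSH-format private key (legacy PEM or other file)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic: not openssh-key-v1")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)      # "none" or e.g. "aes256-ctr"
    kdf, off = _read_string(blob, off)         # "none" or "bcrypt"
    kdfopts, off = _read_string(blob, off)     # empty, or string salt + uint32 rounds
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    rounds = None
    if kdf == b"bcrypt":
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "encrypted": cipher != b"none",   # the passphrase prompt exists iff this is True
        "kdf_rounds": rounds,
        "nkeys": nkeys,
    }


def build_sample_key(cipher: bytes, kdf: bytes, rounds: int = 16) -> str:
    """Constructed sample: a syntactically valid openssh-key-v1 container.

    The public-key and private-section payloads are placeholder bytes (assumption:
    only the header matters for this check), and the bcrypt salt is 16 zero bytes.
    """
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _put_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (MAGIC
            + _put_string(cipher) + _put_string(kdf) + _put_string(kdfopts)
            + struct.pack(">I", 1)                     # one key in the file
            + _put_string(b"dummy-public-key")
            + _put_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{HEADER}\n{body}\n{FOOTER}\n"


if __name__ == "__main__":
    # Mirrors the two states in the transcript: before and after `ssh-keygen -p`.
    for label, cipher, kdf in (("no passphrase", b"none", b"none"),
                               ("with passphrase", b"aes256-ctr", b"bcrypt")):
        print(label, inspect_openssh_private_key(build_sample_key(cipher, kdf)))
```

Point `inspect_openssh_private_key` at the contents of a real `~/.ssh/id_*` file to check it; `encrypted` being `False` means anyone who copies the file can use the key with no further effort, which is the risk the passphrase is there to mitigate, and `kdf_rounds` tells you how much work an offline passphrase-guessing attack costs per attempt.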