Generating Keys Without a Passphrase with OpenSSH, PuTTY, and OpenSSL

Last updated: March 18, 2024

Reviewed by: Michal Aibin

1. Introduction

Passwords are meant to increase security. However, security and convenience are usually inversely proportional. Because of this, we might not always want to use passwords when there are other means of protection, like partition encryption, directory encryption, or even file encryption. In fact, these can be useful when storing keys for the SSH protocol.

In this tutorial, we’ll look at ways to generate an SSH private key without a passphrase. First, we explore the interactive and automatic options of two major SSH toolkits. After that, we turn to a versatile security suite to generate a passwordless key.

For brevity and security reasons, we only consider the newest iteration of SSH version 2 (SSHv2) as implemented by OpenSSH and PuTTY. While we only use RSA as the example encryption algorithm, the concepts are valid for most other options.

We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4, OpenSSH 8.4p1, PuTTY 0.77, and OpenSSL 1.1.1n. It should work in most POSIX-compliant environments.

2. Using OpenSSH to Generate Keys Without a Password

When generating keys with the ssh-keygen tool from the OpenSSH suite, we can either do it interactively or automatically.

2.1. Interactive ssh-keygen

After running ssh-keygen directly, the utility presents us with three prompts:

$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baeldung/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/baeldung/.ssh/id_rsa
Your public key has been saved in /home/baeldung/.ssh/id_rsa.pub
The key fingerprint is:
[...]

Here, we configure our key with a path at the first prompt and a passphrase and confirmation at the following two prompts. By default, the key is encrypted with 3072-bit RSA and hashed via SHA-256.

Actually, we can press Return at all three prompts to use defaults: the .ssh directory in $HOME and an empty password meaning no password protection. Further, we can do the same with no interaction.

2.2. Automatic ssh-keygen

As long as we supply at least the two mandatory parameters to ssh-keygen, we can generate a key with a single command without any further user input:

$ ssh-keygen -f OUTKEYFILE -N 'PASSWORD'
Generating public/private rsa key pair.
Your identification has been saved in OUTKEYFILE
Your public key has been saved in OUTKEYFILE.pub
The key fingerprint is:
[...]
$

Here, we added two options:

  • -f with the output key path and name
  • -N with the (new) key password

The empty string after -N tells ssh-keygen that we don’t want the key to be password-protected. Importantly, using an empty -N argument in production environments is discouraged.

3. Using PuTTY to Generate Keys Without a Password

If we rely on the puttygen tool from the PuTTY suite to generate our keys, we still have interactive and automatic options.

However, in this case, the type of key and output file paths are mandatory.

3.1. Interactive puttygen

Naturally, running puttygen with the minimum number of arguments again requests the passphrase via prompts:

$ puttygen -t rsa -o OUTKEYFILE
[...]
Enter passphrase to save key:
Re-enter passphrase to verify:

Here, we only need to enter a password, as the path is on the command line after -o, while the type (RSA) is after -t. Similar to ssh-keygen, puttygen accepts empty inputs at the prompts and takes them to mean the user doesn’t want to password-protect the key.

Let’s see how we can avoid the prompts altogether.

3.2. Automatic puttygen

By supplying the key type, output path, and passphrase in the command, we can avoid interactive prompts and setup password protection with puttygen:

$ puttygen -t rsa -o OUTKEYFILE --new-passphrase PASSWORDFILE
[...]
$

Notably, this requires some extra steps, as –new-passphrase expects a file and uses its contents. Of course, we can go that way, but it’s not very secure to save production passwords on non-temporary filesystems.

Still, when we just use an empty string, meaning we don’t want password protection for the key, there are other options:

  • process substitution
  • /dev/null

In the first case, our argument to –new-passphrase can be <(echo ”), while the section option just uses /dev/null directly. Either way, we supply an empty string resulting in no password for our key.

4. Using OpenSSL to Generate Keys Without a Password

Unlike ssh-keygen and puttygen, the openssl tool doesn’t use any interactive prompts by default when generating keys. In fact, openssl doesn’t even provide a prompt or requirement for the key’s password if we don’t specify the respective options.

To demonstrate, let’s use the genrsa subcommand to generate RSA keys:

$ openssl genrsa -out OUTKEYFILE
Generating RSA private key, 2048 bit long modulus (2 primes)
[...]
$

In this case, we also use the optional -out argument to save the key to OUTKEYFILE instead of printing it to stdout. By default, the key doesn’t have a password.

Now, if we do, in fact, want to set a passphrase, OpenSSL has several options for that.

5. Summary

In this article, we generated passwordless SSH keys with three common tools.

In conclusion, while password protection is strongly recommended for private key files, not all settings require it.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.