Passwords are meant to increase security. However, security and convenience are usually inversely proportional. Because of this, we might not always want to use passwords when there are other means of protection, like partition encryption, directory encryption, or even file encryption. In fact, these can be useful when storing keys for the SSH protocol.
In this tutorial, we’ll look at ways to generate an SSH private key without a passphrase. First, we explore the interactive and automatic options of two major SSH toolkits. After that, we turn to a versatile security suite to generate a passwordless key.
For brevity and security reasons, we only consider the newest iteration of SSH version 2 (SSHv2) as implemented by OpenSSH and PuTTY. While we only use RSA as the example encryption algorithm, the concepts are valid for most other options.
We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4, OpenSSH 8.4p1, PuTTY 0.77, and OpenSSL 1.1.1n. It should work in most POSIX-compliant environments.
2. Using OpenSSH to Generate Keys Without a Password
2.1. Interactive ssh-keygen
After running ssh-keygen directly, the utility presents us with three prompts:
$ ssh-keygen ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/baeldung/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/baeldung/.ssh/id_rsa Your public key has been saved in /home/baeldung/.ssh/id_rsa.pub The key fingerprint is: [...]
Actually, we can press Return at all three prompts to use defaults: the .ssh directory in $HOME and an empty password meaning no password protection. Further, we can do the same with no interaction.
2.2. Automatic ssh-keygen
As long as we supply at least the two mandatory parameters to ssh-keygen, we can generate a key with a single command without any further user input:
$ ssh-keygen -f OUTKEYFILE -N 'PASSWORD' Generating public/private rsa key pair. Your identification has been saved in OUTKEYFILE Your public key has been saved in OUTKEYFILE.pub The key fingerprint is: [...] $
Here, we added two options:
- -f with the output key path and name
- -N with the (new) key password
The empty string after -N tells ssh-keygen that we don’t want the key to be password-protected. Importantly, using an empty -N argument in production environments is discouraged.
3. Using PuTTY to Generate Keys Without a Password
However, in this case, the type of key and output file paths are mandatory.
3.1. Interactive puttygen
Naturally, running puttygen with the minimum number of arguments again requests the passphrase via prompts:
$ puttygen -t rsa -o OUTKEYFILE [...] Enter passphrase to save key: Re-enter passphrase to verify:
Here, we only need to enter a password, as the path is on the command line after -o, while the type (RSA) is after -t. Similar to ssh-keygen, puttygen accepts empty inputs at the prompts and takes them to mean the user doesn’t want to password-protect the key.
Let’s see how we can avoid the prompts altogether.
3.2. Automatic puttygen
By supplying the key type, output path, and passphrase in the command, we can avoid interactive prompts and setup password protection with puttygen:
$ puttygen -t rsa -o OUTKEYFILE --new-passphrase PASSWORDFILE [...] $
Notably, this requires some extra steps, as –new-passphrase expects a file and uses its contents. Of course, we can go that way, but it’s not very secure to save production passwords on non-temporary filesystems.
Still, when we just use an empty string, meaning we don’t want password protection for the key, there are other options:
In the first case, our argument to –new-passphrase can be <(echo ”), while the section option just uses /dev/null directly. Either way, we supply an empty string resulting in no password for our key.
4. Using OpenSSL to Generate Keys Without a Password
Unlike ssh-keygen and puttygen, the openssl tool doesn’t use any interactive prompts by default when generating keys. In fact, openssl doesn’t even provide a prompt or requirement for the key’s password if we don’t specify the respective options.
To demonstrate, let’s use the genrsa subcommand to generate RSA keys:
$ openssl genrsa -out OUTKEYFILE Generating RSA private key, 2048 bit long modulus (2 primes) [...] $
In this case, we also use the optional -out argument to save the key to OUTKEYFILE instead of printing it to stdout. By default, the key doesn’t have a password.
Now, if we do, in fact, want to set a passphrase, OpenSSL has several options for that.
In this article, we generated passwordless SSH keys with three common tools.
In conclusion, while password protection is strongly recommended for private key files, not all settings require it.