How to replace the ssh private-public key pair?
If I feel my original ssh was compromised, because someone has the passphrase, do I need to replace the private and public key-pair, or only change the passphrase? Which one is the solution, and how do I do it?
thanks
ssh
asked Jun 1 at 19:57 by pileup
1 Answer
If you know that someone has the passphrase, he probably used your ssh key. If that is the case, there is probably no way for you to know whether that person copied your ssh key or not. If that person has a copy of your key and you change the passphrase on your key, the copy obviously still uses the old passphrase and is therefore usable by that person. So, to be on the safe side, I would recommend replacing your ssh key.

You can generate a new key by running

```
ssh-keygen -f ~/.ssh/new-key
```

This will create a new ssh key in `~/.ssh/new-key`.

Don't forget to not just create a new key but to remove your old key from all machines that have it.

Update: To do that, first make a list of all machines you can access with that ssh key. Then, for each of these machines, do the following:

```
user@local:~$ ssh someuser@somemachine
someuser@somemachine:~$ nano .ssh/authorized_keys
```

Edit that file and do the following:

- Remove the line containing your old ssh key. If there is only one line, that is easy; if not, look for a line that ends with the same cryptic letters as your old public key. You can see your old public key by executing `cat ~/.ssh/id_rsa.pub` on your local machine (assuming your old key is `id_rsa`; if not, you have to adjust the command). To delete a line in `nano`, simply press Ctrl+K.
- Add your new public key to that file. You find the new public key on your local machine using `cat ~/.ssh/new-key.pub`. Copy the whole line verbatim to the file as a single line.
- Save the file by pressing Ctrl+O, Enter, and Ctrl+X to exit `nano`.

Then test if you can access the machine with your new key without closing the existing connection (so you are still connected in case something goes wrong).

```
user@local:~$ ssh -i ~/.ssh/new-key someuser@somemachine
```

If this works and you are connected to the remote machine, you have successfully replaced your ssh key on that machine. Now continue with the next machine. Repeat until done.

You may be able to automate this whole process a bit:

```
ssh-copy-id -i ~/.ssh/new-key.pub someuser@somemachine
ssh -i ~/.ssh/new-key someuser@somemachine "sed -i.bak '/$(cut -d' ' -f2 ~/.ssh/id_rsa.pub | sed 's~/~\\/~g')/d' ~/.ssh/authorized_keys"
```

But I take no guarantee that this will work and not lock you out of some machines. Use at your own risk!

What it does is use `ssh-copy-id` to copy over your new key and `sed` to remove your old key from the `authorized_keys` file. `$(cut -d' ' -f2 ~/.ssh/id_rsa.pub | sed 's~/~\\/~g')` adds your old public key to the command so it is able to search for it and takes care to escape slashes. `/some-string/d` removes all lines matching the string (in our case your old key) from the file.

Do this only if you have a lot of machines to change your key on, and test it first on a machine you have physical access to or some other way to restore access if things go wrong. End of Update

After you replaced your old key you may rename your key to `~/.ssh/id_rsa` so `ssh` finds it automatically. You might want to keep a backup of your old key in case you forgot a system to which you would otherwise not have access any more.

Update: to do so, simply run:

```
cd ~/.ssh
mv id_rsa id_rsa_old
mv id_rsa.pub id_rsa_old.pub
mv new-key id_rsa
mv new-key.pub id_rsa.pub
```

If you need to use your old key for something again, you can use `ssh -i ~/.ssh/id_rsa_old` to use it. Don't forget to add your new key to that machine and remove the old key.
Thank you. May you please let me know how I delete the old key as well, or rename the newly created key? I am fairly new with Linux commands, and I don't want to break the server.
– pileup, Jun 2 at 7:28
answered Jun 1 at 20:18 by Lienhart Woitok, edited Jun 2 at 8:15
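The manual `nano` edit and the `sed` one-liner in the answer both remove the old key by searching for its text. The following is an added example, not code from the answer or from Ask Ubuntu, that does the same rotation on an `authorized_keys` file by comparing whole key-material fields instead of a regex, so that base64 characters such as `/` and `+` need no escaping, a line with an options prefix like `command="..."` in front of the key is still caught, and a key whose base64 merely starts with the old key's text is left alone. The function names (`key_blob`, `file_has_blob`, `rotate_authorized_keys`) and the sample files in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the answer): rotate an SSH public key in an
# authorized_keys file by exact key-material match instead of a sed regex.
# Works on a local copy of the file, so it can be tried before touching a server.
set -eu

# awk helper: does any whitespace-separated field of the current line equal b?
# Comparing whole fields means neither an options prefix (command="...") nor a
# key whose base64 is a prefix of another can produce a wrong match.
AWK_HAS='function has(b, i) { for (i = 1; i <= NF; i++) if ($i == b) return 1; return 0 }'

# key_blob PUBFILE: print the base64 key material (second field) of the first
# line of a public key file as written by ssh-keygen ("type blob comment").
key_blob() {
    awk 'NR == 1 { print $2; exit }' "$1"
}

# file_has_blob AUTH_FILE BLOB: exit 0 if some line of AUTH_FILE carries BLOB.
file_has_blob() {
    awk -v b="$2" "$AWK_HAS"'
        has(b) { found = 1 } END { exit !found }' "$1"
}

# rotate_authorized_keys AUTH_FILE OLD_PUB NEW_PUB
#   1. keeps a .bak copy of AUTH_FILE (the answer's sed -i.bak does the same)
#   2. drops every line carrying OLD_PUB's key material
#   3. appends NEW_PUB once (running it twice does not duplicate the key)
#   4. refuses to install a result that does not contain the new key, since
#      that is exactly the lock-out the answer warns about
rotate_authorized_keys() {
    auth="$1"; old_pub="$2"; new_pub="$3"
    old_blob=$(key_blob "$old_pub")
    new_blob=$(key_blob "$new_pub")
    if [ -z "$old_blob" ] || [ -z "$new_blob" ]; then
        echo "could not read key material from $old_pub or $new_pub" >&2
        return 1
    fi
    tmp="$auth.tmp.$$"
    cp -p "$auth" "$auth.bak"
    # keep only lines that do NOT carry the old key material
    awk -v b="$old_blob" "$AWK_HAS"'
        !has(b)' "$auth" > "$tmp"
    if ! file_has_blob "$tmp" "$new_blob"; then
        printf '%s\n' "$(head -n 1 "$new_pub")" >> "$tmp"
    fi
    if ! file_has_blob "$tmp" "$new_blob" || ! [ -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to install an authorized_keys without the new key" >&2
        return 1
    fi
    chmod 600 "$tmp"
    mv "$tmp" "$auth"
}

# Typical use on a copy fetched from a host (file names are constructed):
#   rotate_authorized_keys ./authorized_keys ~/.ssh/id_rsa.pub ~/.ssh/new-key.pub
```

As in the answer, install the new key and confirm `ssh -i ~/.ssh/new-key` works from a second session before the rewritten file replaces the one on the host; the function only guarantees that the file it writes contains the new key, not that the new private key on your side is the right one.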