openssh-portable

ssh-keygen: New option -G for removing a key passphrase

Open kixorz opened this issue 3 years ago • 4 comments

Hello, I ran into a problem with ssh-keygen while using it from PowerShell. I needed to remove a passphrase from my private key and I determined there's no clean way to do so with the current ssh-keygen options and interface.

I fixed the problem by introducing a new -G option/switch that simply uses an empty passphrase from an internal empty string.

Consider the following example:

Start-Process -FilePath "C:\Program Files\OpenSSH\ssh-keygen.exe" -ArgumentList ("-p", "-f", "C:\Users\Administrator\.ssh\id_rsa", "-P", "<current passphrase>", "-N", "") 

The last argument, which is the new passphrase, is empty.

Start-Process : Cannot validate argument on parameter 'ArgumentList'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

With this change applied the code becomes:

Start-Process -FilePath "C:\Program Files\OpenSSH\ssh-keygen.exe" -ArgumentList ("-p", "-f", "C:\Users\Administrator\.ssh\id_rsa", "-P", "<current passphrase>", "-G") 

and the process to remove a passphrase becomes straightforward even from PowerShell.

Please consider suggesting changes or merging this change.

kixorz, Nov 24 '22 05:11

> introducing a new -G option/switch

ssh-keygen option letters are a scarce resource.

> Start-Process : Cannot validate argument on parameter 'ArgumentList'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

That very much sounds like a bug in PowerShell. Bourne-type shells have been able to do this for roughly half a century.

daztucker, Nov 24 '22 05:11

Thanks for your comment. I agree on the first point. On the second point I think it's some PowerShell design decision.

I have considered a change that wouldn't require a new option, but it would change the behavior of the -N option and I think that would have been unpopular.

kixorz, Nov 25 '22 15:11

> Thanks for your comment. I agree on the first point. On the second point I think it's some PowerShell design decision.

Reading some of the PowerShell issues, e.g. https://github.com/MicrosoftDocs/PowerShell-Docs/issues/7701, it seems like it might be the API PowerShell uses (CommandLineToArgvW). If I'm reading that right, I think that adding a second set of quotes (i.e. -N "''") will get them passed to CommandLineToArgvW, which should do what you want.

> I have considered a change that wouldn't require a new option, but it would change the behavior of the -N option and I think that would have been unpopular.

Yeah that's a non-starter.

daztucker, Nov 25 '22 20:11

Thanks for the suggestion and confirmation of my thoughts around changing -N. I already went through testing various workarounds, including the one you're suggesting:

Start-Process -FilePath "C:\Program Files\OpenSSH\ssh-keygen.exe" -ArgumentList ("-p", "-f", "C:\users\Administrator\.ssh\id_rsa", "-P", "asdf", "-N", "''")

It unfortunately just sets the new passphrase to '' (two single quotes).

kixorz, Nov 26 '22 01:11
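
Added example, not part of the thread and not OpenSSH or PowerShell code: a Python model of why the '' workaround stored two single quotes as the passphrase. It assumes Start-Process joins the ArgumentList elements with single spaces and adds no quoting (as its documentation describes) and that the child splits its command line by the Microsoft C runtime rules, where only the double quote is a quoting character; all function names are hypothetical and the sample arguments are constructed from the commands above.

```python
# Added model (not OpenSSH or PowerShell code); all names are hypothetical.
def start_process_cmdline(argument_list):
    """Assumed Start-Process behaviour: reject empty elements, join with spaces."""
    if any(not a for a in argument_list):
        raise ValueError("The argument is null or empty.")
    return " ".join(argument_list)

def split_args(cmdline):
    """Split a Windows argument string by the Microsoft C runtime quoting rules."""
    args, cur, in_quotes, started = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            run = len(cmdline[i:]) - len(cmdline[i:].lstrip("\\"))
            j = i + run
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))   # 2n backslashes -> n
                if run % 2:                     # odd run escapes the quote
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)          # literal backslashes
            started, i = True, j
        elif ch == '"':
            if in_quotes and cmdline[i + 1:i + 2] == '"':
                cur.append('"')                 # "" inside quotes -> one "
                i += 1
            else:
                in_quotes = not in_quotes       # opens or closes a quoted run
            started, i = True, i + 1
        elif ch in " \t" and not in_quotes:
            if started:                         # end of one argument
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(ch)                      # includes ' which is not special
            started, i = True, i + 1
    if started:
        args.append("".join(cur))
    return args

# Constructed sample values mirroring the thread's commands.
BASE = ["-p", "-f", r"C:\Users\Administrator\.ssh\id_rsa", "-P", "asdf", "-N"]

def new_passphrase(last_element):
    """Value the child would receive after -N for a given last element."""
    return split_args(start_process_cmdline(BASE + [last_element]))[-1]
```

Under this model, an element consisting of two double-quote characters passes the non-empty check and reaches the child as an empty argument, while two single quotes arrive unchanged.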