How to find my passphrase? - web-services

I try to do as described here - Adding or changing a passphrase -
ssh-keygen -p
# Start the SSH key creation process
# Enter file in which the key is (/Users/you/.ssh/id_rsa): [Hit enter]
# Key has comment '/Users/you/.ssh/id_rsa'
# Enter new passphrase (empty for no passphrase): [Type new passphrase]
# Enter same passphrase again: [One more time for luck]
# Your identification has been saved with the new passphrase.
but I'm not sure about my passphrase.
I have under - C:\Users\XXXX\.ssh the two related files -
id_rsa.pub -
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1VSOsednPUPolm08iQ1lIkaJrThIZ2l4cMUSWbyPaVYRVECrRhbLogHlPRpD4//wU3oskdmckdkdjkdlacQ3hQljEv1yLCA6tK5suOz3qn8Q5JGeD9FuL066yrwD+cOEeRGgPf+1fmx+v4rD8lHwT2BgtIThHtNlQGMhW/K64nZl98lyn3HMrrlL94is70VstVu6Yx9r4mFOi/GYdMZFDwUEWiI2t8aWtLRakKws5tcxgJ57zuLsXMk7d8nayYYLeH1SaP29px98Mo4VOF21maznwqhAgtbDgEEbic3D1Rbdnxj6h/DgolaMOTQ== dsmskdmc#gmail.com
github_rsa.pub -
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzsrncWjrpJMl18Tmodm7Jv1MdfY7v4NjDNjt1CfwJ/6z7agtKcn44016EYdPHNl7nM9czxczxczxczczfdfdcxcxcxBqjsKMUQb6p2hV5WGJQJysUSEA3y7s/mDW5QoHBbB0sx4a6a0C5hQi3FIn5seAfiWxTSXQHBWReLgR+EtnvdqVRIhqYgmEQ16CCr9XcVLbdByZlTCWQpD7Sldp6ocgwXlKIY/WQyhaIL8EMfhoMZofTaGXkLfVwww7hIuFDiaR2IOq9PxbZfn3wH+BSbvmpsl+RPVM1zcwEPdse+YceubJDMrSBP0GdQ== dsdsds#dsdsL-THINK
Can I restore the passphrase from the above, or do you have any other suggestion?
UPDATE:
Following @IdanArye's answer, I did the following -
Deleted all previous passwords -
Add new SSH key according to the content in the id_rsa.pub file -
Back to my question: what do I have to do now to reveal my passphrase?
Still I get -
C:\Users\XXX\Documents\GitHub> ssh-keygen -p
Enter file in which the key is (/c/Users/XXXX/.ssh/id_rsa):
Enter old passphrase:
Bad passphrase.
when I enter the newly generated SSH key.
Update 2:
Again, following @IdanArye's update, I did the following in the Git Shell -
C:\Users\XXXX\Documents\GitHub> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/XXXX/.ssh/id_rsa):
/c/Users/XXXXXX/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /c/Users/XXXX/.ssh/id_rsa.
Your public key has been saved in /c/Users/Uriel/.ssh/id_rsa.pub.
The key fingerprint is:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TTTTTT#UUUUUUU-THINK
C:\Users\XXXXXX\Documents\GitHub>
1) Is what I entered here considered my new passphrase?
2) From here, how do I generate a new set of public key, private key and passphrase?

You can't. At least - I hope you can't. If you could, that would mean the whole passphrase mechanism is broken, since anyone who has your private key file will be able to reset or restore your passphrase and use your private key.
True - other people shouldn't get hold of your private key file in the first place - but that's not always feasible, and that's why you use a passphrase as another layer of security.
Instead of trying to restore your passphrase, you should consider creating a new RSA key. If you only use it for GitHub you can just update your new public key at https://github.com/settings/ssh. If you use it with other sites you should also update it there - if you forgot your passphrase, chances are you don't use your RSA key that often and don't have your public key registered in too many places...
And next time - remember your passphrase!
Update (answering the question's update):
There is no point in removing the old public key from GitHub if you are just going to re-add the same public key.
In order to use that public key you need the private key associated with it. In order to use a private key you need the passphrase it's encrypted with. If you forgot that passphrase, you can't use that private key, which means you can't decrypt messages encrypted with that public key or encrypt messages that'll be decrypted with that public key, so there is no point in registering that public key in GitHub.
That public key is lost for you. Unless you somehow recall the passphrase - you need a new set of public key, private key and passphrase.
The -p flag of ssh-keygen is used for changing the passphrase, and as you have witnessed you need the old passphrase to do so. If you call ssh-keygen without the -p flag you will be able to create a new key, with a new passphrase. This new key is the one you need to register on GitHub (and any other site that requires it for SSH access).
Update 2 (answering the question's update 2):
Yes, what you have entered there is your new passphrase.
You already did! Notice this part in your interactive shell session log:
/c/Users/XXXXXX/.ssh/id_rsa already exists.
Overwrite (y/n)? y
This means you have overwritten the old id_rsa file and a new one is created. This new id_rsa file is your new private key, encrypted with your new passphrase. ssh-keygen has also overwritten the matching id_rsa.pub file with your new public key. You can tell that by looking at the output lines:
Your identification has been saved in /c/Users/XXXX/.ssh/id_rsa.
Your public key has been saved in /c/Users/XXXX/.ssh/id_rsa.pub.
"identification" here means the private key encrypted with the passphrase.

Related

AWS: No Key Pairs Found

I have been given a key called Access.pem and I am trying to launch an AWS instance.
In Step 7: Review Instance Launch, when I attempt to launch the instance I get the following error:
No keys pairs found.
You don't have any key pairs. Please create a new key pair by selecting the
Create a new key pair option above to continue.
I have attempted to import my key pair with the steps outlined by amazon (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html)
This includes:
Placing Access.pem in ~/.ssh/authorized_keys
And importing the key via the Amazon EC2 console at https://console.aws.amazon.com/ec2/
In the second attempt when browsing for the key, the Access.pem key cannot be selected on my Mac. When I copy the contents, I am informed the key is too long.
How can I use this key?
A key-pair is often given to employees by their institution. As such I will assume this is the case. If you have exhausted all other options, I would contact your IT department to make sure they have added you.
Next time you log in (assuming you have been granted access), your company key-pairs should be available.
Basically, when we launch an instance there is an option to create a new key pair, and after downloading the key pair, with the save option marked as checked, we can proceed to launch an instance. We can also create a key pair from the key pairs section beforehand. If you are sure that you have created a key pair as you mentioned, "Access.pem", then check in which region you created the key pair. If you create a key pair in the region "us-east-1-a North Virginia" and then try to launch an instance in another region like "us-east-2-a -Ohio", you will not find the key pair. When launching an EC2 instance or any other service that needs key pairs, the key pair will not be suggested when the region is changed; check these things.
Also, when doing SSH from a terminal, whether on Windows/Mac/Linux, be sure you have set the permissions of the pem file to 400, like this: "chmod 400 Access.pem"

How do I download my public key (key pair) in AWS?

I recently changed the region of my EC2 instance via creating an AMI of the previous instance and sending it to the new region and launching a new instance from it. However, it now uses the key in the key pair in the old region.
In order to avoid confusion for myself in the future, I want to move the key from the key pair in the old region to the new region (so I have everything in the same region)
I can import the key into the new region, but to do so I need the public key. Question is, I have no idea how to get the public key. I've Googled and looked everywhere, can't find how to get the public half of my key on file so I can import it in the new region
How do I get the public key file?
Thanks in advance
Found the answer.
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html#retrieving-the-public-key-windows
On your local Windows computer, you can use PuTTYgen to get the public key for your key pair.
Start PuTTYgen, choose Load, and select the .ppk or .pem file. PuTTYgen displays the public key.
Thank you, anyway
If you can login to the ec2 instance, you should be able to go to your ~/.ssh folder. You should see something like this:
You need to know the name of your public key. In my case, this is id_rsa.pub. Now you can open a terminal on your local computer and use scp command to copy the file into your local.
$ scp -i ~/.ssh/your_key.pem your_user_name@11.12.123.34:/home/your_user_name/.ssh/id_rsa.pub ~/Desktop
id_rsa.pub 100% 405 16.5KB/s 00:00
Now you should have the public key on your Desktop. Now you can go to the new EC2, log into it (using password) and copy and paste the text in the id_rsa.pub into any file you want.

copy key pair to amazon

I have run into trouble
I have ec2 instance. I connected to it via ssh.
I wanted to set up POST hook for git.
And accidentally removed authorised_keys from /.ssh directory
My question is : if I am still connected to my aws instance can I copy myKey.pem to /.ssh directory ?
I want to omit instance restore process
Thank you in advance !))
If you can't find the public key that corresponds to your current .pem file, just generate a new key pair, and add that public key to your ~/.ssh/authorized_keys file! You could use AWS to generate the new key pair, or check out these popular instructions from GitHub: help.github.com/articles/generating-ssh-keys.

Remove key pair from running EC2 instance

I lost my .pem file, due to which I am not able to log in to my EC2 instance. Luckily I had my machine key added to the auth_keys file, so I am able to log in using it. I removed the master pub key from the auth_keys file and restarted the sshd service. But my colleague, who has the master.pem key file, is still able to log in to the instance. Am I missing something to disable the complete access to the instance using the master.pem file?
Please advise.
Thanks
Does the auth_keys file exist in two places? Maybe you deleted the wrong one? Maybe you should try changing the fingerprint of the server.
New commentary: removing the public key doesn't affect the private key. The master pem file may be associated with the private key. If the private key remains, other public keys will still work. The topic says "Remove key pair." But the description doesn't indicate removing the private key.

Importing Key Pair into Amazon AWS - wrong fingerprint?

I'm trying to import an existing keypair from my computer to use in EC2. But once I click "Yes, Import", the fingerprint Amazon shows doesn't match the fingerprint shown by ssh -lf for the same key. I've verified that they're the same key, tried reimporting the key, etc. The common practice seems to be to use the "Create Key Pair" part instead, but I'd prefer to use my usual SSH keypair. I'm also unable to login using SSH into an instance that's set to use this keypair (I get Permission denied (publickey).).
Has anyone encountered such issues with AWS? Any insights into what the issue might be?
There seems to be an answer in the AWS forums for the fingerprint difference. I'm pasting the content here for posterity:
Hello,
I discussed with my colleagues and looks like it is a limitation from
our end to provide keypair in different format. You'll notice the
different lengths of the Amazon-generated Key Pair and the Import Key
Pair. In the case of an Amazon-generated Key Pair, the Fingerprint is
for the Private Key, while if you use Import Key Pair the fingerprint
is for your public key. Amazon does not retain a copy of the generated
Private Key, but the EC2 command line tools do provide a way to
reproduce the SSH2 MD5 fingerprint:
ec2-fingerprint-key ./testpair1-private.pem
61:26:cc:7d:2a:2c:a4:e9:fb:86:ca:ef:57:d6:68:f8:24:bc:59:cd
This should match what you see in the console for the region in which
you created the key, such as US-West-1 (North California).
Unfortunately the ec2-fingerprint-key command-line tool does not
fingerprint public keys. If you import the public key in another
region such as US-East-1, the web AWS Console will only display the
fingerprint of the public key.
Secondly, the AWS Console should be more clear on exactly what type of
fingerprint it displays, which is the "MD5 public key fingerprint as
specified in section 4 of RFC4716" (also known as SSH2 format) as
mentioned here:
http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-ImportKeyPair.html
We have already put in a feature request for the web-based AWS Console
to support the more common OpenSSH format. Unfortunately I was not
able to find any user-friendly tools to generate the SSH2/RFC4716
format fingerprint, though I did find that you can import the same
public key in your original region (with a name such as "Test2") and
match the shown fingerprint between regions.
(emphases mine)
As he mentions, I too wasn't able to locate any tool to generate the SSH2/RFC4716 format fingerprint. This at least solves the mystery of mismatching fingerprints (at least if we assume ssh-keygen -lf gives output in the "more common OpenSSH format", please correct me if this assumption is wrong); I'm still getting a Permission denied (publickey) when I try to ssh, but I'll assume it's not an actual key mismatch now and explore other avenues.
Here's an alternative way to verify finger print:
openssl pkcs8 -in my-aws-key.pem -nocrypt -topk8 -outform DER | openssl sha1 -c
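An added example, not from the thread or from AWS's tooling: it computes two MD5 fingerprints of the same ssh-rsa public key, one over the SSH wire-format blob (what `ssh-keygen -l -E md5` prints) and one over the DER-encoded public key, to show why a locally computed fingerprint and the console's can differ for an identical key. It assumes the console's imported-key fingerprint is MD5 over the DER SubjectPublicKeyInfo; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib

# DER AlgorithmIdentifier { rsaEncryption, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def ssh_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 4], "big")
        field = blob[pos + 4:pos + 4 + size]
        if pos + 4 > len(blob) or len(field) != size:
            raise ValueError("truncated SSH key blob")
        fields.append(field)
        pos += 4 + size
    return fields

def der(tag, body):
    """Encode one DER tag-length-value element."""
    size = len(body)
    if size < 0x80:
        return bytes([tag, size]) + body
    raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def colons(digest):
    return ":".join(f"{b:02x}" for b in digest)

def fingerprints(pubkey_line):
    """Return (openssh_md5, der_md5) for an 'ssh-rsa AAAA... comment' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    fields = ssh_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    e, n = fields[1], fields[2]
    # SSH mpint and DER INTEGER use the same byte encoding, so reuse the bytes.
    rsa_public_key = der(0x30, der(0x02, n) + der(0x02, e))
    spki = der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_public_key))
    return colons(hashlib.md5(blob).digest()), colons(hashlib.md5(spki).digest())

def wire(field):
    return len(field).to_bytes(4, "big") + field

# Constructed sample, not a usable key: a 2048-bit odd number as n, e = 65537.
N = b"\x00\xc3" + bytes(range(1, 255)) + b"\x01"
SAMPLE = "ssh-rsa " + base64.b64encode(
    wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(N)).decode() + " constructed"

if __name__ == "__main__":
    print("wire-blob MD5: %s\nDER MD5:       %s" % fingerprints(SAMPLE))
```

Both values are 16 colon-separated bytes, unlike the 20-byte SHA-1 value that the `openssl pkcs8 ... | openssl sha1 -c` command above produces for a private key.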