Security actions on unprotected SSH Keys (Staff/PhD)

Please follow this guide to encrypt your SSH private keys

 

Self-managed devices

Users on self-managed devices are strongly advised to review the security of their SSH keys and remove them if they are not protected with a passphrase.

You will know your keys are protected with a passphrase if you get prompted for it when you try to connect to ‘frank’ or any other Compute Server.

Below you will find some guidelines to find out if you have unprotected SSH keys for the 3 main Operating Systems:

SSH private keys generated using PuTTY or MobaXterm have the extension .ppk. Search your Windows device for files with that extension.

Open the file with Notepad (or any text editor).

Secure Private SSH Key

A secure private key protected with a passphrase has something like the following at the top (note the ‘Encryption’ line):

PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: rsa-key-20171114
Public-Lines: 6

The ‘Encryption’ line shows the encryption algorithm used to protect your private key when you generated it.

Unprotected Private SSH Key

An unprotected private key has something like the following at the top (note the ‘Encryption’ line):

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20200506
Public-Lines: 6

If your private key file shows that there is no encryption, as above, DELETE the private and public keys immediately and generate a new one, following our guide here: http://support.eecs.qmul.ac.uk/services/ssh/

On your self-managed Linux device, open a Terminal and run the following command on your Private SSH key:

$ ssh-keygen -y -P "" -f <PATH_TO_PRIVATE_SSH_KEY>

Secure Private SSH Key

If the output of the command is ‘incorrect passphrase supplied to decrypt private key’, it means your key is already encrypted. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_encrypted
Load key "/home/harry/.ssh/id_rsa_encrypted": incorrect passphrase supplied to decrypt private key

Unprotected Private SSH Key

If the output is the public key associated with that particular private key, it means your key is not protected. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_no_encryption
ssh-rsa AAFFGFFFAAB3NzaC1yc2EAAAADAQABAAABAQDEzlgGMuIV1dRHo5E7CJbOF8QHMz2G/ndqP8GwKzmqS5jKiwghAKprp1vB2Q5jcHIN7/ycOEYQw4HzvHqKd2BpygArQCiMqnkgHVRogzJEUIuQ0qNAe2ao+krCJz12Ihz

 

On your self-managed macOS device, open a Terminal and run the following command on your Private SSH key:

$ ssh-keygen -y -P "" -f <PATH_TO_PRIVATE_SSH_KEY>

Secure Private SSH Key

If the output of the command is ‘incorrect passphrase supplied to decrypt private key’, it means your key is already encrypted. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_encrypted
Load key "/home/harry/.ssh/id_rsa_encrypted": incorrect passphrase supplied to decrypt private key

Unprotected Private SSH Key

If the output is the public key associated with that particular private key, it means your key is not protected. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_no_encryption
ssh-rsa AAFFGFFFAAB3NzaC1yc2EAAAADAQABAAABAQDEzlgGMuIV1dRHo5E7CJbOF8QHMz2G/ndqP8GwKzmqS5jKiwghAKprp1vB2Q5jcHIN7/ycOEYQw4HzvHqKd2BpygArQCiMqnkgHVRogzJEUIuQ0qNAe2ao+krCJz12Ihz
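
To check every key in a directory in one pass on Linux or macOS, the script below applies the same two tests described above (the ‘Encryption’ line for .ppk files, the empty-passphrase ssh-keygen command for other keys). It is an added example, not part of the original guide; the function names are this example's own, and it assumes ssh-keygen reports the ‘incorrect passphrase’ message shown above, reporting any other failure as unknown.

```shell
#!/bin/sh
# Added example: report which private keys in a directory lack a passphrase.
# Function names are this example's own, not part of any tool.

# PuTTY .ppk file: classify by its "Encryption:" header line.
ppk_status() {
    enc=$(sed -n 's/^Encryption:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r')
    case "$enc" in
        none) echo unprotected ;;
        "")   echo unknown ;;       # header missing: not a valid .ppk
        *)    echo protected ;;     # e.g. aes256-cbc
    esac
}

# OpenSSH/PEM key: try the empty passphrase, as in the guide's command.
openssh_status() {
    if err=$(ssh-keygen -y -P "" -f "$1" 2>&1 >/dev/null); then
        echo unprotected            # public key derived with no passphrase
    else
        case "$err" in
            *"incorrect passphrase"*) echo protected ;;
            *) echo unknown ;;      # unreadable, bad permissions, not a key
        esac
    fi
}

# Print "<status><TAB><file>" for every private key found in a directory.
scan_keys() {
    dir=${1:-"$HOME/.ssh"}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000\r')
        case "$first" in
            PuTTY-User-Key-File-*)
                printf '%s\t%s\n' "$(ppk_status "$f")" "$f" ;;
            -----BEGIN*PRIVATE\ KEY-----)
                printf '%s\t%s\n' "$(openssh_status "$f")" "$f" ;;
        esac
    done
}

# Run only when a directory is given, e.g.: sh check_keys.sh ~/.ssh
if [ "$#" -gt 0 ]; then scan_keys "$1"; fi
```

Any file reported as unprotected should be handled as described above: delete the key pair and generate a new one with a passphrase.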