
So I mistook input fields and now my SSH key passphrase is visible to the world,


Question

So I mistook input fields and now my SSH key passphrase is visible to the world, and I can't even remove it.

Now as far as I understand, this is not an immediate security concern, since the passphrase only protects against the case of my private key itself getting disclosed. Since that hasn't happened (the key only exists on hardware I own), I at most have to change the passphrase in case it happens in the future; I don't have to change to a different SSH key everywhere I've used it.

Is that correct? Keeping in mind that all of this is for private projects and a hypothetical breach could at most be annoying and embarrassing.

Explanation / Answer

Changing the passphrase of an existing key can be done with:

ssh-keygen -p

...you are, however, not done yet. You also have to consider copies of your old keys; these need to be removed or it should be treated as compromised. Think of backups, but also data on filesystems (copy-on-write filesystems such as ZFS and btrfs could keep a copy somewhere on the storage backend).

Changing your passphrase is a short-term solution if you believe that your key file can be leaked. If you cannot be sure that all copies of your old private key are gone, then you should consider changing your private key file.

Do not forget about all services where your public key is attached too. Leaking your key is one issue, breaching other systems would be a bad side-effect.
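
One way to locate the leftover copies the answer mentions, as an added example that is not part of the original answer: OpenSSH's current private key format stores the public key unencrypted, so loose files under a backup or snapshot mount can be matched by fingerprint without the passphrase. The function names and the constructed sample are assumptions made for illustration; keys in the older PEM format and keys packed inside archives are not covered.

```python
import base64, hashlib, os, struct
MAGIC = b"openssh-key-v1\x00"
BEGIN, END = b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated")
    return buf[off + 4: off + 4 + n], off + 4 + n

def inspect_key(data):
    """Return (fingerprint as printed by ssh-keygen -l, cipher name), or None."""
    start, end = data.find(BEGIN), data.find(END)
    if start < 0 or end < start:
        return None
    try:
        raw = base64.b64decode(b"".join(data[start + len(BEGIN):end].split()))
        if not raw.startswith(MAGIC):
            return None
        cipher, off = _read_string(raw, len(MAGIC))
        _, off = _read_string(raw, off)           # kdfname
        _, off = _read_string(raw, off)           # kdfoptions
        pub, _ = _read_string(raw, off + 4)       # skip key count; blob is in the clear
    except (ValueError, struct.error):
        return None
    fp = base64.b64encode(hashlib.sha256(pub).digest()).rstrip(b"=").decode()
    return "SHA256:" + fp, cipher.decode()

def find_copies(root, fingerprint):
    """Walk root and list (path, cipher) for files holding the key with this fingerprint."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = inspect_key(fh.read(65536))
            except OSError:
                continue
            if info and info[0] == fingerprint:
                hits.append((path, info[1]))
    return sorted(hits)

def constructed_sample(pub_blob, cipher=b"aes256-ctr"):
    """Constructed test container around a made-up public blob (not a usable key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    raw = MAGIC + s(cipher) + s(b"bcrypt") + s(b"") + struct.pack(">I", 1) + s(pub_blob) + s(b"\x00" * 16)
    return BEGIN + b"\n" + base64.b64encode(raw) + b"\n" + END + b"\n"
```

A matching copy made before `ssh-keygen -p` was run is still encrypted under the old passphrase; a reported cipher of `none` means that copy has no passphrase at all.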
