ssh-keygen -y
ssh-keygen -y will prompt you for the passphrase (if there is one).
If you input the correct passphrase, it will show you the associated public key.
If you input the wrong passphrase, it will display load failed.
If the key has no passphrase, it will not prompt you for a passphrase and will immediately show you the associated public key.
e.g.,
Create a new public/private key pair, with or without a passphrase:
$ ssh-keygen -f /tmp/my_key
...
Now see if you can access the key pair:
$ ssh-keygen -y -f /tmp/my_key
Following is an extended example, showing output.
Create a new public/private key pair, with or without a passphrase:
$ ssh-keygen -f /tmp/my_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/my_key.
Your public key has been saved in /tmp/my_key.pub.
The key fingerprint is:
de:24:1b:64:06:43:ca:76:ba:81:e5:f2:59:3b:81:fe rob@Robs-MacBook-Pro.local
The key's randomart image is:
+--[ RSA 2048]----+
| .+ |
| . . o |
| = . + |
| = + + |
| o = o S . |
| + = + * |
| = o o . |
| . . |
| E |
+-----------------+
Attempt to access the key pair by inputting the correct passphrase.
Note that the public key will be shown and the exit status ($?) will be 0 to indicate success:
$ ssh-keygen -y -f /tmp/my_key
Enter passphrase:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBJhVYDYxXOvcQw0iJTPY64anbwSyzI58hht6xCGJ2gzGUJDIsr1NDQsclka6s0J9TNhUEBBzKvh9nTAYibXwwhIqBwJ6UwWIfA3HY13WS161CUpuKv2A/PrfK0wLFBDBlwP6WjwJNfi4NwxA21GUS/Vcm/SuMwaFid9bM2Ap4wZIahx2fxyJhmHugGUFF9qYI4yRJchaVj7TxEmquCXgVf4RVWnOSs9/MTH8YvH+wHP4WmUzsDI+uaF1SpCyQ1DpazzPWAQPgZv9R8ihOrItLXC1W6TPJkt1CLr/YFpz6vapdola8cRw6g/jTYms00Yxf2hn0/o8ORpQ9qBpcAjJN
$ echo $?
0
Attempt to access the key pair by inputting an incorrect passphrase.
Note that the "load failed" error message will be displayed (message may differ depending on OS) and the exit status ($?) will be 1 to indicate an error:
$ ssh-keygen -y -f /tmp/my_key
Enter passphrase:
load failed
$ echo $?
1
Attempt to access a key pair that has no passphrase. Note that there is no prompt for the passphrase, the public key will be displayed, and the exit status ($?) will be 0 to indicate success:
$ ssh-keygen -y -f /tmp/my_key_with_no_passphrase
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLinxx9T4HE6Brw2CvFacvFrYcOSoQUmwL4Cld4enpg8vEiN8DB2ygrhFtKVo0qMAiGWyqz9gXweXhdmAIsVXqhOJIQvD8FqddA/SMgqM++2M7GxgH68N+0V+ih7EUqf8Hb2PIeubhkQJQGzB3FjYkvRLZqE/oC1Q5nL4B1L1zDQYPSnQKneaRNG/NGIaoVwsy6gcCZeqKHywsXBOHLF4F5nf/JKqfS6ojStvzajf0eyQcUMDVhdxTN/hIfEN/HdYbOxHtwDoerv+9f6h2OUxZny1vRNivZxTa+9Qzcet4tkZWibgLmqRyFeTcWh+nOJn7K3puFB2kKoJ10q31Tq19
$ echo $?
0
Note that the order of arguments is important. -y must come before -f input_keyfile, else you will get the error Too many arguments..
Best Solution
Short answer:
This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).
If you would like to do it all on one line without prompts do:
Important: Beware that when executing commands they will typically be logged in your
~/.bash_historyfile (or similar) in plain text including all arguments provided (i.e. the passphrases in this case). It is, therefore, is recommended that you use the first option unless you have a specific reason to do otherwise.Notice though that you can still use
-f keyfilewithout having to specify-Pnor-N, and that the keyfile defaults to~/.ssh/id_rsa, so in many cases, it's not even needed.You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.