Checking ssh keys have passphrases

I have a bunch of users who have access, via SSH keys, to accounts on other servers. Currently I have a script which collects the SSH public keys and distributes them to the correct account on the correct servers.

What I want to do is get that script to check that any given user's SSH key has a passphrase before accepting the public key and distributing it.

I've tried a number of things, like using an ssh-agent and ssh-add, and then the problem comes when ssh-add gets asked for the passphrase.

Is there a way to get something like openssl to check for a passphrase, and fail with a return code of 1 if the key has a passphrase?

Thanks!

Peter Farmer

Posted 2010-10-19T11:01:13.750

Reputation: 183

Could you clarify whether the requirement is to have a passphrase or not to have it - and because of what reasons? – user1686 – 2010-10-19T13:13:50.753

grawity: My requirement is to make sure users have set passphrases on their ssh keys, only keys with passphrases will get distributed to the other servers. – Peter Farmer – 2010-10-19T13:39:25.517

Answers


If a keyfile uses a passphrase it has a "Proc-Type:" attribute set, with the word "ENCRYPTED" appended.

So, you can determine whether a keyfile uses a passphrase by running it through find and grep to see if it has the string 'ENCRYPTED'.

# list keyfiles that USE a passphrase
# (quote the assignment so both directories end up in HOMES; leave $HOMES
# unquoted in the find call so it word-splits into two starting points)
HOMES="/home /mnt/nfs_home"
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name 'id_[dr]sa*' ! -name '*.pub' -exec grep -q "ENCRYPTED" {} \; -print

prints a list of files that have passphrases. Then you can match those against a list of all keyfiles to single out those that don't use a passphrase. A list of all keyfiles can be obtained e.g. by leaving the -exec parameter out, as follows:

# list all (private) keyfiles; public keys are excluded so they don't show up
# as "no passphrase" when the two lists are compared
HOMES="/home /mnt/nfs_home"
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name 'id_[dr]sa*' ! -name '*.pub' -print

Jawa

Posted 2010-10-19T11:01:13.750

Reputation: 3 349

No longer possible with the new SSH key format: the Proc-Type header is not written to the file, despite it being encrypted. – Oneiroi – 2019-08-02T14:29:43.430
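The header check from the answer above, extended to cover the new OpenSSH key format that the last comment says defeats the Proc-Type grep. This is an added example, not code from the original post or from OpenSSH: it reads the legacy PEM headers ("Proc-Type: 4,ENCRYPTED") and, for "-----BEGIN OPENSSH PRIVATE KEY-----" files, decodes the base64 blob and reads the ciphername field, which OpenSSH stores as "none" for an unencrypted key (blob layout as documented in OpenSSH's PROTOCOL.key). The function names, the `.ssh` directory walk and the sample key strings are this example's own assumptions; the sample bodies are constructed placeholders, not real keys.

```python
"""Check whether OpenSSH private keys are passphrase-protected (added example).

  * legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): an encrypted key carries
    "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" header lines after the BEGIN line
  * new OpenSSH format (BEGIN OPENSSH PRIVATE KEY): no PEM headers; the
    ciphername inside the base64 blob is "none" when there is no passphrase
"""
import base64
import os
import struct
import sys

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"
PKCS8_ENCRYPTED_BEGIN = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated openssh key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated openssh key blob")
    return buf[off:off + n], off + n


def openssh_cipher_name(text: str) -> str:
    """Ciphername field of a new-format key: magic "openssh-key-v1\\0",
    string ciphername, string kdfname, string kdfoptions, uint32 nkeys, ..."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or lines[0] != OPENSSH_BEGIN or lines[-1] != OPENSSH_END:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad magic in openssh key blob")
    cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def key_is_encrypted(text: str) -> bool:
    """True for a passphrase-protected private key, False for one without a
    passphrase; ValueError for anything that is not a private key."""
    lines = text.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if first == OPENSSH_BEGIN:
        return openssh_cipher_name(text) != "none"
    if first == PKCS8_ENCRYPTED_BEGIN:   # PKCS#8: encryption is in the armor label
        return True
    if not (first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----")):
        raise ValueError("not a PEM private key")
    # Legacy PEM: "Name: value" headers follow the BEGIN line and end with a
    # blank line; base64 never contains ':', so stop at the first line without one.
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return "ENCRYPTED" in headers.get("Proc-Type", "")


def unprotected_keys(roots):
    """Yield paths of private keys with no passphrase in any .ssh directory
    below the roots; .pub files, config, authorized_keys etc. are skipped."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if os.path.basename(dirpath) != ".ssh":
                continue
            for name in files:
                if name.endswith(".pub"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="ascii", errors="replace") as fh:
                        text = fh.read(65536)
                    if not key_is_encrypted(text):
                        yield path
                except (OSError, ValueError):
                    continue


def make_openssh_key(cipher: str, kdf: str, kdfoptions: bytes) -> str:
    """Constructed fixture: a new-format container with empty key sections
    (enough for the header check, not a usable key)."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfoptions) + struct.pack(">I", 1)
            + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


# Constructed samples; the base64 bodies are placeholders, not real key material.
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                 "MIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n")
OPENSSH_PLAIN = make_openssh_key("none", "none", b"")
OPENSSH_ENCRYPTED = make_openssh_key(
    "aes256-ctr", "bcrypt", _ssh_string(b"\x00" * 16) + struct.pack(">I", 16))

if __name__ == "__main__":
    for label, sample in [("PEM_PLAIN", PEM_PLAIN), ("PEM_ENCRYPTED", PEM_ENCRYPTED),
                          ("OPENSSH_PLAIN", OPENSSH_PLAIN), ("OPENSSH_ENCRYPTED", OPENSSH_ENCRYPTED)]:
        print(f"{label:18} encrypted={key_is_encrypted(sample)}")
    for path in unprotected_keys(sys.argv[1:]):      # e.g. /home /mnt/nfs_home
        print("NO PASSPHRASE:", path)
```

Run it with the home roots as arguments, and have the distribution script refuse any public key whose private half is reported. A format-agnostic cross-check that delegates the parsing to OpenSSH itself is `ssh-keygen -y -P '' -f /path/to/key`: it prints the public key and exits 0 for an unencrypted key, and exits non-zero for a passphrase-protected one because the empty passphrase fails to decrypt it. Neither check can tell a strong passphrase from a weak one; they only establish that one is set.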