Some of my Linux & FreeBSD systems have dozens of users. Staff will use these "ssh gateway" nodes to SSH into other internal servers.
We're concerned that some of these people use an unencrypted private SSH key (a key without a passphrase). This is bad, because if a cracker ever gained access to their account on this machine, they could steal the private key and now have access to any machine which uses this same key. For security reasons, we require all users to encrypt their private SSH keys with a passphrase.
How can I tell if a private key is not encrypted (e.g. does not contain a passphrase)? Is there a different method to do this on an ASCII-armored key vs. a non-ASCII-armored key?
Update:
To clarify, assume I have superuser access on the machine and I can read everybody's private keys.
Best Answer
Well, OpenSSH private keys with empty passphrases are actually not encrypted.
Encrypted private keys are declared as such in the private key file. For instance:
So something like
should do the trick.
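As an added example (not part of the answer above), a small Python checker that applies this idea to both formats OpenSSH writes: legacy PEM keys, where encryption is declared by a `Proc-Type: 4,ENCRYPTED` header, and the newer `openssh-key-v1` format, where the cipher name stored at the start of the base64 blob is `none` for a key with no passphrase. The sample keys are constructed stubs, and scanning `/home/*/.ssh` as root is an assumption.

```python
import base64
import glob
import os
import struct

def openssh_cipher(b64_body: str) -> str:
    """Return the cipher name from an 'openssh-key-v1' blob ('none' means unencrypted)."""
    raw = base64.b64decode(b64_body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])      # length-prefixed ciphername string
    return raw[off + 4:off + 4 + n].decode("ascii")

def key_is_encrypted(text: str) -> bool:
    """True if a PEM/OpenSSH private key file is passphrase-protected."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty key file")
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":    # PKCS#8: encrypted by definition
        return True
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":      # new format: look inside the blob
        return openssh_cipher("".join(lines[1:-1])) != "none"
    # Legacy PEM (RSA/DSA/EC): encryption is declared by a Proc-Type header
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])

def unencrypted_keys(root: str = "/home") -> list:
    """Paths under <root>/*/.ssh that are private keys without a passphrase (run as root)."""
    hits = []
    for path in glob.glob(os.path.join(root, "*", ".ssh", "*")):
        try:
            with open(path, "r", encoding="ascii") as f:
                text = f.read()
            if "PRIVATE KEY-----" in text.split("\n", 1)[0] and not key_is_encrypted(text):
                hits.append(path)
        except (OSError, UnicodeDecodeError, ValueError):
            continue                                         # not a readable text key
    return hits

# Constructed samples (not real keys): only the headers the check relies on are meaningful.
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              "MIIE...\n-----END RSA PRIVATE KEY-----\n")

def openssh_stub(cipher: str) -> str:
    """Build a constructed openssh-key-v1 header carrying the given cipher name."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode("ascii")
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

`unencrypted_keys()` only reports keys; it does not print or copy key material, so its output is safe to feed into a notification to the affected users.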