Ssh – How to determine if someone’s SSH key contains an empty passphrase

Securitysshusers

Some of my Linux & FreeBSD systems have dozens of users. Staff will use these "ssh gateway" nodes to SSH into other internal servers.

We're concerned that some of these people use an unencrypted private SSH key (A key without a passphrase. This is bad, because if a cracker ever gained access to their account on this machine, they could steal the private key and now have access to any machine which uses this same key. For security reasons, we require all users to encrypt their private SSH keys with a passphrase.

How can I tell if a private key is not-encrypted (e.g. Does not contain a passphrase)? Is there a different method to do this on an ASCII-armored key vs. a non-ASCII-armored key?

Update:

To clarify, assume I have superuser access on the machine and I can read everybody's private keys.

Best Answer

Well, OpenSSH private keys with empty passphrases are actually not encrypted.

Encrypted private keys are declared as such in the private key file. For instance:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7BD2F97F977F71FC

BT8CqbQa7nUrtrmMfK2okQLtspAsZJu0ql5LFMnLdTvTj5Sgow7rlGmee5wVuqCI
/clilpIuXtVDH4picQlMcR+pV5Qjkx7BztMscx4RCmcvuWhGeANYgPnav97Tn/zp
...
-----END RSA PRIVATE KEY-----

So something like

# grep -L ENCRYPTED /home/*/.ssh/id_[rd]sa

should do the trick.

Related Solutions

Ssh – Is it really possible to directly steal a private key if it uses no passphrase

That question is worried about private keys stored on the server unencrypted. It's a scenario like:

workstation 1 ---> gateway -> final server
     ⋮               |
workstation n ------/

and the OP is worried about private keys on "gateway", which is a shared machine with multiple users.

It is not possible to steal the private key by compromising the server, only the machine the key is actually stored on. If you use ssh agent forwarding, then its possible to use the key without stealing it (to log into another machine, for example), if you do not have ssh-agent prompt first.

But you should still encrypt your private keys, in case your workstation is compromised. Or, especially in the case of a laptop, lost or stolen.

SSH using keys in external storage – permissions

ssh-add doesn't have an option to bypass its check of the key permissions. You could recompile the program and disable the check.

A bindfs should work. You don't need to mount it at ~/.ssh, mount it at a special-purpose location and write a script that does ssh-add ~/.ssh-private-keys-bindfs.

Note that ssh is right in that your setup is pretty insecure. You must make sure never to plug that drive into a computer where you are not the sole user.

Best Answer

Related Solutions

Ssh – Is it *really* possible to directly steal a private key if it uses no passphrase

SSH using keys in external storage – permissions

Related Question

Ssh – Is it really possible to directly steal a private key if it uses no passphrase