Some of my Linux & FreeBSD systems have dozens of users. Staff will use these “ssh gateway” nodes to SSH into other internal servers.
We’re concerned that some of these people use an unencrypted private SSH key (a key without a passphrase). This is bad, because if a cracker ever gained access to their account on this machine, they could steal the private key and would then have access to any machine which uses this same key. For security reasons, we require all users to encrypt their private SSH keys with a passphrase.
How can I tell if a private key is not encrypted (i.e., does not have a passphrase)? Is there a different method to do this on an ASCII-armored key vs. a non-ASCII-armored key?
Update:
To clarify, assume I have superuser access on the machine and I can read everybody’s private keys.
Answers:
Method 1
Well, OpenSSH private keys with empty passphrases are actually not encrypted.
Encrypted private keys are declared as such in the private key file. For instance:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7BD2F97F977F71FC

BT8CqbQa7nUrtrmMfK2okQLtspAsZJu0ql5LFMnLdTvTj5Sgow7rlGmee5wVuqCI
/clilpIuXtVDH4picQlMcR+pV5Qjkx7BztMscx4RCmcvuWhGeANYgPnav97Tn/zp
...
-----END RSA PRIVATE KEY-----
So something like
# grep -L ENCRYPTED /home/*/.ssh/id_[rd]sa
should do the trick.
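An added example, not part of the original answers: the grep above works for classic PEM keys, whose encryption is declared in the `Proc-Type: 4,ENCRYPTED` header, but it misses keys in the openssh-key-v1 format (ssh-keygen’s default since OpenSSH 7.8), which has no such header and records the cipher name inside the base64 blob, with `none` meaning the key is stored in the clear. The checker below handles both formats and walks `/home/*/.ssh/` as superuser; the sample keys are constructed here and contain no real key material.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # fixed prefix of an openssh-key-v1 blob
OPENSSH_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_ENCRYPTED = b"Proc-Type: 4,ENCRYPTED"  # PEM header that declares encryption

def _ssh_string(blob: bytes, offset: int) -> bytes:
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length]

def key_is_encrypted(key_text: bytes) -> bool:
    """True if the private key is passphrase-protected, in either on-disk format.
    Classic PEM keys declare encryption with a 'Proc-Type: 4,ENCRYPTED' header.
    openssh-key-v1 keys (OpenSSH's default since 7.8) have no such header: the
    cipher name is the first string in the base64 body, and 'none' means cleartext.
    """
    lines = [line.strip() for line in key_text.splitlines()]
    if OPENSSH_BEGIN in lines:
        body = b"".join(l for l in lines[lines.index(OPENSSH_BEGIN) + 1:]
                        if l and not l.startswith(b"-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        return _ssh_string(blob, len(OPENSSH_MAGIC)) != b"none"
    return PEM_ENCRYPTED in lines

def unencrypted_keys(home_root: str = "/home"):
    """Yield private-key files under <home_root>/*/.ssh/ that have no passphrase."""
    for path in Path(home_root).glob("*/.ssh/*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        is_private = data.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in data[:64]
        if is_private and not key_is_encrypted(data):
            yield path

def sample_openssh_key(cipher: bytes) -> bytes:
    """Constructed input: just the blob prefix a checker inspects, no real key material."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    blob += struct.pack(">I", 6) + b"bcrypt"   # kdfname follows the cipher name
    return OPENSSH_BEGIN + b"\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed PEM samples; the 'QUJD' body is base64 filler, not a key.
SAMPLE_PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: DES-EDE3-CBC,7BD2F97F977F71FC\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
```

Run `for p in unencrypted_keys(): print(p)` as root to list offending key files; unlike Method 2 it never rewrites the user’s key.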
Method 2
I looked all over for this and never found a satisfying answer, but I managed to construct one, so…
Note that this will update the file if it works, so if you’re trying not to be noticed by the users whose keys you’re testing, you may want to copy the key first. OTOH, since you just caught your user with a passwordless key, maybe you don’t care if they notice. 😀
$ ssh-keygen -p -P '' -N '' -f ~/.ssh/KEYTEST
Key has comment '/home/rlpowell/.ssh/KEYTEST'
Your identification has been saved with the new passphrase.
$ echo $?
0
$ ssh-keygen -p -P '' -N '' -f ~/.ssh/KEYTEST
Bad passphrase.
$ echo $?
1
Method 3
If you have access to the private key, I suppose you can use it without a passphrase to authenticate against the public key. If this works, you know it has no passphrase. If it had one, it would give you an error message.
If you don’t have access to the private key, I doubt you can detect this. The passphrase’s purpose is to “unlock” the private key; it has no function in regard to the public key.
In fact, if it did, it would make the system less secure. One could use the public key, which is available, to try to mount brute-force or other attacks to crack the passphrase.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.