Checking ssh keys have passphrases
If a keyfile uses a passphrase, it has a "Proc-Type:" attribute set with the word "ENCRYPTED" appended.
So, you can determine if a keyfile uses a passphrase by running it through find and grep to see if it has the string 'ENCRYPTED'.
# list keyfiles that USE a passphrase
# (quote the list so $HOMES holds both directories; find word-splits it)
HOMES="/home /mnt/nfs_home"
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name "id_[dr]sa*" -exec grep -q "ENCRYPTED" {} \; -print
prints a list of files that have passphrases. Then you can match those against a list of all keyfiles to single out those that don't use a passphrase. A list of all keyfiles can be obtained e.g. by leaving the -exec parameter out, as follows:
# list all keyfiles
HOMES="/home /mnt/nfs_home"
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name "id_[dr]sa*" -print
Peter Farmer
I'm a Technical Architect who likes playing with python, google app engine and Amazons ec2/s3 etc....
Updated on September 17, 2022

Comments
-
Peter Farmer over 1 year
I have a bunch of users, who with SSH keys have access to accounts on other servers. Currently I have a script which collects up the ssh public keys and distributes them to the correct account on the correct servers.
What I want to do, is get that script to check that any given users ssh key has a passphrase before accepting the public key and distributing it.
I've tried a number of things, like using an ssh-agent and ssh-add and then the problem comes when ssh-add gets asked for passphrase. Is there a way to get something like openssl to check for passphrase, fail slightly with a return code of 1 if the key has a passphrase? Thanks!
-
user1686 over 13 years
Could you clarify whether the requirement is to have a passphrase or not to have it - and because of what reasons?
-
Peter Farmer over 13 years
grawity: My requirement is to make sure users have set passphrases on their ssh keys, only keys with passphrases will get distributed to the other servers.
-
Oneiroi almost 5 years
No longer possible with new SSH key format, the Proc-Type header is not written to the file, despite being encrypted.
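The Proc-Type check from the answer above only covers the legacy PEM container, and Oneiroi's comment notes that keys in OpenSSH's own "openssh-key-v1" format carry no such header. The following is an added example, not code from the answer or the commenters, that combines both checks in one function: for the PEM container it looks for "Proc-Type: 4,ENCRYPTED"; for the openssh-key-v1 container it base64-decodes the body and reads the cipher name field after the magic string, which is "none" for an unprotected key and a real cipher name (for example aes256-ctr) for a passphrase-protected one. The sample keys at the bottom are constructed header-only stand-ins for testing, not real keys; the script scans whatever file paths it is given on the command line.

```python
import base64
import struct
import sys

# Every openssh-key-v1 private key starts with this magic string, followed by
# SSH wire-format strings: ciphername, kdfname, kdfoptions, then uint32 nkeys.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    return blob[start:end], end


def key_is_encrypted(key_text: str) -> bool:
    """Return True if the private key text is passphrase-protected.

    Handles the legacy PEM container (Proc-Type: 4,ENCRYPTED header) and the
    openssh-key-v1 container (cipher name "none" means no passphrase).
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM-style private key")

    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"

    # Legacy PEM: "Name: value" header lines may precede the base64 body;
    # an encrypted key carries "Proc-Type: 4,ENCRYPTED" and "DEK-Info: ...".
    headers = {}
    for ln in lines[1:-1]:
        if ":" not in ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip()] = value.strip()
    return "ENCRYPTED" in headers.get("Proc-Type", "")


# ---- constructed samples (header-only stand-ins, not real keys) ----
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_NEW_ENCRYPTED = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_NEW_PLAIN = _fake_openssh_key(b"none", b"none")
SAMPLE_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""


def scan_files(paths):
    """Yield (path, status) for each key file; status is 'encrypted',
    'NOT encrypted' or 'unreadable: <reason>'."""
    for path in paths:
        try:
            with open(path, "r", encoding="ascii") as fh:
                enc = key_is_encrypted(fh.read())
            yield path, "encrypted" if enc else "NOT encrypted"
        except (OSError, ValueError, UnicodeDecodeError) as exc:
            yield path, f"unreadable: {exc}"


if __name__ == "__main__":
    # Usage: python check_keys.py /home/*/.ssh/id_*
    for path, status in scan_files(sys.argv[1:]):
        print(f"{path}: {status}")
```

Feeding the output of the answer's find command (without the -exec part) to this script gives a per-file verdict for both key formats. As an alternative that needs no parsing at all, `ssh-keygen -y -P '' -f keyfile` prints the public key and exits 0 for an unprotected key and exits non-zero for a passphrase-protected one, which is close to the return-code behaviour the question asks for.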