How can I determine if someone's SSH key contains an empty passphrase?

25,439

Solution 1

Well, OpenSSH private keys with empty passphrases are actually not encrypted.

Encrypted private keys are declared as such in the private key file. For instance:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7BD2F97F977F71FC

BT8CqbQa7nUrtrmMfK2okQLtspAsZJu0ql5LFMnLdTvTj5Sgow7rlGmee5wVuqCI
/clilpIuXtVDH4picQlMcR+pV5Qjkx7BztMscx4RCmcvuWhGeANYgPnav97Tn/zp
...
-----END RSA PRIVATE KEY-----

So something like

# grep -L ENCRYPTED /home/*/.ssh/id_[rd]sa

should do the trick.
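The grep above keys on the Proc-Type header, which only exists in legacy PEM files; keys written in the newer OPENSSH format (the one a later comment mentions) never contain the word ENCRYPTED and instead record the cipher name inside the base64 blob, where "none" means no passphrase. The following is an added example, not part of this answer, that checks both formats offline; the key files it builds are constructed stand-ins with no real key material.

```python
import base64
import re
import struct

# Constructed sample files (not real keys): only the headers matter for this check.
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7BD2F97F977F71FC

QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""
PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""

def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the openssh-key-v1 format."""
    return struct.pack(">I", len(b)) + b

def make_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 file carrying the given cipher/KDF names
    (constructed stand-in for a real key; the key material itself is omitted)."""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

def grep_encrypted(text: str) -> bool:
    """What `grep ENCRYPTED` sees: it only matches the legacy PEM Proc-Type header."""
    return "ENCRYPTED" in text

def key_is_encrypted(text: str) -> bool:
    """True if the private key needs a passphrase, for legacy PEM and openssh-key-v1 files."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        b64 = "".join(line for line in text.splitlines()
                      if line and not line.startswith("-----"))
        blob = base64.b64decode(b64)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        return cipher != b"none"  # cipher "none" means no passphrase was set
    # Legacy PEM: an encrypted key declares itself in the header.
    return re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.M) is not None
```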

Solution 2

I looked all over for this and never found a satisfying answer, but I managed to construct one, so...

Note that this will update the file if it works, so if you're trying to not be noticed by the users whose keys you're testing, you may want to copy the key first. OTOH, since you just caught your user with a passwordless key, maybe you don't care if they notice. :D

$ ssh-keygen -p -P '' -N '' -f ~/.ssh/KEYTEST
Key has comment '/home/rlpowell/.ssh/KEYTEST'
Your identification has been saved with the new passphrase.
$ echo $?
0

$ ssh-keygen -p -P '' -N '' -f ~/.ssh/KEYTEST
Bad passphrase.
$ echo $?
1

Solution 3

If you have access to the private key, I suppose you can use it without a passphrase to authenticate against the public key. If this works, you know it has no passphrase. If it had one, you would get an error message.

If you don't have access to the private key, I doubt you can detect this. The passphrase's purpose is to "unlock" the private key; it has no function in regard to the public key.

In fact, if it did, it would make the system less secure. One could use the public key, which is available, to mount brute-force or other attacks trying to crack the passphrase.


Author: Mark Norgren

Updated on September 17, 2022

Comments

  • Mark Norgren, almost 2 years ago

    Some of my Linux & FreeBSD systems have dozens of users. Staff will use these "ssh gateway" nodes to SSH into other internal servers.

    We're concerned that some of these people use an unencrypted private SSH key (a key without a passphrase). This is bad, because if a cracker ever gained access to their account on this machine, they could steal the private key and then have access to any machine that uses this same key. For security reasons, we require all users to encrypt their private SSH keys with a passphrase.

    How can I tell if a private key is not encrypted (i.e., does not contain a passphrase)? Is there a different method to do this on an ASCII-armored key vs. a non-ASCII-armored key?

    Update:

    To clarify, assume I have superuser access on the machine and I can read everybody's private keys.

  • Mark Norgren, almost 14 years ago
    @jmanning2k: I just created an RSA private key with no passphrase, and it does not contain the string 'Encryption: none'.
  • bahamat, almost 12 years ago
    @jmanning2k: the -L flag lists only file names that do not match the pattern. So this answer is correct on its own.
  • jmanning2k, almost 12 years ago
    I stand corrected, comment removed for clarity. For the record, I have a few PuTTY private key files copied over, which do read 'Encryption: none'.
  • jrochkind, about 9 years ago
    Why not -N '' instead, so that the passphrase is always left unchanged?
  • Sebastian Krysmanski, over 7 years ago
    +1 because this solution even works with SSH's new private key format.
  • Jack Wasey, over 7 years ago
    Or the string OPENSSH: see tedunangst.com/flak/post/…