Re: How to forbid unencrypted Keys?

• Previous message: Dimitri Maziuk: "Re: Block IP"
• In reply to: Wolfgang: "How to forbid unencrypted Keys?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 21 Mar 2005 04:37:05 GMT

On 2005-03-20, Wolfgang <nobody@pappnas.de> wrote:
> I wonder why the SSH-Protokol dont care for the client Keys.

The SSH protocol was designed on the assumption that the two endpoints
are trusted but that the network between then is untrusted.

> My problem
> ist, I am responsible for the security on a central server, on which a
> lot of people use interactive login. I noticed serveral time, that due
> to their ease or lack of understanding sometimes people use unencrypted
> keys (and not ssh-agents). Because I am not able the scan the keys on
> all clients I want to restrict access only to encrypted keys. Is there a
> patch to openssh availible or any other ideas.

No. The ssh server can't tell that the client is storing the keys
unencrypted any more than /bin/login can tell that the user is writing
their password on a sticky-note.

> and furtheron the clients shouldnt use unencrypted keys on this server,
> are there a tool out there to scan secret keys for encryption (yes I
> have root ;-).

You can attempt to read the private keys with openssl with a null
passphrase. If the read succeeds (ie openssl returns zero) then the
key is not encrypted, eg:

$ openssl rsa -passin pass: -noout -in id_rsa 2>/dev/null && \
         echo unencrypted key

This won't help for private keys stored on systems that you do not have
access to.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

• Previous message: Dimitri Maziuk: "Re: Block IP"
• In reply to: Wolfgang: "How to forbid unencrypted Keys?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]