14

This is probably a noob question, but how can I determine if the public SSH key someone gives me has a passphrase or not?

We have a situation where I am not generating the SSH keys for users, but I want to make sure every SSH key I put on a server has a passphrase. However, I get the feeling the passphrase is only part of the private key.

Thanks!

Peter Sankauskas

3 Answers

28

This is not something you can determine from the public half of the key. Even if you could determine it, what's to stop the user from subsequently removing it?

When you remove the passphrase from the private side of the key, the public side doesn't change.

James F
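To make the answer above concrete, here is an added example that is not part of the original thread. It builds two constructed OpenSSH private key containers (openssh-key-v1 format, the one ssh-keygen writes by default) for the same hypothetical ed25519 key pair: one with no passphrase and one with the header fields ssh-keygen sets when a passphrase is used (ciphername aes256-ctr, kdfname bcrypt). The key material, the helper names and the "encrypted" private section are all placeholders, not real key data. The point it shows is that the passphrase only changes the cipher/KDF fields and the private section; the public key blob is stored in the clear in both files and is byte-for-byte identical, so nothing about the public half can tell you whether a passphrase exists.

```python
"""Where the passphrase lives in an OpenSSH private key file.

Added example; hypothetical helper names, constructed sample key material.
"""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_openssh_private_key(pub_blob: bytes, priv_section: bytes, encrypted: bool) -> str:
    """Serialize a constructed openssh-key-v1 container.

    The encrypted variant only mimics the header fields ssh-keygen writes;
    priv_section is a placeholder here, not real bcrypt/aes256-ctr output.
    """
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _string(b"\x00" * 16) + struct.pack(">I", 16)  # salt + rounds (constructed)
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    body = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1)            # number of keys in the container
            + _string(pub_blob)               # public key, stored unencrypted in BOTH cases
            + _string(priv_section))          # the only part a passphrase protects
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def parse_openssh_private_key(text: str) -> dict:
    """Read the cleartext header of an openssh-key-v1 container."""
    lines = [l for l in text.strip().splitlines() if not l.startswith("-----")]
    buf = base64.b64decode("".join(lines))
    if not buf.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    off = len(MAGIC)
    cipher, off = _read_string(buf, off)
    kdf, off = _read_string(buf, off)
    _kdfopts, off = _read_string(buf, off)
    (nkeys,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    pub_blob, off = _read_string(buf, off)
    keytype, _ = _read_string(pub_blob, 0)
    return {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "nkeys": nkeys,
        # This is exactly the line that ends up in authorized_keys / id_*.pub.
        "public_key_line": keytype.decode() + " " + base64.b64encode(pub_blob).decode(),
    }


def private_key_is_encrypted(text: str) -> bool:
    """True if the PRIVATE key file needs a passphrase.

    Covers the legacy PEM container (Proc-Type: 4,ENCRYPTED header) and the
    openssh-key-v1 container (ciphername other than "none").
    """
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        return parse_openssh_private_key(text)["cipher"] != "none"
    return "Proc-Type: 4,ENCRYPTED" in text


# Constructed sample key material (not a real key pair).
SAMPLE_PUB_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
SAMPLE_PRIV_SECTION = b"\x00" * 64  # placeholder for the private section
PLAIN_KEY = build_openssh_private_key(SAMPLE_PUB_BLOB, SAMPLE_PRIV_SECTION, encrypted=False)
ENCRYPTED_KEY = build_openssh_private_key(SAMPLE_PUB_BLOB, SAMPLE_PRIV_SECTION, encrypted=True)
LEGACY_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

(constructed sample; body omitted)
-----END RSA PRIVATE KEY-----
"""


def compare_containers() -> dict:
    """Show that only the header/private section differ, never the public key."""
    plain, enc = parse_openssh_private_key(PLAIN_KEY), parse_openssh_private_key(ENCRYPTED_KEY)
    return {
        "plain_cipher": plain["cipher"],
        "encrypted_cipher": enc["cipher"],
        "public_key_identical": plain["public_key_line"] == enc["public_key_line"],
    }


if __name__ == "__main__":
    print(compare_containers())
    for name, key in (("plain", PLAIN_KEY), ("openssh-encrypted", ENCRYPTED_KEY),
                      ("legacy-pem-encrypted", LEGACY_PEM_ENCRYPTED)):
        print(name, "needs passphrase:", private_key_is_encrypted(key))
```

The same thing can be seen with the real tool: `ssh-keygen -y -f id_ed25519` prints the public key (prompting for the passphrase only if the private file is encrypted), and `ssh-keygen -p -f id_ed25519` changes or strips the passphrase while leaving that public line untouched. Since the public key is all you ever receive, a passphrase policy can only be enforced on the machine holding the private key, not from the server side.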
7

You cannot tell if a private key has a passphrase or not.

James
-2

I think the passphrase is synchronous encryption of the private key so would not affect the public key. Technically it doesn't affect either key, as it is simply encrypting the data of the private key.

If you have a policy regarding requiring passphrases, you might also want to establish a policy regarding ssh-agent and agent forwarding since this stores the socket used to access the ssh-agent process in /tmp without much security outside of unix file permissions to protect it.

James
  • I do not believe the key is stored unencrypted in /tmp. I believe it is stored in memory on the original machine the user entered the phrase on. – James Jul 26 '09 at 14:03
  • Sorry, you're right, an unencrypted key is not stored in /tmp. The ssh-agent socket is stored in /tmp and anyone with unix perms to access said socket can use the keys ssh-agent has for you. Still a pretty major security concern. – James Jul 27 '09 at 19:11
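The agent point above comes down to Unix file permissions on the socket and the directory holding it, so the practical check is to audit exactly those. The following is an added example, not code from the thread: a hypothetical `audit_agent_socket` helper that flags a socket (or its parent directory) that is not owned by the current user or grants any group/other access, plus a demo that creates a throwaway constructed socket in a temporary directory, loosens its mode, and shows the finding appear and then disappear when the mode is fixed. It only inspects permissions; it does not talk to a real agent.

```python
"""Audit the permissions that protect an ssh-agent socket.

Added example; hypothetical helper names; the socket in the demo is
constructed in a temp directory and is not a real ssh-agent.
"""
import os
import socket
import stat
import tempfile
from typing import List, Optional, Tuple


def audit_agent_socket(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means the socket looks sane.

    Anyone who can open the socket can use every key the agent holds, so the
    socket and its directory must belong to the caller and must not grant
    any permission bits to group or other.
    """
    uid = os.getuid() if expected_uid is None else expected_uid
    problems: List[str] = []

    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{path}: not a socket")
    if st.st_uid != uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")

    parent = os.path.dirname(path) or "."
    pst = os.stat(parent)
    if pst.st_uid != uid:
        problems.append(f"{parent}: owned by uid {pst.st_uid}, expected {uid}")
    if stat.S_IMODE(pst.st_mode) & 0o077:
        problems.append(f"{parent}: mode {stat.S_IMODE(pst.st_mode):04o} grants group/other access")
    return problems


def audit_current_agent() -> List[str]:
    """Audit whatever SSH_AUTH_SOCK points at in this environment."""
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return ["SSH_AUTH_SOCK is not set; no agent socket to audit"]
    return audit_agent_socket(path)


def demo_with_constructed_socket() -> Tuple[List[str], List[str]]:
    """Build a constructed socket, audit it world-accessible, then fixed."""
    tmpdir = tempfile.mkdtemp()  # created 0700, like ssh-agent's /tmp/ssh-XXXXXX
    path = os.path.join(tmpdir, "agent.sock")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    try:
        os.chmod(path, 0o666)            # the bad state: any local user may connect
        loose = audit_agent_socket(path)
        os.chmod(path, 0o600)            # what ssh-agent normally creates under umask 077
        tight = audit_agent_socket(path)
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo_with_constructed_socket()
    print("world-accessible socket:", loose)
    print("0600 socket:", tight)
    print("current agent:", audit_current_agent())
```

Note that correct permissions only keep other unprivileged users out; root on the machine, or anyone who can act as you on a host you forward the agent to, can still use the loaded keys for as long as the forwarded connection lasts. That is the reason a passphrase policy usually comes with rules on where `ForwardAgent` is allowed and on using `ssh-add -c` so every use of a key is confirmed.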