force private key to use a pass-phrase - SSH


  1. force private key to use a pass-phrase

    Is there a way to force users to use private keys that are pass-phrase
    protected?

    Or is there a way to tell if the key is pass-phrase protected based on
    the public key?

    Kevin


  2. Re: force private key to use a pass-phrase

    Kevin VW wrote:
    > Is there a way to force users to use private keys that are pass-phrase
    > protected?


    If you don't control the client, no. The server never sees the private
    key or passphrase, so it cannot tell.

    If you have full control of the client, then sure. Go look at the key
    and do something if it appears to have a null passphrase.

    > Or is there a way to tell if the key is pass-phrase protected based on
    > the public key?


    No. The passphrase is applied to the private key and can be changed at
    any time after generation.

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >
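The client-side check suggested in the reply above ("go look at the key"), as an added example that is not part of the original thread: it reads a private key file's text and reports whether it is stored encrypted. It goes beyond the thread by also covering the `openssh-key-v1` container that OpenSSH introduced later; the names `key_is_encrypted` and `constructed_sample` are hypothetical, and the sample input is constructed rather than a real key.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"  # container magic, per OpenSSH PROTOCOL.key
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def key_is_encrypted(key_text: str) -> bool:
    """Return True if a private key file's text shows passphrase protection.

    Raises ValueError when the text is not a recognisable private key.
    """
    m = PEM_RE.search(key_text)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, always encrypted
        return True
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        start = len(MAGIC) + 4
        if not blob.startswith(MAGIC) or len(blob) < start:
            raise ValueError("bad openssh-key-v1 header")
        (n,) = struct.unpack(">I", blob[len(MAGIC):start])
        cipher = blob[start:start + n]
        if len(cipher) != n:
            raise ValueError("truncated cipher name")
        return cipher != b"none"  # "none" means stored in the clear
    if label.endswith("PRIVATE KEY"):  # legacy RSA/DSA/EC PEM or plain PKCS#8
        return "Proc-Type: 4,ENCRYPTED" in body
    raise ValueError("not a private key: " + label)


def constructed_sample(cipher: bytes) -> str:
    """Header-only openssh-key-v1 file for demonstration (constructed, not a usable key)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for cipher in (b"none", b"aes256-ctr"):
        print(cipher.decode(), "->", key_is_encrypted(constructed_sample(cipher)))
```

The check only works where the private key file is readable, which is the "full control of the client" case; it says nothing about how strong the passphrase is.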

  3. Re: force private key to use a pass-phrase

    Hello!
    You wrote on 27 Feb 2007 07:36:44 -0800:

    KV> Is there a way to force users to use private keys that are pass-phrase
    KV> protected?
    KV> Or is there a way to tell if the key is pass-phrase protected based on
    KV> the public key?

    No. Private keys are decrypted internally by the SSH client application before
    they are used for authentication. I.e., it is not possible for the server to
    detect if the particular key was originally encrypted, unencrypted or stored
    on a cryptographic token or in system private key storage.

    So the only way to force users to encrypt their keys is to introduce the
    corresponding security policy in the company. As an alternative solution,
    the server can use double authentication (both with private key and a
    password) to prevent users from authenticating with a private key without
    knowing the password too.

    With best regards,
    Innokentiy Ivanov
    EldoS Corporation



  4. Re: force private key to use a pass-phrase

    On Mar 1, 7:09 am, "Innokentiy Ivanov" wrote:
    > Hello!
    > You wrote on 27 Feb 2007 07:36:44 -0800:
    >
    > KV> Is there a way to force users to use private keys that are pass-phrase
    > KV> protected?
    > KV> Or is there a way to tell if the key is pass-phrase protected based on
    > KV> the public key?
    >
    > So the only way to force users to encrypt their keys is to introduce the
    > corresponding security policy in the company. As an alternative solution,
    > the server can use double authentication (both with private key and a
    > password) to prevent users from authenticating with a private key without
    > knowing the password too.


    Using OpenSSH, how would I configure sshd to use "double
    authentication"?


  5. Re: force private key to use a pass-phrase

    On 2007-03-01, Kevin VW wrote:
    > On Mar 1, 7:09 am, "Innokentiy Ivanov" wrote:
    >> [...] As an alternative solution,
    >> the server can use double authentication (both with private key and a
    >> password) to prevent users from authenticating with a private key without
    >> knowing the password too.
    >
    > Using OpenSSH, how would I configure sshd to use "double
    > authentication"?


    With current releases, it's not supported so you can't. There's an
    open enhancement request for it:
    http://bugzilla.mindrot.org/show_bug.cgi?id=983

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
