Prevent or at least detect empty passphrases (NFS homes) - SSH



Thread: Prevent or at least detect empty passphrases (NFS homes)

  1. Prevent or at least detect empty passphrases (NFS homes)

    Hello,

    we're using OpenSSH 3.x mostly on RHEL 3/4/5 PCs, but also
    have a few HP-UX and Solaris machines here. And we have about
    1000 users with their home dirs on an NFS-server (NetApp).

    I'm looking for a possibility to prevent our users from
    creating and using SSH keys with empty passphrases.

    Or at least make it not so easy for them (maybe
    some shell alias or script for ssh-add or ssh-keygen?)

    Also I'm looking for a shell/perl script which I could run
    regularly and find which users have an SSH key with
    no passphrase. Yes, as a "root" I can "su" to any user
    and then try to login to another machine. If the login
    succeeds, then the user's SSH key has no passphrase.
    But how do I script it?

    Thank you!
    Alex

    PS: Please do not reply with "PermitEmptyPasswords yes",
    because I'm asking about passphrases, not passwords.

    PPS: Yes, I do realize that nothing can be done on the sshd
    side, because it is too late and the server only sees the key.


  2. Re: Prevent or at least detect empty passphrases (NFS homes)

    A. Farber wrote:
    > I'm looking for a possibility to prevent our users from
    > creating and using SSH keys with empty passphrases.


    You must be able to see the key to detect this. So if it's happening on
    machines you don't control, this is difficult.

    > Or at least make it not so easy for them (maybe
    > some shell alias or script for ssh-add or ssh-keygen?)


    > Also I'm looking for a shell/perl script which I could run
    > regularly and find which users have an SSH key with
    > no passphrase. Yes, as a "root" I can "su" to any user
    > and then try to login to another machine. If the login
    > succeeds, then the user's SSH key has no passphrase.
    > But how do I script it?


    You don't need to log in. You can use ssh-keygen to read the private
    key and print the public key (-y). If it doesn't prompt for the old
    passphrase, then the current one is null.

    Unfortunately, ssh-keygen doesn't take a BatchMode option, so I don't
    know how to prevent it from being interactive when the key is present
    (other than with something external like expect).

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  3. Re: Prevent or at least detect empty passphrases (NFS homes)

    Here is my solution for the archives:


    #!/bin/sh

    # The script for finding unprotected SSH keys by A. Farber

    HOMES=/mnt/netapp01/user_dirs/home

    # these 2 vars send the ssh-add passphrase prompt to /bin/false
    # (ssh-add uses SSH_ASKPASS when DISPLAY is set and stdin is not a tty),
    # so an encrypted key fails to load instead of prompting
    export DISPLAY=dummy
    export SSH_ASKPASS=/bin/false

    # start a throw-away agent; keys added to it expire after 10 seconds
    eval `ssh-agent -s -t 10` || exit

    # find regular files called .ssh/id_dsa, .ssh/id_rsa or .ssh/identity
    # (the parentheses keep -o from matching an 'identity' outside .ssh;
    # -type f skips symlinks such as .ssh/identity -> /dev/random)
    find $HOMES -maxdepth 3 -path '*/.ssh/*' -type f \
        \( -name 'id_[dr]sa' -o -name identity \) | \
    while read ssh_key_file; do
        if ssh-add -t 10 "$ssh_key_file" </dev/null >/dev/null 2>&1; then
            echo "$ssh_key_file - EMPTY PASSPHRASE"
        else
            echo "$ssh_key_file - OK"
        fi
    done

    eval `ssh-agent -k`


  4. Re: Prevent or at least detect empty passphrases (NFS homes)

    On 2007-08-08, A. Farber wrote:

    Doing find under home directories looks wasteful. You can get a list
    of home directories from getpwent() and look for each of the
    .ssh/id_dsa, .ssh/id_rsa or .ssh/identity in those only.

    If you're using home directories on NFS you've got all the insecurity
    that comes with that.

    I'd read each file as the user in question, not as root.

    And what do you do with the user who links .ssh/identity to /dev/random?


    > Here is my solution for the archives:
    >
    > #!/bin/sh
    >
    > # The script for finding unprotected SSH keys by A. Farber
    >
    > HOMES=/mnt/netapp01/user_dirs/home
    >
    > # these 2 vars and ssh-add passphrase prompt
    > export DISPLAY=dummy
    > export SSH_ASKPASS=/bin/false
    >
    > eval `ssh-agent -s -t 10` || exit
    >
    > # find files called .ssh/id_dsa, .ssh/id_rsa or .ssh/identity
    > find $HOMES -maxdepth 3 -path '*/.ssh/id*' \
    > -name 'id_[dr]sa' -o -name identity | \
    > while read ssh_key_file; do
    > if ssh-add -t 10 $ssh_key_file </dev/null >/dev/null 2>&1; then
    > echo "$ssh_key_file - EMPTY PASSPHRASE"
    > else
    > echo "$ssh_key_file - OK"
    > fi
    > done
    >
    > eval `ssh-agent -k`
    >


    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/

  5. Re: Prevent or at least detect empty passphrases (NFS homes)

    In article <1186582492.074266.270070@q75g2000hsh.googlegroups.com>,
    Alexander.Farber@gmail.com says...
    > Here is my solution for the archives:
    >
    >
    > #!/bin/sh
    >
    > # The script for finding unprotected SSH keys by A. Farber
    >
    > HOMES=/mnt/netapp01/user_dirs/home
    >
    > # these 2 vars and ssh-add passphrase prompt
    > export DISPLAY=dummy
    > export SSH_ASKPASS=/bin/false
    >
    > eval `ssh-agent -s -t 10` || exit
    >
    > # find files called .ssh/id_dsa, .ssh/id_rsa or .ssh/identity
    > find $HOMES -maxdepth 3 -path '*/.ssh/id*' \
    > -name 'id_[dr]sa' -o -name identity | \
    > while read ssh_key_file; do
    > if ssh-add -t 10 $ssh_key_file </dev/null >/dev/null 2>&1; then
    > echo "$ssh_key_file - EMPTY PASSPHRASE"
    > else
    > echo "$ssh_key_file - OK"
    > fi
    > done
    >
    > eval `ssh-agent -k`


    Hi, good solution.
    I've another one, which may help:

    Looking at a private key, with no passphrase:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAtK74+E3ujD0OqI509n/2gNlStSmilGTqFhIzUDytXs/P38DC

    Looking at a private key, with a passphrase:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,14F4FBFD11BC6F56

    km15JyS7W4x1dwj2pxObTqgTunl7mJaogUuU2lJ7KJdVQtGSYe+1Yrgmr3wOgcSm


    Why don't you search with a "find" for all the keys that do NOT contain the
    "ENCRYPTED" line?

    something like (add more options if you like, but I've just woken up):
    find all       => find /path/you/want/ -type f -name "id*" -print
    find encrypted => find /path/you/want/ -type f -name "id*" -exec grep -q "ENCRYPTED" {} \; -print

    then you have 2 lists: all and encrypted private keys.
    If you want the NOT encrypted ones, a (sort + diff) should do it.


    I think it would be less CPU-consuming, and a little more disk-intensive,
    than the previous solution.

    Just my 2 cents.
    Rgds
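    Pulling the thread's three ideas together (Darren's ssh-keygen -y test in post 2, the passwd-derived home list and the /dev/random symlink trap in post 4, and the Proc-Type header check just above), here is an added example, not code from any of the posters, that classifies each key file without ever prompting. It goes beyond the 2007-era PEM-only keys in the thread: the PKCS#8 "ENCRYPTED" header, the id_ecdsa/id_ed25519 names, getent(1) and the OPENSSH-format fallback are my assumptions, and that fallback matters because new-format keys carry no Proc-Type line, so the header check alone would report an encrypted one as unprotected.

```sh
# Added example (not the poster's script): classify_key FILE prints unprotected, protected, unknown or skip.
classify_key() {
    f=$1
    # Post 4's trap: read only regular files and never follow a symlink
    # (a .ssh/identity pointing at /dev/random would hang a reader).
    if [ -L "$f" ] || [ ! -f "$f" ]; then echo skip; return 0; fi
    first=$(head -n 1 "$f")
    case $first in
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')
        echo protected ;;            # PKCS#8 encrypted container
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        keygen_probe "$f" ;;         # cipher name sits inside the base64 body
    '-----BEGIN '*' PRIVATE KEY-----')
        # Post 5's check: an encrypted PEM key carries a "Proc-Type:
        # 4,ENCRYPTED" header line right after BEGIN; a bare one does not.
        if head -n 3 "$f" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
            echo protected
        else
            echo unprotected
        fi ;;
    *)  echo unknown ;;              # not a PEM-style private key at all
    esac
}

keygen_probe() {
    # Darren's ssh-keygen -y test (post 2) made non-interactive: -P '' hands
    # ssh-keygen the empty passphrase, so an encrypted key fails instead of
    # prompting; the askpass variables and </dev/null are belt and braces.
    command -v ssh-keygen >/dev/null 2>&1 || { echo unknown; return 0; }
    if DISPLAY=dummy SSH_ASKPASS=/bin/false \
       ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1; then
        echo unprotected
    else
        echo protected               # or unreadable: it did not load with ''
    fi
}

scan_homes() {
    # Post 4's suggestion: take home dirs from the passwd database instead
    # of find-ing the whole NFS tree. Assumes getent(1) exists on this host.
    getent passwd | while IFS=: read -r user _ _ _ _ home _; do
        [ -d "$home/.ssh" ] || continue
        for k in identity id_rsa id_dsa id_ecdsa id_ed25519; do
            f=$home/.ssh/$k
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s %s %s\n' "$user" "$f" "$(classify_key "$f")"
        done
    done
}
```

    Run scan_homes from cron and grep its output for "unprotected"; as post 4 advises, reading each file as the owning user (via su) rather than root also avoids the NFS root-squash surprises.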
