private key with no passphrase detection - SSH


Thread: private key with no passphrase detection

  1. private key with no passphrase detection

    I want to enforce private key authentication as a matter of policy. I
    would like to detect private keys which do not have a passphrase. How
    would I go about detecting this so I can get the user to recreate
    their key?


  2. Re: private key with no passphrase detection

    Greg Copeland wrote:
    > I want to enforce private key authentication as a matter of policy.


    You can do that with OpenSSH. What software are you using?

    > I would like to detect private keys which do not have a passphrase.
    > How would I go about detecting this so I can get the user to recreate
    > their key?


    Do you have access to the client keys? The SSH server never sees the
    key file, (nor the key itself), so it cannot detect or enforce any
    restrictions on the user's key.

    You could examine the keys directly with a key tool (like ssh-keygen) to
    see if a passphrase is present. Again, that would depend on the exact
    software in use.

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  3. Re: private key with no passphrase detection

    On 14 Sep, 21:37, ddun...@taos.com (Darren Dunham) wrote:
    > Greg Copeland wrote:
    > > I want to enforce private key authentication as a matter of policy.

    >
    > You can do that with OpenSSH. What software are you using?
    >
    > > I would like to detect private keys which do not have a passphrase.
    > > How would I go about detecting this so I can get the user to recreate
    > > their key?

    >
    > Do you have access to the client keys? The SSH server never sees the
    > key file, (nor the key itself), so it cannot detect or enforce any
    > restrictions on the user's key.
    >
    > You could examine the keys directly with a key tool (like ssh-keygen) to
    > see if a passphrase is present. Again, that would depend on the exact
    > software in use.


    Translated: there is no way for the SSH *server* to detect whether a
    private key has a passphrase. I personally wish that the key
    generation tools would refuse to provide a passphrase-free key without
    a special command line option added, to discourage unwary users from
    finding it so easy to simply not type in a passphrase and get a
    passphrase-less key.


  4. Re: private key with no passphrase detection

    On 2007-09-15, Nico wrote:

    > private key has a passphrase. I personally wish that the key
    > generation tools would refuse to provide a passphrase-free key without
    > a special command line option added, to discourage unwary users from


    You need to get out and meet more users. If such a command-line option
    existed it would be the _one_ that they were all familiar with.

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/

  5. Re: private key with no passphrase detection

    all mail refused writes:

    > On 2007-09-15, Nico wrote:
    >
    >> private key has a passphrase. I personally wish that the key
    >> generation tools would refuse to provide a passphrase-free key without
    >> a special command line option added, to discourage unwary users from

    >
    > You need to get out and meet more users. If such a command-line option
    > existed it would be the _one_ that they were all familiar with.
    >


    I think he means the same sort of gymnastics required to use cypher
    'none', i.e. you have to build your own version, and know how to figure
    out the config option to build the capability into ssh-keygen.


    --
    #include /* I don't speak for IBM ... */
    /* Heck, I don't even speak for myself */
    /* Don't believe me ? Ask my wife :-) */
    Richard D. Latham lathamr@us.ibm.com

  6. Re: private key with no passphrase detection

    On 15 Sep, 22:01, lath...@us.ibm.com (Richard D. Latham) wrote:
    > all mail refused writes:
    >
    > > On 2007-09-15, Nico wrote:

    >
    > >> private key has a passphrase. I personally wish that the key
    > >> generation tools would refuse to provide a passphrase-free key without
    > >> a special command line option added, to discourage unwary users from

    >
    > > You need to get out and meet more users. If such a command-line option
    > > existed it would be the _one_ that they were all familiar with.

    >
    > I think he means the same sort of gymnastics required to use cypher
    > 'none', i.e. you have to build your own version, and know how to figure
    > out the config option to build the capability into ssh-keygen.


    No, I don't mean *that* much pain. There are legitimate uses for
    passphrase free keys. But that extra step of adding a command line
    argument would mean extra thought is required. Most especially, it
    could prevent web tools and account management tools from permitting
    passphrase free keys without adding a lot of extra pain to the design,
    and discourage such behavior even further.

    Default settings for tools require real thought.


  7. Re: private key with no passphrase detection

    On Sep 14, 3:37 pm, ddun...@taos.com (Darren Dunham) wrote:
    > Greg Copeland wrote:
    > > I want to enforce private key authentication as a matter of policy.

    >
    > You can do that with OpenSSH. What software are you using?
    >
    > > I would like to detect private keys which do not have a passphrase.
    > > How would I go about detecting this so I can get the user to recreate
    > > their key?

    >
    > Do you have access to the client keys? The SSH server never sees the
    > key file, (nor the key itself), so it cannot detect or enforce any
    > restrictions on the user's key.
    >
    > You could examine the keys directly with a key tool (like ssh-keygen) to
    > see if a passphrase is present. Again, that would depend on the exact
    > software in use.


    Yes, I'm using OpenSSH and have access to most of the private keys.
    I'll check out ssh-keygen to see how I can use that to detect
    passphrase use on their private keys.

    Thanks.
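    The file-level check Darren suggests in reply 2 and Greg plans to try in reply 7 can be scripted without invoking ssh-keygen at all, because the key file itself records whether it is encrypted. The following is an added example, not code from anyone in this thread: it reads the ciphername and kdfname fields of an `openssh-key-v1` container and the `Proc-Type: 4,ENCRYPTED` header of the legacy PEM formats, and reports which keys in a set were saved without a passphrase. The sample key files are constructed header-only stubs, not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(key_text: str) -> bool:
    """True if the private key file carries a passphrase, False if stored in the clear."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        # A key saved without a passphrase records ciphername "none" and kdfname "none".
        return cipher != b"none" or kdf != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption shows up as a Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def unprotected_keys(keys: dict) -> list:
    """Names of the key files (name -> file text) that have no passphrase, sorted."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))

def _openssh_container(cipher: bytes, kdf: bytes) -> str:
    """Constructed header-only openssh-key-v1 file: only the fields the check reads."""
    body = OPENSSH_MAGIC
    for field in (cipher, kdf):
        body += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples (not real keys), one per format the check understands.
SAMPLES = {
    "openssh_plain": _openssh_container(b"none", b"none"),
    "openssh_encrypted": _openssh_container(b"aes256-ctr", b"bcrypt"),
    "legacy_encrypted": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n-----END RSA PRIVATE KEY-----\n",
    "legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\n"
                    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n-----END RSA PRIVATE KEY-----\n",
}
```

    The same answer from the tool itself is `ssh-keygen -y -P '' -f <keyfile>`, which only succeeds when the key has no passphrase; the parser above is handy when the keys live on a host where you would rather not shell out per file.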


  8. Re: private key with no passphrase detection

    On Sep 15, 6:43 am, all mail refused wrote:

    > You need to get out and meet more users.


    I know all the users by name. Knowing someone doesn't mean they
    comply because they often believe they are smarter than everyone
    else. In my environment, these users are also the ones creating the
    highest level of risk to security, by far. Locking down these keys is
    the only way to mitigate some of that risk.

    So I will suggest in turn you might want to get out and learn about
    many different types of environments where everyone is sure they know
    more than you, whereby, they believe they are exempt from policy.





  9. Re: private key with no passphrase detection

    Greg Copeland writes:

    >On Sep 15, 6:43 am, all mail refused wrote:


    >> You need to get out and meet more users.


    >I know all the users by name. Knowing someone doesn't mean they
    >comply because they often believe they are smarter than everyone
    >else. In my environment, these users are also the ones creating the
    >highest level of risk to security, by far. Locking down these keys is
    >the only way to mitigate some of that risk.


    Exactly which risk is it that you will lock down that way?
    I think you need to do a realistic risk assessment, not a seat-of-the-pants
    "this is easy for me to think about, therefore it is the risk I will
    concentrate on."




    >So I will suggest in turn you might want to get out and learn about
    >many different types of environments where everyone is sure they know
    >more than you, whereby, they believe they are exempt from policy.


    If you do not explain the policy and the reason for the policy clearly and
    how this particular restriction on their actions actually helps anything,
    then it is you that is the problem, not them.






  10. Re: private key with no passphrase detection

    On 2007-09-19, Greg Copeland wrote:
    > On Sep 15, 6:43 am, all mail refused wrote:
    >
    >> You need to get out and meet more users.

    >
    > I know all the users by name. Knowing someone doesn't mean they
    > comply because they often believe they are smarter than everyone
    > else. In my environment, these users are also the ones creating the
    > highest level of risk to security, by far. Locking down these keys is
    > the only way to mitigate some of that risk.


    I think you have misunderstood my remark.

    I am saying _exactly_ that users do things against policy - which is why
    trifling steps like a command-line argument to allow no passphrase
    (present in F-Secure as I remember) will do no good. They will learn
    to use that argument if it's the one thing they learn all year. These
    are the same kind of people who (in another company) I found sharing the
    hint that if you change everything to mode 0777 it will work.

    Often the right thing to do is not give them a choice. To pick a desktop
    example: why waste the whole 30s per person per year of security attention
    on training them to choose AES over the other cipher in WinZip when you
    could get them a version that encrypts only in AES?


    > So I will suggest in turn you might want to get out and learn about
    > many different types of environments where everyone is sure they know
    > more than you, whereby, they believe they are exempt from policy.


    I know that kind of environment very well and have heard all the excuses.

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
