You cannot. The reason for this is simple : you can copy as many times
as you wish it your private key in any place. Even if you were able to
check-up that a private key is passphrase-protected, it wouldn't mean
every single copy of that key is protected so. And the interest of the
private key is that only the owners possesses it and hides it; thus you
shouldn't think about a mensual submission of the keyfile to
automatically check it is protected, because it would open a serious
I see the problem you face because some time ago, I used
passphrase-protected keys on my usb stick and ones stored on windows,
but I assumed my linux system was secure enough not to need any more
password once logged in. Opinon I revised with time
If you generates the keypair for these users, you can protect them with
a complex password, so that lazy users may keep it and learn it (or
write it down...). Fortunately (from my point of view), you do not have
any single point of control on your users' private keyfile. Keeping
their credentials safe is of their responsibilities. Your security
officer probably knows that 80-90% of the security is about educating
people. To sensibilise them is you most efficient measure of control.
Any way I might think about checking the protection of a private key
seems to be a violation of privacy to me, regardless of the technology.
The one step you may act is when generating the key pair. What if you
generate it and transfer it to the user in a secure way, after they
filled a form with the password setting for the key ? This way, as they
chosed the password, they'd remember it and don't need to change it or
remove it, unless they really want to. Against that last case, there's
nothing you can do.
Alan McKinnon a écrit :
I think I'm barking up an impossible tree, but it's worth asking.
I have an sshd-enabled jump box catering for 100+ users. They all use ssh keys
and we ask them all nicely to passphrase-protect the private key and pretend
that we enforce this. Keys are in use because the admin load of coping with
passwords isn't worth the effort. Fortunately, I have a security officer who
is properly clued up and very willing to listen to reason.
Is there any known way, no matter how convulted and bizarre, of checking and
enforcing from the server end that a private key is passphrase protected? Our
own research indicates no. One possible way is to audit the user's client
machine, but we don't have that level of access (and don't want it either)