Checking ssh keys have passphrases

I have a bunch of users, who with SSH keys have access to accounts on other servers. Currently I have a script which collects up the ssh public keys and distributes them to the correct account on the correct servers.

What I want to do, is get that script to check that any given user's ssh key has a passphrase before accepting the public key and distributing it.

I've tried a number of things, like using an ssh-agent and ssh-add and then the problem comes when ssh-add gets asked for passphrase.

Is there a way to get something like openssl to check for a passphrase, fail slightly with a return code of 1 if the key has a passphrase?

Thanks!


If a keyfile uses a passphrase it has a "Proc-Type:" attribute set with the word "ENCRYPTED" appended.

So, you can determine if a keyfile uses a passphrase by running it through find and grep to see if it has the string 'ENCRYPTED'.

# list keyfiles that USE a passphrase
HOMES="/home /mnt/nfs_home"
# $HOMES is left unquoted on purpose so it splits into the two directories;
# .pub files are skipped because a public key is never encrypted
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name "id_[dr]sa*" ! -name "*.pub" -exec grep -q "ENCRYPTED" {} \; -print

prints a list of files that have passphrases. Then you can match those against a list of all keyfiles to single out those that don't use a passphrase. A list of all keyfiles can be obtained e.g. by leaving the -exec parameter out, as follows:

# list all keyfiles
HOMES="/home /mnt/nfs_home"
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name "id_[dr]sa*" ! -name "*.pub" -print
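The grep above only works for keys stored in the legacy PEM format, where the `Proc-Type: 4,ENCRYPTED` line is plain text. Keys in the newer OpenSSH format (`-----BEGIN OPENSSH PRIVATE KEY-----`, the default since OpenSSH 7.8) keep the cipher name inside the base64 blob, so an encrypted key of that kind contains no readable "ENCRYPTED" at all and would be wrongly reported as unprotected. The following script is an added example, not code from the answer or the asker, that classifies a key file as passphrase-protected or not in both formats and then scans home directories the way the answer's find does. The file name check_keys.sh, the sample user names and the stub key files it builds for itself are assumptions; the stubs contain only the header bytes the check inspects and are not real keys.

```shell
#!/bin/sh
# Added example, not code from the answer above. Classifies private key files as
# passphrase-protected or not. Handles the legacy PEM format the answer greps for
# ("Proc-Type: 4,ENCRYPTED") and the newer "BEGIN OPENSSH PRIVATE KEY" format,
# where the cipher name is inside the base64 blob and a grep for ENCRYPTED never
# matches. The file name check_keys.sh and the sample users are assumptions.

# key_passphrase_status FILE -> prints "encrypted", "plain", or "unknown".
key_passphrase_status() {
    f="$1"
    if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # Decoded blob: "openssh-key-v1\0", then an SSH string (4-byte big-endian
        # length + bytes) naming the cipher. Cipher "none" means no passphrase.
        magic=$(grep -v -- '-----' "$f" | base64 -d 2>/dev/null | head -c 14)
        cipher=$(grep -v -- '-----' "$f" | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
        if [ "$magic" != "openssh-key-v1" ]; then
            echo unknown
        elif [ "$cipher" = "none" ]; then
            echo plain
        else
            echo encrypted
        fi
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        # Legacy PEM (RSA/DSA/EC): an encrypted key carries this header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo encrypted
        else
            echo plain
        fi
    else
        echo unknown
    fi
}

# report_unprotected_keys DIR... -> prints every private key under DIR/*/.ssh
# that has no passphrase. Same find pattern as the answer, but without the
# id_[dr]sa restriction (so ed25519/ecdsa keys count) and skipping .pub files.
report_unprotected_keys() {
    find "$@" -maxdepth 3 -type f -path '*/.ssh/id*' ! -name '*.pub' -print |
    while IFS= read -r p; do
        if [ "$(key_passphrase_status "$p")" = plain ]; then
            echo "$p"
        fi
    done
}

# u32str WORD -> WORD as an SSH "string" (4-byte big-endian length + bytes).
# Only used to build the constructed sample blobs below (lengths < 256).
u32str() {
    printf '\000\000\000'
    printf "\\$(printf '%03o' "${#1}")"
    printf '%s' "$1"
}

# make_sample_keys DIR -> constructed stand-ins for four users' key files.
# Header-only stubs, not real keys, but they carry exactly the bytes checked above.
make_sample_keys() {
    d="$1"
    mkdir -p "$d/alice/.ssh" "$d/bob/.ssh" "$d/carol/.ssh" "$d/dave/.ssh"
    # alice: legacy PEM key with a passphrase (constructed DEK-Info value)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'c3R1Yg==' '-----END RSA PRIVATE KEY-----' > "$d/alice/.ssh/id_rsa"
    # bob: legacy PEM key without a passphrase
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'c3R1Yg==' \
        '-----END RSA PRIVATE KEY-----' > "$d/bob/.ssh/id_rsa"
    # carol: new-format key encrypted with aes256-ctr / bcrypt
    { printf 'openssh-key-v1\000'; u32str aes256-ctr; u32str bcrypt; } | base64 |
        { echo '-----BEGIN OPENSSH PRIVATE KEY-----'; cat; echo '-----END OPENSSH PRIVATE KEY-----'; } \
        > "$d/carol/.ssh/id_ed25519"
    # dave: new-format key with cipher "none" (no passphrase), plus its public half
    { printf 'openssh-key-v1\000'; u32str none; u32str none; } | base64 |
        { echo '-----BEGIN OPENSSH PRIVATE KEY-----'; cat; echo '-----END OPENSSH PRIVATE KEY-----'; } \
        > "$d/dave/.ssh/id_ed25519"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 dave (constructed stub)' > "$d/dave/.ssh/id_ed25519.pub"
}

# Stand-alone use:  sh check_keys.sh /home /mnt/nfs_home
# Lists unprotected keys and exits 1 if any were found.
if [ $# -gt 0 ]; then
    out=$(report_unprotected_keys "$@")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        exit 1
    fi
fi
```

The exit status of the stand-alone invocation gives the distribution script the "return code of 1" the question asks for, with the sense inverted: 1 means at least one key without a passphrase was found and the run should stop. If ssh-keygen is installed on the collecting host, `ssh-keygen -y -P '' -f FILE` (print the public key using an empty passphrase) is a one-line alternative that fails for a passphrase-protected key in either format, at the cost of ssh-keygen parsing the whole file rather than just its header.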