Checking ssh keys have passphrases
I have a bunch of users, who with SSH keys have access to accounts on other servers. Currently I have a script which collects up the ssh public keys and distributes them to the correct account on the correct servers.
What I want to do, is get that script to check that any given user's ssh key has a passphrase before accepting the public key and distributing it.
I've tried a number of things, like using an ssh-agent and ssh-add, and then the problem comes when ssh-add gets asked for a passphrase.
Is there a way to get something like openssl to check for a passphrase, fail slightly with a return code of 1 if the key has a passphrase?
Thanks!
If a keyfile uses a passphrase, it has a "Proc-Type:" attribute set with the word "ENCRYPTED" appended.
So, you can determine if a keyfile uses a passphrase by running it through find and grep to see if it has the string 'ENCRYPTED'.
# list keyfiles that USE a passphrase
# HOMES is quoted when set and left unquoted in find so it splits into the two directories
HOMES="/home /mnt/nfs_home"
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name "id_[dr]sa*" ! -name "*.pub" -exec grep -q "ENCRYPTED" {} \; -print
prints a list of files that have passphrases. Then you can match those against a list of all keyfiles to single out those that don't use a passphrase. A list of all keyfiles can be obtained e.g. by leaving the -exec parameter out, as follows:
# list all keyfiles (private keys only; the .pub halves are excluded so they are not mistaken for unprotected keys)
HOMES="/home /mnt/nfs_home"
find $HOMES -maxdepth 3 -type f -path '*/.ssh/id*' -name "id_[dr]sa*" ! -name "*.pub" -print