mandatory passphrase on id_dsa missing in sshd

mandatory passphrase on id_dsa missing in sshd

Bas Meijer
Hi,


I would like to enforce the use of passphrases on private keys on the
server, but this doesn't seem to be possible.

When I upload pub-key to ~/.ssh/authorized_keys I can change and  
delete the passphrase later with ssh-keygen -p.

I would like an option in sshd_config like MandatoryPassPhrase=yes or  
so.

This option would have the server enforce that the key has a
passphrase.
(It would need the client I fear).

A Java implementation would be like:

// Imports added for completeness; the SshPrivateKeyFile class is assumed to
// be the one from the J2SSH library (com.sshtools.j2ssh).
import java.io.File;
import com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile;

// Get the private key file
String filename = System.getProperty("user.home") + "/.ssh/id_dsa";
debug.message("ssh key-file: " + filename);
// Open up the private key file
SshPrivateKeyFile file = SshPrivateKeyFile.parse(new File(filename));
// If the private key is passphrase protected then ask for the passphrase
String passphrase = null;
if (file.isPassphraseProtected()) {
    debug.message("ssh key: has passphrase ");
    passphrase = key;   // 'key' is the passphrase obtained from the user (not shown here)
} else {
    debug.message("ssh key: NO passphrase!");
}


Re: mandatory passphrase on id_dsa missing in sshd

Damien Miller
On Wed, 6 Sep 2006, Bas Meijer wrote:

> Hi,
>
>
> I would like to enforce the use of passphrases on private keys on the
> server, this doesn't seem to be possible.
>
> When I upload pub-key to ~/.ssh/authorized_keys I can change and
> delete the passphrase later with ssh-keygen -p.
>
> I would like an option in sshd_config like MandatoryPassPhrase=yes or
> so.

The server can't tell - it would have to trust the client, and the
client can lie.

-d
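Since, as the reply says, only the client can see whether a key file is encrypted, the check the Java snippet attempts has to run on the client side (for example in endpoint tooling that audits ~/.ssh). The following is an added example, not code from this thread or from OpenSSH: it parses the two on-disk formats ssh-keygen writes and reports whether the key is passphrase-protected. The legacy PEM format (the id_dsa files of 2006) marks encryption with a "Proc-Type: 4,ENCRYPTED" header; the newer "openssh-key-v1" format, which did not exist at the time of the thread, records the cipher name in its binary header, with "none" meaning unencrypted. The sample key texts and the `_constructed_openssh_key` helper are constructed for the example (they contain no real key material).

```python
"""Report whether an OpenSSH private key file is passphrase-protected.

Formats handled:
  * legacy PEM ("-----BEGIN DSA/RSA PRIVATE KEY-----"): encrypted keys carry
    a "Proc-Type: 4,ENCRYPTED" header line before the base64 body;
  * "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8): always encrypted;
  * "-----BEGIN OPENSSH PRIVATE KEY-----" (openssh-key-v1): the decoded body
    starts with the magic "openssh-key-v1\\0" followed by the cipher name as a
    length-prefixed string; "none" means no passphrase.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read an SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def is_passphrase_protected(key_text: str) -> bool:
    """Return True if the PEM-style key text is encrypted with a passphrase."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True

    # Legacy PEM: optional RFC 1421 headers follow the BEGIN line, ended by a
    # blank line; "Proc-Type: 4,ENCRYPTED" marks a passphrase-protected key.
    for line in lines[1:]:
        if line == "":
            break
        if line.lower().startswith("proc-type:") and "ENCRYPTED" in line.upper():
            return True
    return False


def check_file(path: str) -> bool:
    """Convenience wrapper: read a key file from disk and classify it."""
    with open(path, "r", encoding="ascii") as fh:
        return is_passphrase_protected(fh.read())


def _constructed_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed sample: the header part of an openssh-key-v1 file with the
    given cipher/KDF names and no key blobs (enough for the check above)."""
    body = OPENSSH_MAGIC
    for s in (cipher.encode(), kdf.encode(), b""):  # cipher, kdf, kdf options
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy-format samples (the base64 body is filler, not a key).
LEGACY_ENCRYPTED = """-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Zm9vYmFyYmF6
-----END DSA PRIVATE KEY-----
"""

LEGACY_PLAIN = """-----BEGIN DSA PRIVATE KEY-----
Zm9vYmFyYmF6
-----END DSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, text in (("legacy encrypted", LEGACY_ENCRYPTED),
                        ("legacy plain", LEGACY_PLAIN),
                        ("openssh-key-v1 aes256-ctr", _constructed_openssh_key("aes256-ctr", "bcrypt")),
                        ("openssh-key-v1 none", _constructed_openssh_key("none", "none"))):
        print(f"{label}: passphrase={is_passphrase_protected(text)}")
```

Run against real files with `check_file(os.path.expanduser("~/.ssh/id_dsa"))`; the result is only as trustworthy as the host it runs on, which is exactly the point of the reply above: a server cannot obtain this information from the authentication exchange.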