Do you test your users' ssh-keys for empty passphrases?

Using ssh-keys for access to servers can be very nice: you can use ssh-agent to temporarily hold the unencrypted key, and thus work all day without continuously entering the passphrase for the key, and you can easily decide (using the authorized_keys file on the server) which keys get to log in as which users, and what commands they may execute.

But it's my experience that many (developers, for example) find a need to have an empty passphrase for their key - a bad thing to do if you want a bit of security :)

So I wrote a program for a customer of mine, to test all users' ssh-keys on a server (e.g. a central login/gateway server) for empty passphrases. I misuse ssh-add - and the hardest thing was to make it "shut up" when the passphrase is not empty :)

I currently just look in folders in /home - I could have used getent passwd, for example - but feel free to suggest improvements.

Here's the script: - work sponsored by Berlingske Media

I hope it can be of use
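An added example of the same audit (not the script from this post): it takes the `getent passwd` route mentioned above and, instead of driving ssh-add, reads each key file's header to see whether the key is stored encrypted. The function names `key_protection` and `audit_home` are made up for this sketch, and it assumes it runs as an account that can read the users' `.ssh` directories.

```python
import base64
import pwd
import re
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # start of the decoded body of an OpenSSH-format key

def key_protection(text):
    """Return 'encrypted', 'unencrypted', or None when text is not a private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = re.fullmatch(r"-----BEGIN (.*PRIVATE KEY)-----", lines[0]) if lines else None
    if not m:
        return None
    if m.group(1) == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        if not blob.startswith(MAGIC) or len(blob) < 19:
            return None
        (n,) = struct.unpack(">I", blob[15:19])  # length of the cipher name
        return "unencrypted" if blob[19:19 + n] == b"none" else "encrypted"
    if m.group(1) == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "encrypted"
    # Legacy PEM (RSA/DSA/EC): an encrypted key carries a Proc-Type header.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4]):
        return "encrypted"
    return "unencrypted"

def audit_home(home):
    """Return [(path, status)] for every private key directly in <home>/.ssh."""
    found = []
    try:
        for path in sorted((Path(home) / ".ssh").iterdir()):
            if path.is_file() and path.suffix != ".pub":
                status = key_protection(path.read_text(errors="replace"))
                if status:
                    found.append((path, status))
    except OSError:  # no .ssh directory, or not readable by this account
        pass
    return found

if __name__ == "__main__":
    # pwd.getpwall() is the NSS enumeration that `getent passwd` prints.
    for home in sorted({entry.pw_dir for entry in pwd.getpwall()}):
        for path, status in audit_home(home):
            if status == "unencrypted":
                print(f"no passphrase: {path}")
```

Only keys kept under `~/.ssh` on the scanned host are seen, so keys stored on users' own workstations are outside its reach.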

5 comments on Do you test your users ssh-keys for empty passphrases?

  1. Anonymous
    Fri, 01/17/2014 - 00:31
    Can you update the broken links for example files? Thanks
  2. klavs
    Fri, 02/28/2014 - 20:54

    sorry for missing your comment..

  • Anonymous
    Thu, 09/23/2010 - 11:27
    I thought about doing this check a while ago, but never got to it. Your script did the trick, and found a few offenders :) The problem is just that most users keep their private keys where they can't be checked.
  • Anonymous
    Thu, 09/23/2010 - 10:29
    Remind me again, why do you have access to the private part of other people's ssh-keys? I'm biased but I think that your average system administrator is just as likely to have a passphrase-free ssh-key lying around. And even worse it gives access for the root account on some production server - "But I need to run this script remotely from cron on my workstation"
  • klavs
    Thu, 10/07/2010 - 16:45

    In this case it's for use on a company "jump host" - where people have an account with a SSH key created by the company - to control their access to the hosts they can jump to (I'd prefer they switch to ldap+kerberos - but.. :) So the root account on the jump host - has access to the ssh key. If you don't have this scenario - the script is probably not of much use to you :)