Utility to scan for unpassworded SSH privkeys?
Damien Miller djm at mindrot.org
Fri May 24 13:27:27 EST 2013

On Fri, 24 May 2013, Darren Tucker wrote:
> On Thu, May 23, 2013 at 05:19:52PM -0700, Dan Mahoney, System Admin wrote:
> > Thus, what I'd like to do is (in the spirit of crack's "nastygram"
> > script), trawl through user .ssh directories and warn users with
> > insecure keys (or warn root).
> 
> The key files are PEM format PKCS#8 and you can use openssl to test
> whether or not the private keys need a passphrase:
> 
> $ openssl rsa -in id_rsa_nopass -passin pass: -noout 2>/dev/null ; echo $?
> 0
> 
> $ openssl rsa -in id_rsa_pass -passin pass: -noout 2>/dev/null ; echo $?
> 1

More hacky but faster: grep for ^DEK-Info in the private key files
-d
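
The DEK-Info grep suggested above, turned into a scan over user .ssh directories, as an added example that is not part of the original message. It goes beyond the thread in one respect: keys in the newer `-----BEGIN OPENSSH PRIVATE KEY-----` format carry no DEK-Info line, so they are reported as unknown rather than unencrypted. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify private key files by their PEM headers.

# classify_key FILE -> encrypted | unencrypted | unknown | not-a-key
classify_key() {
    first=$(head -n 1 -- "$1" 2>/dev/null | tr -d '\r')
    case $first in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo encrypted ;;      # PKCS#8 encrypted container
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo unknown ;;        # newer OpenSSH format has no DEK-Info line
        "-----BEGIN "*"PRIVATE KEY-----")
            # Traditional PEM: encrypted keys carry a DEK-Info header.
            if grep -q -e '^DEK-Info:' -- "$1"; then echo encrypted
            else echo unencrypted; fi ;;
        *)  echo not-a-key ;;
    esac
}

# scan_ssh_dirs BASE: list keys under any .ssh directory below BASE
# that need follow-up, one "state<TAB>path" line each.
scan_ssh_dirs() {
    find "$1" -type f -path '*/.ssh/*' ! -name '*.pub' 2>/dev/null |
    while IFS= read -r key; do
        state=$(classify_key "$key")
        case $state in
            unencrypted|unknown) printf '%s\t%s\n' "$state" "$key" ;;
        esac
    done
}

# make_sample DIR: constructed files with dummy bodies (not real keys).
make_sample() {
    mkdir -p "$1/alice/.ssh" "$1/bob/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/alice/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/bob/.ssh/id_rsa"
    printf '%s\n' 'ssh-rsa AAAA bob@example' > "$1/bob/.ssh/id_rsa.pub"
    printf '%s\n' 'example.org ssh-rsa AAAA' > "$1/bob/.ssh/known_hosts"
}

# With an argument, scan that tree (e.g. /home); otherwise do nothing.
if [ "$#" -gt 0 ]; then scan_ssh_dirs "$1"; fi
```

Files reported as unknown can be checked individually with `ssh-keygen -y -P '' -f FILE`, which succeeds only when the key loads with an empty passphrase.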
    
    