Utility to scan for unpassworded SSH privkeys?

Nico Kadel-Garcia nkadel at gmail.com
Fri May 24 22:43:24 EST 2013


On Thu, May 23, 2013 at 8:23 PM, Jamie Beverly <jamie.beverly at yahoo.com> wrote:
> I like to retain some semblance of optimism for humanity, and so I'm just going to hope that this assertion is false. I have to hope that there is at least a large minority of people who correctly use ssh-agent for the suppression of password prompting, and protect their private keys with passwords.

This is not a new flaw. It dates right back to the original SSH-1 and
SSH-2, which were forked to create OpenSSH. It's also why the highly
vaunted security of OpenBSD is fairly pointless, when such gaping
configuration holes are the *default* configuration. ssh-keygen
creates passphrase-free keys by default if you simply hit "Enter" a few
times, and there is no way I've ever seen for ssh_config to reject
them by default when loading local keys or loading them into an
ssh-agent.

My repeated surveys of environments with NFS home directories show
that at least 10%, often far more, of SSH keys are not protected. And
the people who are worst about their passphrase keys tend to be admins
who "know better" and who follow the common security model of "if you
don't trust the machine you're on, you shouldn't be working on it",
and therefore refuse to follow even the most basic security practices.

It's a big reason that I encourage migration to Kerberos based
authentication wherever possible, but that doesn't work well for
Subversion or git authentication.
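
A scanner of the kind the subject line asks for, as an added example; it is not code from this thread or from OpenSSH. It decides from the file headers alone (the Proc-Type line of a legacy PEM key, the cipher and KDF names at the front of an openssh-key-v1 blob, and the BEGIN line of a PKCS#8 key) rather than calling ssh-keygen, so it runs offline and never handles key material. The sample key files it scans are constructed fixtures with no real keys in them, and the 64 KB size cap and permission check are this example's own choices.

```python
#!/usr/bin/env python3
"""Find SSH private keys without a passphrase by inspecting the files.

Added example, not code from the thread or from OpenSSH. It recognises
the three on-disk formats OpenSSH reads and classifies each from its
header, so it needs no ssh-keygen and never decrypts anything.
"""
import base64
import os
import struct
import tempfile
from typing import List, Optional, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"
MAX_KEY_BYTES = 64 * 1024  # assumption: real private keys are a few KB


def _ssh_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_key(text: str) -> Optional[str]:
    """Return 'encrypted', 'unencrypted', or None if not a private key."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1: magic, then cipher name, then KDF name.
        # A key without a passphrase carries "none" for both.
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return None
            cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _ssh_string(blob, off)
        except (ValueError, struct.error):
            return None
        return "unencrypted" if cipher == b"none" or kdf == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"      # PKCS#8, passphrase-protected
    if header == "-----BEGIN PRIVATE KEY-----":
        return "unencrypted"    # PKCS#8, plaintext
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled only by
    # a Proc-Type header immediately after the BEGIN line.
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4]):
        return "encrypted"
    return "unencrypted"


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root; return (path, status, loose_perms) for each private key.
    loose_perms is True when group or others have any access bits set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_size > MAX_KEY_BYTES:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(MAX_KEY_BYTES)
            except OSError:
                continue
            if not head.startswith(b"-----BEGIN "):
                continue
            status = classify_key(head.decode("ascii", errors="replace"))
            if status is not None:
                findings.append((path, status, bool(st.st_mode & 0o077)))
    return findings


def _synthetic_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed OPENSSH PRIVATE KEY file whose header names the given
    cipher and KDF. Test fixture only: it contains no key material."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample files (no real keys); name -> contents.
SAMPLE_FILES = {
    "id_ed25519": _synthetic_openssh_key("none", "none"),
    "id_ed25519_safe": _synthetic_openssh_key("aes256-ctr", "bcrypt"),
    "id_rsa_legacy": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_legacy_safe": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                           "-----END RSA PRIVATE KEY-----\n"),
    "id_rsa.pub": "ssh-rsa AAAA user@host\n",
    "notes.txt": "nothing to see here\n",
}


def demo() -> List[Tuple[str, str, bool]]:
    """Write the sample files to a temp dir and scan it; returns findings
    with paths reduced to basenames, sorted for stable comparison."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_FILES.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, 0o644 if name in ("id_rsa.pub", "id_rsa_legacy", "notes.txt") else 0o600)
        return sorted((os.path.basename(p), s, loose) for p, s, loose in scan_tree(root))


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    for path, status, loose in scan_tree(root):
        flag = "GROUP/WORLD-READABLE " if loose else ""
        print(f"{status:<11} {flag}{path}")
```

Run it as `python3 scan_keys.py /home` over NFS-mounted home directories to get the kind of survey described above; a second opinion on any single file is `ssh-keygen -y -P '' -f FILE`, which exits 0 only when the key loads with an empty passphrase. The header check is deliberately format-aware because the newer openssh-key-v1 files have no Proc-Type line, so a grep for "ENCRYPTED" misses them entirely.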


More information about the openssh-unix-dev mailing list