Utility to scan for unpassworded SSH privkeys?

John Hawkinson jhawk at MIT.EDU
Sun May 26 06:56:43 EST 2013


I kind of think the desirable thing would have been for the client to
determine whether there is a server command= restriction in place, and
if there is not, to warn or require the user to take special
action. But this would presumably require a protocol change. Not to
mention a transition path that might be difficult.

(This assumes we could agree that the only "proper" use of
un-passphrased keys is when they are restricted by a server-side
command= restriction.)


I do agree we need a way (command-line flag, please, well-documented)
to generate passphraseless public keys. I use them, e.g. for server
backups, but always with a command= restriction.

I would not be averse to a paragraph-long message explaining the
issues (e.g. summarizing this thread) so users so-inclined could
actually understand the decision made. But I realize that might be
unpopular.

--jhawk at mit.edu
  John Hawkinson
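As an added example, not code from this thread or from OpenSSH, here is a small audit helper covering both points above: it reports whether a private key file is stored without a passphrase (by reading the ciphername field of the OpenSSH key format, or the DEK-Info header of legacy PEM), and lists authorized_keys entries that carry no command= restriction. It assumes Python 3.8+, does not validate the key material itself, and the sample keys at the bottom are constructed stubs, not real keys.

```python
import base64
import re
import struct
OPENSSH_MAGIC = b"openssh-key-v1\x00"
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)\S*\s")  # entry with no options field
PEM_RE = re.compile(r"-----BEGIN (OPENSSH|RSA|DSA|EC|ENCRYPTED|) ?PRIVATE KEY-----")

def private_key_cipher(text):
    """Cipher guarding a private key ('none' = no passphrase); None if not a key."""
    if not (m := PEM_RE.search(text)):
        return None
    if m.group(1) == "OPENSSH":
        # new format: base64 blob = magic, then wire strings ciphername, kdfname, ...
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        blob, off = base64.b64decode(body), len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n].decode("ascii", "replace")
    if m.group(1) == "ENCRYPTED":
        return "pkcs8"  # PKCS#8 EncryptedPrivateKeyInfo
    # legacy PEM (RSA/DSA/EC) and plain PKCS#8: a DEK-Info header names the cipher
    dek = re.search(r"^DEK-Info:\s*([^,\s]+)", text, re.M)
    return dek.group(1) if dek else "none"

def _options_field(line):
    """Options prefix of an authorized_keys entry: text before the first unquoted space."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i]
    return line

def unrestricted_entries(authorized_keys_text):
    """1-based line numbers of entries lacking command=, i.e. keys that get a full shell."""
    hits = []
    for n, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if KEY_TYPE_RE.match(line) or not re.search(r'(?:^|,)command="', _options_field(line)):
            hits.append(n)
    return hits

# Constructed samples, not real keys: an OpenSSH blob truncated after magic, ciphername, kdfname.
def _wrap(blob):
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()
SAMPLE_PLAIN_KEY = _wrap(OPENSSH_MAGIC + b"\x00\x00\x00\x04none\x00\x00\x00\x04none")
SAMPLE_ENCRYPTED_KEY = _wrap(OPENSSH_MAGIC + b"\x00\x00\x00\x0aaes256-ctr\x00\x00\x00\x06bcrypt")
```

Feeding `private_key_cipher` the contents of each file under ~/.ssh and `unrestricted_entries` the authorized_keys file gives the two lists a backup-host review needs: keys with no passphrase, and keys that would get a shell instead of a forced command.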