question about pubkey and passphrase

Damien Miller djm at
Tue Feb 11 09:59:05 AEDT 2020

On Mon, 10 Feb 2020, Harald Dunkel wrote:

> Hi folks,
> Since Docker can bind-mount every .ssh directory I am looking for
> some way to forbid unprotected private keys.
> AFAICS it is currently not possible on the sshd to verify that
> the peer's private key was protected by a passphrase. Can you
> confirm?

That's not possible - the client could simply lie about whether the
key was password-protected and the server has no way to determine the

However, the new U2F/FIDO key types about to be released in openssh-8.2
do offer some features that might solve your problem. These include
optionally writing an "attestation certificate" that can be used to
prove that a key was unexportably stored in hardware, and signature-
time flags that indicate whether a user explicitly authorised the
signature (by touching the security token).

In the future, it will be possible to PIN-protect FIDO keys and have
this fact attested to in the signature too. I.e. a sshd will be able
to check and optionally refuse authentication by keys that are were not
unlocked by a PIN. I hope to get to this not long after openssh-8.2 is


More information about the openssh-unix-dev mailing list