question about pubkey and passphrase
Damien Miller
djm at mindrot.org
Tue Feb 11 09:59:05 AEDT 2020
On Mon, 10 Feb 2020, Harald Dunkel wrote:
> Hi folks,
>
> Since Docker can bind-mount every .ssh directory I am looking for
> some way to forbid unprotected private keys.
>
> AFAICS it is currently not possible on the sshd to verify that
> the peer's private key was protected by a passphrase. Can you
> confirm?
That's not possible - the client could simply lie about whether the
key was password-protected and the server has no way to determine the
truth.
However, the new U2F/FIDO key types about to be released in openssh-8.2
do offer some features that might solve your problem. These include
optionally writing an "attestation certificate" that can be used to
prove that a key was unexportably stored in hardware, and signature-time
flags that indicate whether a user explicitly authorised the
signature (by touching the security token).
In the future, it will be possible to PIN-protect FIDO keys and have
this fact attested to in the signature too. I.e. an sshd will be able
to check and optionally refuse authentication by keys that were not
unlocked by a PIN. I hope to get to this not long after openssh-8.2 is
done.
-d
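The mail describes two server-checkable facts carried in a FIDO key's signature: a touch flag and, later, a PIN-unlock flag. The following is an added illustration (not code from this thread or from OpenSSH) of what a verifier sees in an sk-* signature blob. It assumes the layout documented in OpenSSH's PROTOCOL.u2f (string algorithm, string signature, byte flags, uint32 counter), that the flags byte is the FIDO authenticator-data flags byte (bit 0 user presence, bit 2 user verification), and it skips verifying the inner Ed25519 signature. The sample blobs are constructed with a zero-filled placeholder signature; `check_sk_policy` and its counter check are this example's own policy, not an OpenSSH option.

```python
import struct

# Bits of the FIDO authenticator-data "flags" byte that OpenSSH copies into
# sk-* signatures (see OpenSSH PROTOCOL.u2f). Bit 0 = user presence (the
# token was touched), bit 2 = user verification (PIN or biometric unlock).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
SK_ECDSA = b"sk-ecdsa-sha2-nistp256@openssh.com"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire string at offset, bounds-checked."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off:off + n], off + n


def build_sk_signature(alg: bytes, raw_sig: bytes, flags: int, counter: int) -> bytes:
    """Assemble the sk-* signature blob layout from PROTOCOL.u2f:
    string algorithm, string signature, byte flags, uint32 counter."""
    return ssh_string(alg) + ssh_string(raw_sig) + struct.pack(">BI", flags, counter)


def parse_sk_signature(blob: bytes) -> dict:
    """Split an sk-* signature blob into its fields. The inner signature is
    returned untouched; cryptographic verification is not done here."""
    alg, off = read_ssh_string(blob, 0)
    if alg not in (SK_ED25519, SK_ECDSA):
        raise ValueError("not a security-key signature: %r" % alg)
    raw_sig, off = read_ssh_string(blob, off)
    if len(blob) - off != 5:  # exactly flags(1) + counter(4) must remain
        raise ValueError("bad trailer length")
    flags, counter = struct.unpack_from(">BI", blob, off)
    return {"algorithm": alg.decode(), "signature": raw_sig,
            "flags": flags, "counter": counter}


def check_sk_policy(parsed: dict, last_counter=None,
                    require_touch: bool = True, require_pin: bool = False):
    """Hypothetical server-side policy over the attested facts in a
    signature. Returns (accepted, reason)."""
    flags = parsed["flags"]
    if require_touch and not flags & FLAG_USER_PRESENT:
        return False, "signature not authorised by a touch (UP bit clear)"
    if require_pin and not flags & FLAG_USER_VERIFIED:
        return False, "token was not PIN-unlocked (UV bit clear)"
    # The per-key counter should only ever increase; a repeat or decrease
    # is the classic sign of a cloned authenticator.
    if last_counter is not None and parsed["counter"] <= last_counter:
        return False, "signature counter did not advance"
    return True, "ok"


# Constructed samples: a zero-filled 64-byte placeholder stands in for the
# Ed25519 signature; only the trailer matters for this demonstration.
SAMPLE_TOUCH_ONLY = build_sk_signature(SK_ED25519, bytes(64), FLAG_USER_PRESENT, 7)
SAMPLE_TOUCH_AND_PIN = build_sk_signature(
    SK_ED25519, bytes(64), FLAG_USER_PRESENT | FLAG_USER_VERIFIED, 8)

if __name__ == "__main__":
    for blob in (SAMPLE_TOUCH_ONLY, SAMPLE_TOUCH_AND_PIN):
        p = parse_sk_signature(blob)
        print(p["algorithm"], hex(p["flags"]), p["counter"],
              check_sk_policy(p, last_counter=6, require_pin=True))
```

The point the mail makes carries over directly: a passphrase on a file-based key leaves no trace in the signature, whereas the UP and UV bits are set by the authenticator itself, so a server can make an access decision on them without trusting the client's word.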