Hi all,

I think I'm barking up an impossible tree, but it's worth asking.

Scenario:

I have an sshd-enabled jump box catering for 100+ users. They all use ssh keys 
and we ask them all nicely to passphrase-protect the private key and pretend 
that we enforce this. Keys are in use because the admin load of coping with 
passwords isn't worth the effort. Fortunately, I have a security officer who 
is properly clued up and very willing to listen to reason.

My question:

Is there any known way, no matter how convoluted and bizarre, of checking and 
enforcing from the server end that a private key is passphrase protected? Our 
own research indicates no. One possible way is to audit the user's client 
machine, but we don't have that level of access (and don't want it either).


-- 
alan dot mckinnon at gmail dot com
