On Wednesday 17 September 2008 13:16:57 Jil Larner wrote:
> Hello,
>
> You cannot. The reason for this is simple: you can copy your private key
> as many times as you wish to any place. Even if you were able to check
> that a private key is passphrase-protected, it wouldn't mean every single
> copy of that key is protected in that way. And the point of the private
> key is that only the owner possesses it and hides it; thus you shouldn't
> think about a monthly submission of the keyfile to automatically check
> that it is protected, because it would open a serious security hole.
Agreed. The hole I would like to close (or make smaller) is that the key is the main security between the user's desktop machine and the core routers on my network. We originally switched to ssh keys because users will gladly share passwords with each other without regard for consequences, and the administration of this is a nightmare. Keys make for better security, but I would like it to be even better.

I also want to have my facts 100% straight - if I tell my boss "it can't be done" I like to show research to back it up. There's nothing worse than saying something can't be done, and someone else in the room immediately says how it can be done ... :-)

-- 
alan dot mckinnon at gmail dot com