Monday, March 24, 2014

Check for a blank SSH key passphrase

I found out one of my co-workers was not using a passphrase to secure his SSH keys. This is a very insecure way to do business: anyone who can read the private key file (from a stolen laptop, a compromised account or a badly permissioned home directory) can use the key immediately, with nothing further to break. Many people leave the passphrase blank because they do not know how to set up an SSH agent, or can't be bothered to set one up. If you don't know how to set up an SSH agent, refer to my How to setup SSH Keys post. I came up with a way to check all the accounts on the servers I manage, because I wanted to know how many other people were not practicing good security. I have tested this script on Solaris 10, Red Hat Linux (RHEL 5) and SUSE (SLES 11.2).

What the script does.
The script mounts the share that all the users' home directories auto-mount from, so a user does not need to be logged in for me to check their keys. It then writes the names of the home directories to a temp file and, for each user, looks for the word ENCRYPTED in id_rsa and id_dsa. A PEM-format private key that has a passphrase carries a Proc-Type: 4,ENCRYPTED header line, so if the word is present the passphrase is set; if it is absent the key is stored in the clear. The temp file is then removed and the share unmounted.

This is the script I came up with.
#!/bin/sh
# This script checks for a blank passphrase, meaning no passphrase
# protects your SSH private key.
# Script must be run as root.
# Example: sudo ./check-sshkeys
# Backticks rather than $(...) so the old Solaris 10 /bin/sh can run it.

[ "`id -u`" -eq 0 ] || { echo "must be run as root" >&2; exit 1; }

mount share:/vol/home /mnt || exit 1
list=`mktemp` || exit 1
ls /mnt >"$list"
for s in `cat "$list"`
do
    printf '\033[1m User %s \033[0m\n' "$s"
    if [ -f "/mnt/$s/.ssh/id_rsa" ]
    then grep -q ENCRYPTED "/mnt/$s/.ssh/id_rsa" || echo "No RSA passphrase"
    else echo "RSA key not found"
    fi
    if [ -f "/mnt/$s/.ssh/id_dsa" ]
    then grep -q ENCRYPTED "/mnt/$s/.ssh/id_dsa" || echo "No DSA passphrase"
    else echo "DSA key not found"
    fi
done
rm -f "$list"
umount /mnt

Drawbacks
There are ways a user can get around this, like putting the word ENCRYPTED in the right file, but most users will not bother, so the check still works for most accounts. Two real limitations are worth knowing about. First, the grep only recognises the legacy PEM format, where a passphrase shows up as a Proc-Type: 4,ENCRYPTED header line. Keys written in the newer OpenSSH private key format (files that begin with -----BEGIN OPENSSH PRIVATE KEY-----, which is what ssh-keygen produces for Ed25519 keys and for any key generated with -o) never contain that header, so the script reports them as unprotected even when a passphrase is set. Second, it only looks at id_rsa and id_dsa; keys stored under other names (id_ecdsa, id_ed25519, or whatever an IdentityFile line in ~/.ssh/config points at) are never checked. A format-independent test is ssh-keygen -y -P '' -f <keyfile>, which prints the public key only when the private key has no passphrase and fails otherwise. The script above will also need to be modified in order to check users who don't have their home directories auto-mounted.
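As an added example (this is not the post's script and not code from OpenSSH), here is a Python checker that reads the key file format itself instead of grepping for a word, so it classifies both the legacy PEM format and the newer openssh-key-v1 format, where the cipher name inside the base64 body is "none" for a key with no passphrase. The function names are my own, and the sample inputs are constructed headers with placeholder bodies, not real keys.

```python
"""Classify SSH private key files as passphrase-protected or blank.

Added example, not the original post's script. It understands both on-disk
formats: legacy PEM (passphrase signalled by a "Proc-Type: 4,ENCRYPTED"
header line) and openssh-key-v1, where the cipher name lives inside the
base64 body ("none" means no passphrase). The samples below are
constructed headers, not real keys.
"""
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"


def _string(data):
    """Encode bytes as an SSH uint32-length-prefixed string."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one uint32-length-prefixed string; return (value, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def openssh_v1_cipher(text):
    """Return the ciphername from an openssh-key-v1 body ("none" if unencrypted)."""
    body = "".join(s for s in (l.strip() for l in text.splitlines())
                   if s and not s.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_string(blob, len(MAGIC))  # field right after the magic
    return cipher.decode("ascii")


def key_status(text):
    """Return 'encrypted', 'blank' or 'unknown' for the contents of a private key file."""
    lines = text.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return "blank" if openssh_v1_cipher(text) == "none" else "encrypted"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with built-in encryption
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: RFC 1421 headers, if any, sit between BEGIN and the base64 body.
        for line in lines[1:]:
            if ":" not in line:
                break  # base64 body reached; no more headers
            if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
                return "encrypted"
        return "blank"
    return "unknown"


def pem_sample(encrypted):
    """Constructed legacy-PEM header with a placeholder body (not a usable key)."""
    head = "-----BEGIN RSA PRIVATE KEY-----\n"
    if encrypted:
        head += "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    return head + "MIIBogIBAAJBAK==\n-----END RSA PRIVATE KEY-----\n"


def openssh_sample(cipher):
    """Constructed openssh-key-v1 header (magic, cipher, kdf, kdfoptions, key count)."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + _string(cipher) + _string(kdf) + _string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    if sys.argv[1:]:
        # Usage on the mounted share: python check_key_format.py /mnt/*/.ssh/id_*
        for path in sys.argv[1:]:
            with open(path) as fh:
                print(f"{path}: {key_status(fh.read())}")
    else:
        for name, text in [("pem blank", pem_sample(False)), ("pem encrypted", pem_sample(True)),
                           ("v1 blank", openssh_sample(b"none")),
                           ("v1 encrypted", openssh_sample(b"aes256-ctr"))]:
            print(f"{name}: {key_status(text)}")
```

Run with no arguments it classifies the four constructed samples; pointed at real files (public keys and anything else it does not recognise come back as "unknown") it gives the per-file verdict the post's grep was approximating, without being fooled by the word ENCRYPTED appearing in the wrong place.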

I can't take all the credit for this; I had some help. Below I have posted the link to the forum where I asked for help on this script.

Is there a way to check a users SSH key to see if the passphrase is blank