What the script does.
The script mounts the share that all the users home directories auto-mount from. This way the user needs not to be logged in for me to check there keys. I then copy all the names of the users home directories into a file. The script checks then checks for the word ENCRYPTED in the id_rsa file. If the word ENCRYPTED is in the file then the passphrase is set. The temp files are then removed and the share unmounted.
This my script I came up with.
#!/bin/bash
# This script is for checking for a blank passphrase. Meaning no passphrase
to secure your SSH file.
# Script most be run as root.
# Example: sudo ./check-sshkeys
mount share:/vol/home /mnt
ls /mnt >/tmp/ls
for s in `cat /tmp/ls`
do echo -e "\e[1m User $s \033[0m "
if ls /mnt/$s/.ssh/id_rsa 2>/dev/null
then grep ENCRYPTED /mnt/$s/.ssh/id_rsa || echo -e "No RSA
passphrase"
else echo "RSA key not found"
fi
if ls /mnt/$s/.ssh/id_dsa 2>/dev/null
then grep ENCRYPTED /mnt/$s/.ssh/id_dsa || echo -e "No DSA
passphrase"
else echo "DSA key not found"
fi
done
rm /tmp/ls
umount /mnt
# This script is for checking for a blank passphrase. Meaning no passphrase
to secure your SSH file.
# Script most be run as root.
# Example: sudo ./check-sshkeys
mount share:/vol/home /mnt
ls /mnt >/tmp/ls
for s in `cat /tmp/ls`
do echo -e "\e[1m User $s \033[0m "
if ls /mnt/$s/.ssh/id_rsa 2>/dev/null
then grep ENCRYPTED /mnt/$s/.ssh/id_rsa || echo -e "No RSA
passphrase"
else echo "RSA key not found"
fi
if ls /mnt/$s/.ssh/id_dsa 2>/dev/null
then grep ENCRYPTED /mnt/$s/.ssh/id_dsa || echo -e "No DSA
passphrase"
else echo "DSA key not found"
fi
done
rm /tmp/ls
umount /mnt
Draw backs
Now there are ways that a user can get around this, like putting the word ENCRYPTED in the right file. But most users will not do this, so this should still work for most users. The script above will need to be modified in order to check users who don't have their home directories auto-mounted.
I can't take all the credit for this, I had some help. Below I have posted the link to the forum were I asked for help on this script.
Ref:
Is there a way to check a users SSH key to see if the passphrase is blank
No comments:
Post a Comment