I would like to automatically deduce in a script if an ssh key is
encrypted or not.  Basically in a very particular application I want
to be the BOFH and enforce that users place a passphrase on their
id_rsa key.  If they don't put a passphrase I want to send them back
to ssh-keygen until they do.  I have not been able to deduce a way to
detect this yet.  Any hints?

Thanks
Bob
Bob Proulx wrote:
> I would like to automatically deduce in a script if an ssh key is
> encrypted or not.  Basically in a very particular application I want
> to be the BOFH and enforce that users place a passphrase on their
> id_rsa key.  If they don't put a passphrase I want to send them back
> to ssh-keygen until they do.  I have not been able to deduce a way to
> detect this yet.  Any hints?

You can try having openssl load it with a null password:

Passwordless key:

    $ openssl rsa -in /tmp/key -passin pass: -noout
    read RSA key
    $ echo $?
    0

Key with a password:

    $ openssl rsa -in id_rsa -passin pass: -noout
    read RSA key
    unable to load key
    $ echo $?
    1

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Fri, 2003-11-21 at 18:25, Bob Proulx wrote:
> I would like to automatically deduce in a script if an ssh key is
> encrypted or not.  Basically in a very particular application I want
> to be the BOFH and enforce that users place a passphrase on their
> id_rsa key.  If they don't put a passphrase I want to send them back
> to ssh-keygen until they do.  I have not been able to deduce a way to
> detect this yet.  Any hints?

For protocol v2 keys:

    if openssl rsa -noout -passin pass:none -in /path/to/key ; then
        echo user is a dork
    fi

-d
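The replies above answer the question by asking openssl to load the key with an empty passphrase and looking at the exit status. The script below is an added example, not code from this thread or from OpenSSH, that performs the same "is this key encrypted?" check without invoking openssl: it reads the key file itself. For the legacy PEM format that ssh-keygen produced when this thread was written, encryption is signalled by a "Proc-Type: 4,ENCRYPTED" header; for the newer openssh-key-v1 container (introduced in OpenSSH 6.5, long after this thread) the cipher name at the start of the blob is "none" for an unprotected key. PKCS#8 keys are recognised by their BEGIN label. The sample keys in the block are constructed placeholders with dummy bodies; only the fields the detector inspects are meaningful, so do not treat them as real key material. `check_user_key` and `make_openssh_blob` are names chosen for this example.

```python
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_BEGIN = "-----BEGIN "
PEM_END = "-----END "


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated openssh-key-v1 blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated openssh-key-v1 blob")
    return buf[start:end], end


def _pem_parts(text):
    """Split a PEM block into (label, header lines, joined base64 payload)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith(PEM_BEGIN) or not lines[-1].startswith(PEM_END):
        raise ValueError("not a PEM-armored key")
    label = lines[0][len(PEM_BEGIN):].rstrip("-").strip()
    headers, payload, in_headers = [], [], True
    for ln in lines[1:-1]:
        # Legacy PEM headers ("Key: value") precede a blank line; base64 never contains ':'.
        if in_headers and ":" in ln:
            headers.append(ln)
        else:
            in_headers = False
            if ln:
                payload.append(ln)
    return label, headers, "".join(payload)


def key_is_encrypted(text):
    """Return True if the private key text is passphrase-protected, False if not."""
    label, headers, payload = _pem_parts(text)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode(payload)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Blob layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8, encrypted
        return True
    if label == "PRIVATE KEY":             # PKCS#8, cleartext
        return False
    raise ValueError("unrecognised key type: %s" % label)


def check_user_key(text):
    """The enforcement the thread asks for: accept the key or send the user back to ssh-keygen."""
    if key_is_encrypted(text):
        return "ok"
    return "rejected: add a passphrase with 'ssh-keygen -p'"


# --- constructed samples (placeholder bodies, not real keys) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_openssh_blob(cipher, kdf):
    """Build the head of an openssh-key-v1 file with the given cipher/KDF names (constructed)."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python checkkey.py ~/.ssh/id_rsa
    with open(sys.argv[1]) as fh:
        print(check_user_key(fh.read()))
```

Because this never attempts to decrypt anything, it is safe to run as an unprivileged pre-check on many files; the openssl round trip from the replies remains a useful second opinion for formats this parser does not recognise.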