Friday, August 9, 2019

Is there a way to check a users SSH key to see if the passphrase is blank 2019

Below I have posted the script I wrote from the answer @tylerl gave me. I'm posting this in case someone else needs this info in the future. There is most likely better ways to do this, but this works. I still need to write additional scripts for the accounts that are not automounted. Thanks, everyone for all the help

#!/bin/bash
# This script is for checking for a blank passphrase. Meaning no passphrase to secure your SSH key.
# Script must be run as root.
# Example: sudo ./check-sshkeys

mount share:/vol/home /mnt
ls /mnt >/tmp/ls
for s in `cat /tmp/ls`
do echo -e "\e[1m User $s \033[0m "

if ls /mnt/$s/.ssh/id_rsa 2>/dev/null
        then grep ENCRYPTED /mnt/$s/.ssh/id_rsa || echo -e "No RSA
passphrase"
        else echo "RSA key not found"
fi
if ls /mnt/$s/.ssh/id_dsa 2>/dev/null
        then grep ENCRYPTED /mnt/$s/.ssh/id_dsa || echo -e "No DSA
passphrase"
        else echo "DSA key not found"
fi
done
rm /tmp/ls
umount /mnt


==AND==
if [ -d /home/$username/.ssh ] 
then
echo “.ssh -d present”
else
echo “creating .ssh -d!”
mkdir /home/$username/.ssh
chmod 700 /home/$username/.ssh
chown $username:$username /home/$username/.ssh
fi
mv (Default sudo goes to root)/.ssh/id_rsa.pub (Default name)/home/$username/.ssh/id_rsa.pub
chmod 600 (Correct the first permission) /home/$username/.ssh/id_rsa.pub
chmod -R u+rws (Recursive permission change) /var/ftproot/$sftpuser/files
chown $username:$username /home/$username/.ssh/id_rsa.pub
echo "Files are placed."

==AND==
if res="$(setsid </dev/null 2>&1 env -i ssh-keygen -y -f "$keyfile")" ; then
    echo "Unencrypted private key!"
else
    echo "Encrypted, or unreadable, or not a private key,"
    echo "or doesn't have correct permissions for a private key,"
    echo "or SSH doesn't like it for some reason."
    echo "More info that may or may not be helpful:"
    printf "%s\n" "$res"
fi

If it says "Unencrypted private key!", you've definitely found one. If it doesn't, you can at least bet that if is an unencrypted key, SSH won't use it as it is.

(N.B. if you happen to find that /etc/ssh/ssh_host_rsa_key or the like is unencrypted, leave it alone -- it's supposed to be that way!)


at No comments:
Subscribe to: Posts (Atom)

Is there a way to check a users SSH key to see if the passphrase is blank 2019

Below I have posted the script I wrote from the answer @tylerl gave me. I'm posting this in case someone else needs this info in the fu...