comp.security.ssh: SSH secure remote login and tunneling tools.
#1
Hello,

we're using OpenSSH 3.x mostly on RHEL 3/4/5 PCs, but also have a few HP-UX and Solaris machines here. And we have about 1000 users with their home dirs on an NFS server (NetApp).

I'm looking for a possibility to prevent our users from creating and using SSH keys with empty passphrases. Or at least make it not so easy for them (maybe some shell alias or script for ssh-add or ssh-keygen?)

Also I'm looking for a shell/perl script which I could run regularly and find which users have an SSH key with no passphrase. Yes, as "root" I can "su" to any user and then try to log in to another machine. If the login succeeds, then the user's SSH key has no passphrase. But how do I script it?

Thank you!
Alex

PS: Please do not reply with "PermitEmptyPasswords yes", because I'm asking about passphrases, not passwords.

PPS: Yes, I do realize that nothing can be done on the sshd side, because it is too late and the server only sees the key.
|
|
|
#2
A. Farber <Alexander.Farber@gmail.com> wrote:

> I'm looking for a possibility to prevent our users from
> creating and using SSH keys with empty passphrases.

You must be able to see the key to detect this. So if it's happening on machines you don't control, this is difficult.

> Or at least make it not so easy for them (maybe
> some shell alias or script for ssh-add or ssh-keygen?)
> Also I'm looking for a shell/perl script which I could run
> regularly and find which users have an SSH key with
> no passphrase. Yes, as a "root" I can "su" to any user
> and then try to login to another machine. If the login
> succeeds, then the user's SSH key has no passphrase.
> But how do I script it?

You don't need to log in. You can use ssh-keygen to read the private key and print the public key (-y). If it doesn't prompt for the old passphrase, then the current one is null.

Unfortunately, ssh-keygen doesn't take a BatchMode option, so I don't know how to prevent it from being interactive when the key is present (other than with something external like expect).

-- 
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
|
|
|
#3
Here is my solution for the archives:

```sh
#!/bin/sh
# The script for finding unprotected SSH keys by A. Farber

HOMES=/mnt/netapp01/user_dirs/home

# these 2 vars and ssh-add </dev/null to get rid of the passphrase prompt
export DISPLAY=dummy
export SSH_ASKPASS=/bin/false

eval `ssh-agent -s -t 10` || exit

# find files called .ssh/id_dsa, .ssh/id_rsa or .ssh/identity
# (the -name tests are grouped so that -o does not bypass the -path test)
find $HOMES -maxdepth 3 -path '*/.ssh/id*' \
    \( -name 'id_[dr]sa' -o -name identity \) | \
while read ssh_key_file; do
    # ssh-add succeeds without a prompt only when the key has no passphrase;
    # note that an unreadable or malformed key file also fails and is then reported as OK
    if ssh-add -t 10 "$ssh_key_file" </dev/null >/dev/null 2>&1; then
        echo "$ssh_key_file - EMPTY PASSPHRASE"
    else
        echo "$ssh_key_file - OK"
    fi
done

eval `ssh-agent -k`
```
|
|
|
|
|
|
#5
On 2007-08-08, A. Farber <Alexander.Farber@gmail.com> wrote:

Doing find under home directories looks wasteful. You can get a list of home directories from getpwent() and look for each of the .ssh/id_dsa, .ssh/id_rsa or .ssh/identity in those only.

If you're using home directories on NFS you've got all the insecurity that comes with that. I'd read each file as the user in question, not as root. And what do you do with the user who links .ssh/identity to /dev/random?

> Here is my solution for the archives:
>
> #!/bin/sh
>
> # The script for finding unprotected SSH keys by A. Farber
>
> HOMES=/mnt/netapp01/user_dirs/home
>
> # these 2 vars and ssh-add </dev/null to get rid of the passphrase prompt
> export DISPLAY=dummy
> export SSH_ASKPASS=/bin/false
>
> eval `ssh-agent -s -t 10` || exit
>
> # find files called .ssh/id_dsa, .ssh/id_rsa or .ssh/identity
> find $HOMES -maxdepth 3 -path '*/.ssh/id*' \
> -name 'id_[dr]sa' -o -name identity | \
> while read ssh_key_file; do
> if ssh-add -t 10 $ssh_key_file </dev/null >/dev/null 2>&1; then
> echo "$ssh_key_file - EMPTY PASSPHRASE"
> else
> echo "$ssh_key_file - OK"
> fi
> done
>
> eval `ssh-agent -k`

-- 
Elvis Notargiacomo master AT barefaced DOT cheek http://www.notatla.org.uk/goen/
|
|
|
#6
In article <1186582492.074266.270070@q75g2000hsh.googlegroups.com>, Alexander.Farber@gmail.com says...

> Here is my solution for the archives:
>
> #!/bin/sh
>
> # The script for finding unprotected SSH keys by A. Farber
>
> HOMES=/mnt/netapp01/user_dirs/home
>
> # these 2 vars and ssh-add </dev/null to get rid of the passphrase prompt
> export DISPLAY=dummy
> export SSH_ASKPASS=/bin/false
>
> eval `ssh-agent -s -t 10` || exit
>
> # find files called .ssh/id_dsa, .ssh/id_rsa or .ssh/identity
> find $HOMES -maxdepth 3 -path '*/.ssh/id*' \
> -name 'id_[dr]sa' -o -name identity | \
> while read ssh_key_file; do
> if ssh-add -t 10 $ssh_key_file </dev/null >/dev/null 2>&1; then
> echo "$ssh_key_file - EMPTY PASSPHRASE"
> else
> echo "$ssh_key_file - OK"
> fi
> done
>
> eval `ssh-agent -k`

Hi, good solution. I've another one, which may :

Looking at a private key, with no passphrase:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtK74+E3ujD0OqI509n/2gNlStSmilGTqFhIzUDytXs/P38DC
```

Looking at a private key, with a passphrase:

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,14F4FBFD11BC6F56
km15JyS7W4x1dwj2pxObTqgTunl7mJaogUuU2lJ7KJdVQtGSYe+1Yrgmr3wOgcSm
```

Why don't you search with a "find" all the keys that do NOT contain the "ENCRYPTED" line? Something like (add more options if you like, but I've just woken up):

```sh
# find all
find /path/you/want/ -type f -name "id*" -print
# find encrypted (-q keeps grep's matching line out of the file list)
find /path/you/want/ -type f -name "id*" -exec grep -q "ENCRYPTED" {} \; -print
```

Then you have 2 lists: all and encrypted private keys. If you want the NOT encrypted ones, just a (sort + diff) should make it.

I think it would be less consuming in CPU usage, and a little more for disk than the previous solution.

Just my 2 cents.

Rgds
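An added example, not from any post in this thread, that combines the advice of posts #5 and #6: home directories come from the passwd database instead of a filesystem walk, each key file is opened without following symlinks and refused unless it is a regular file (so the .ssh/identity linked to /dev/random is reported as "unknown" instead of stalling the scan), and the verdict comes from the key file's header rather than from ssh-add. It also classifies the newer "BEGIN OPENSSH PRIVATE KEY" format, which goes beyond the 2007 thread; the key names id_ecdsa and id_ed25519, the 64 KiB read bound and the three verdict strings are this example's own assumptions.

```python
import base64
import os
import pwd
import stat

KEY_NAMES = ("identity", "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")  # thread's names + newer defaults
MAX_READ = 64 * 1024  # bounded read: a .ssh/identity pointing at /dev/random must not stall the scan

def classify_key_bytes(data: bytes) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' from the leading bytes of a private key file."""
    lines = data.decode("ascii", "replace").splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New format: base64 body = "openssh-key-v1\0" + length-prefixed cipher name; "none" = cleartext key
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            raw = base64.b64decode(body[:64])  # 48 decoded bytes cover magic, length and cipher name
        except ValueError:
            return "unknown"
        if not raw.startswith(b"openssh-key-v1\x00"):
            return "unknown"
        n = int.from_bytes(raw[15:19], "big")
        return "unencrypted" if raw[19:19 + n] == b"none" else "encrypted"
    # Legacy PEM (the thread's case): an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header line
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:]):
        return "encrypted"
    return "unencrypted"

def classify_key_file(path: str) -> str:
    """Open without following symlinks and refuse anything that is not a regular file."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return "unknown"  # symlink (ELOOP), vanished or unreadable
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return "unknown"  # device, FIFO or socket: not a key file
        return classify_key_bytes(os.read(fd, MAX_READ))
    finally:
        os.close(fd)

def scan_home_dirs(home_dirs=None):
    """Yield (path, verdict) per key file in each home's .ssh; homes default to getpwent() as post #5 suggests."""
    if home_dirs is None:
        home_dirs = [p.pw_dir for p in pwd.getpwall()]
    for home in home_dirs:
        for name in KEY_NAMES:
            path = os.path.join(home, ".ssh", name)
            if os.path.lexists(path):
                yield path, classify_key_file(path)
```

Run it as root (or, following post #5, once per user under that user's identity) and review every "unencrypted" verdict; an "unknown" verdict marks a file that is a symlink, a device or not a key at all and deserves a look as well.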
|
|
|