On 02/10/2020 03:10 PM, Harald Dunkel wrote:
> Since Docker can bind-mount every .ssh directory I am looking for
> some way to forbid unprotected private keys.

... why aren't you worried about Docker on the *servers* stealing the
(necessarily passphrase-less) *host* privkeys if it can really grab
whatever it likes? Or *TONS* of data it shouldn't have access to, if the
server runs anything perpendicular to that one Docker container's
purpose ...

> AFAICS it is currently not possible on the sshd to verify that
> the peer's private key was protected by a passphrase. Can you
> confirm?

In the general case, the client connecting may have the privkey in the
standard location, elsewhere (-i option), pre-loaded into ssh-agent,
stored in a file with a *different* format (e.g., PuTTY instead of
OpenSSH), etcetera. In particular in the case of ssh-agent, the software
doing the authentication (ssh-agent, ssh, and sshd) has no information
about the *file* the privkey originally came from (as that was handled
by ssh-add), much less whether that one was protected at that time, or
still is now.

*If* you have enough control over the clients to run a file scan on
*them* and have the result reported back to you every now and then, you
could try to permanently invalidate "offending" privkeys by distributing
a collection of the corresponding pubkeys to your servers and pointing
sshd at it with the RevokedKeys config.

(Note, however, that offhand, I cannot find a command that allows you to
derive a pubkey from a privkey, or confirm that a given pubkey
corresponds to some (even nonencrypted) privkey. Think "evil user makes
a dozen copies of some newly created, unencrypted privkey, adds the
sysadmins' pubkeys in files with corresponding filenames, and waits for
your next scan".)

Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
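The client-side scan the reply sketches (find private keys written without a passphrase, collect the matching public keys, ship them to the servers as a RevokedKeys file) can be done without any external tool for the current OpenSSH file format, because the "openssh-key-v1" container stores the cipher name and the public key in the clear even when the private section is encrypted. The following is an added example, not code from the thread or from OpenSSH itself; all key files it scans are constructed filler built in the block (they parse as private keys but contain no usable secret), and the paths under /home are invented for the demonstration. Legacy PEM keys ("BEGIN RSA PRIVATE KEY") are recognised by their Proc-Type header but, as the code notes, their public key cannot be derived here without a crypto library.

```python
"""Flag OpenSSH private keys written without a passphrase and emit the
matching public keys as lines for sshd's RevokedKeys file.

Added example for the openssh-unix-dev thread above; not OpenSSH code.
All key material below is constructed filler with no usable secret."""
import base64
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"


@dataclass
class KeyReport:
    path: str
    fmt: str                      # "openssh-v1", "legacy-pem" or "unknown"
    encrypted: Optional[bool]     # None when the format is not understood
    pubkey_line: Optional[str]    # authorized_keys-style line, if derivable


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_v1(blob: bytes) -> Tuple[bool, str]:
    """Return (encrypted?, public-key line) for a decoded openssh-key-v1 blob.

    The header is never encrypted: ciphername, kdfname, kdfoptions, key
    count, then each public key. ciphername == "none" means the private
    section was written without a passphrase."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(blob, off)
    _kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError("unexpected key count %d" % nkeys)
    pub, _ = _read_string(blob, off)
    keytype, _ = _read_string(pub, 0)          # e.g. b"ssh-ed25519"
    line = "%s %s" % (keytype.decode(), base64.b64encode(pub).decode())
    return cipher != b"none", line


def inspect_private_key(path: str, text: str) -> KeyReport:
    """Classify the contents of one private key file."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        return KeyReport(path, "unknown", None, None)
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        enc, publine = parse_openssh_v1(base64.b64decode(body))
        return KeyReport(path, "openssh-v1", enc, publine)
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): a passphrase is signalled by
    # a "Proc-Type: 4,ENCRYPTED" header. The public key is not stored in the
    # clear, so it cannot be derived here without a crypto library.
    enc = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])
    return KeyReport(path, "legacy-pem", enc, None)


def revoked_keys_lines(reports: List[KeyReport]) -> List[str]:
    """RevokedKeys content: one public key per unprotected key we could derive."""
    return [r.pubkey_line for r in reports
            if r.encrypted is False and r.pubkey_line is not None]


# --- constructed sample files (filler, not real keys) -----------------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _fake_openssh_key(cipher: bytes, kdf: bytes, kdfopts: bytes) -> str:
    """Build a syntactically valid openssh-key-v1 file with filler contents."""
    pub = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)  # fake pubkey
    priv = b"\x00" * 64                                             # fake private section
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(pub) + _ssh_string(priv))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_FILES = {  # invented paths; contents constructed above
    "/home/alice/.ssh/id_ed25519": _fake_openssh_key(b"none", b"none", b""),
    "/home/bob/.ssh/id_ed25519": _fake_openssh_key(
        b"aes256-ctr", b"bcrypt", _ssh_string(b"\x02" * 16) + struct.pack(">I", 16)),
    "/home/carol/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
        "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "/home/dave/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
}


def scan_samples() -> List[KeyReport]:
    return [inspect_private_key(p, t) for p, t in SAMPLE_FILES.items()]


if __name__ == "__main__":
    reports = scan_samples()
    for r in reports:
        state = {True: "encrypted", False: "UNPROTECTED", None: "unknown"}[r.encrypted]
        print(r.path, r.fmt, state)
    print("--- RevokedKeys ---")
    print("\n".join(revoked_keys_lines(reports)))
```

Only alice's key ends up in the RevokedKeys output: bob's is passphrase-protected, carol's legacy key is encrypted, and dave's legacy key is flagged as unprotected in the report but yields no public key, which is exactly the gap the reply points at. Note that the scan only proves a key file was unprotected at scan time; it says nothing about keys loaded into ssh-agent, kept in other formats, or copied elsewhere.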