On Mon, 10 Feb 2020, Harald Dunkel wrote:

> Hi folks,
>
> Since Docker can bind-mount every .ssh directory I am looking for
> some way to forbid unprotected private keys.
>
> AFAICS it is currently not possible on the sshd to verify that
> the peer's private key was protected by a passphrase. Can you
> confirm?

That's not possible - the client could simply lie about whether the key was password-protected and the server has no way to determine the truth.

However, the new U2F/FIDO key types about to be released in openssh-8.2 do offer some features that might solve your problem. These include optionally writing an "attestation certificate" that can be used to prove that a key was unexportably stored in hardware, and signature-time flags that indicate whether a user explicitly authorised the signature (by touching the security token).

In the future, it will be possible to PIN-protect FIDO keys and have this fact attested to in the signature too. I.e. a sshd will be able to check and optionally refuse authentication by keys that were not unlocked by a PIN. I hope to get to this not long after openssh-8.2 is done.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
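The reason the signature-time flags can be trusted where a "my key has a passphrase" claim cannot is that the token signs over them. The following added example (not OpenSSH code, not part of the thread) simulates the authenticator and the sshd side for an sk-ssh-ed25519@openssh.com key; it assumes the signed-data layout from PROTOCOL.u2f (SHA256(application) || flags || counter || SHA256(message)), the flag bit values 0x01 (user presence) and 0x04 (user verification) from sk-api.h, and a constructed message in place of real session data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Flag bits in sk-ssh-ed25519@openssh.com signatures (OpenSSH sk-api.h):
// the token was touched, and the token was unlocked with a PIN.
const (
	SKUserPresence     byte = 0x01
	SKUserVerification byte = 0x04
)

// signedData is what the authenticator really signs (PROTOCOL.u2f):
// SHA256(app) || flags || counter || SHA256(msg), so flags cannot be rewritten.
func signedData(app string, flags byte, counter uint32, msg []byte) []byte {
	appHash := sha256.Sum256([]byte(app))
	msgHash := sha256.Sum256(msg)
	data := binary.BigEndian.AppendUint32(append(appHash[:], flags), counter)
	return append(data, msgHash[:]...)
}

// TokenSign simulates the token: flags record what actually happened.
func TokenSign(priv ed25519.PrivateKey, app string, flags byte, counter uint32, msg []byte) []byte {
	return ed25519.Sign(priv, signedData(app, flags, counter, msg))
}

// ServerAccept is the sshd side: verify over the flags as received,
// then enforce policy (touch always, PIN only when requirePIN is set).
func ServerAccept(pub ed25519.PublicKey, app string, sig []byte, flags byte, counter uint32, msg []byte, requirePIN bool) bool {
	if !ed25519.Verify(pub, signedData(app, flags, counter, msg), sig) {
		return false // flags or message altered after signing, or wrong key
	}
	if flags&SKUserPresence == 0 {
		return false
	}
	return !requirePIN || flags&SKUserVerification != 0
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed SSH userauth data") // stands in for real session data
	sig := TokenSign(priv, "ssh:", SKUserPresence, 7, msg) // touched, no PIN
	// A client claiming a PIN it never entered is caught by signature verification.
	fmt.Println(ServerAccept(pub, "ssh:", sig, SKUserPresence|SKUserVerification, 7, msg, true))
}
```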