Is there an sshd config command to block keys that have blank or empty passphrases in them?
I'd like to limit ssh access to people with passwords without having passwords stored on servers.
I don't think so, as the keyphrase is used on the client side to unlock the key. I don't think the server gets any knowledge of whether a phrase is on the key. Also, users can unlock their keys into their ssh-agent keychains.
You'd do better to use the public key as a second factor while still needing a password. This allows you to implement a decent strength minimum password policy.
No, this isn't possible. The server has no way to know whether the user entered a passphrase to use his key or not, and it also does not need that information. The only thing the server sees is "please let me in, signed somekey" and compares this to the known public key. You could disable pubkey login, but then you would have to store (encrypted) passwords on the server which you do not want.