This is probably a noob question, but how can I determine if the public SSH key someone gives me has a passphrase or not?
We have a situation where I am not generating the SSH keys for users, but I want to make sure every SSH key I put on a server has a passphrase, but I get the feeling the passphrase is only part of the private key.
Thanks!
This is not something you can determine from the public half of the key. Even if you could determine it, what's to stop the user from subsequently removing it?
When you remove the passphrase from the private side of the key, the public side doesn't change.
You cannot tell if a private key has a passphrase or not.
I think the passphrase is synchronous encryption of the private key so would not affect the public key. Technically it doesn't affect either key, as it is simply encrypting the data of the private key.
If you have a policy regarding requiring passphrases, you might also want to establish a policy regarding ssh-agent and agent forwarding, since this stores the socket used to access the ssh-agent process in /tmp without much security outside of Unix file permissions to protect it.
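
What the answers above describe, as an added example that is not part of the original thread: a throwaway key is created with a passphrase, the passphrase is then removed, and the public half is compared before and after. The file names and the passphrase are constructed for the demonstration, and it assumes OpenSSH's `ssh-keygen` is installed.

```shell
#!/bin/sh
# Added example: the passphrase encrypts only the private key file, so the
# public key a user hands to an admin is the same with or without it.

# Print "type base64-blob" of the public key derived from a private key file.
# $1 = private key file, $2 = passphrase ("" when the key is unencrypted)
derive_pub() {
    ssh-keygen -y -P "$2" -f "$1" | awk '{print $1, $2}'
}

# Return 0 when the public half is identical before and after the passphrase
# is stripped, 1 when it differs, 2 when ssh-keygen itself failed.
pubkey_unchanged_after_removal() {
    dir=$(mktemp -d) || return 2
    key="$dir/id_demo"
    pass='constructed-demo-passphrase'   # throwaway value, constructed

    # 1. The user generates a passphrase-protected key pair.
    ssh-keygen -q -t ed25519 -N "$pass" -C demo -f "$key" \
        || { rm -rf "$dir"; return 2; }
    sent_to_admin=$(awk '{print $1, $2}' "$key.pub")
    before=$(derive_pub "$key" "$pass")

    # 2. Later the user removes the passphrase. Only the private key file
    #    is rewritten; nothing on the server changes or is notified.
    ssh-keygen -q -p -P "$pass" -N '' -f "$key" >/dev/null \
        || { rm -rf "$dir"; return 2; }
    after=$(derive_pub "$key" '')

    rm -rf "$dir"
    [ -n "$before" ] || return 2
    [ "$before" = "$after" ] && [ "$after" = "$sent_to_admin" ]
}

if pubkey_unchanged_after_removal; then
    echo "public key identical with and without a passphrase"
fi
```

The line in `authorized_keys` matches the key in both states, which is why a passphrase requirement cannot be checked from the server side.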