mediumaccess-controlunverified
Ensure SSH/certificate private keys are protected by a passphrase
cert-private-key-passphrase · RHEL ≥ 8 · 1 impl
Description
Private keys used for authentication must be encrypted with a passphrase so a stolen key file cannot be used on its own. This checks SSH private keys in the standard locations for the unencrypted state.
Rationale
An unencrypted private key file, if exfiltrated, grants an attacker the identity it certifies with no further barrier.
Check → Remediate
Checkcommand
command -v ssh-keygen >/dev/null 2>&1 || { echo "NOT APPLICABLE: ssh-keygen unavailable"; exit 0; }
fail=0
# Candidate private-key files in the standard locations.
for k in /root/.ssh/id_* /home/*/.ssh/id_*; do
[ -f "$k" ] || continue
case "$k" in *.pub) continue ;; esac
# -P '' supplies an empty passphrase: succeeds (exit 0) ONLY if the key
# is unencrypted; an encrypted key rejects the empty passphrase (no prompt).
if ssh-keygen -y -P '' -f "$k" >/dev/null 2>&1; then
echo "FAIL: $k is an unencrypted private key"
fail=1
fi
done
if [ "$fail" -eq 0 ]; then
echo "OK: no unencrypted private keys found in standard locations"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add a passphrase to each unencrypted key: ssh-keygen -p -f <keyfile>. Note: SSH host keys (/etc/ssh/ssh_host_*_key) are intentionally passphrase-less; scope enforcement to user/authentication keys per site policy.
Framework references
STIG
V-281326 / RHEL-10-701240V-258127 / RHEL-09-611190V-230230 / RHEL-08-010100
NIST 800-53
IA-5(2)
#pki#private-key#passphrase#ssh#stig