← Rules Catalog
mediumaccess-controlunverified

Ensure SSH/certificate private keys are protected by a passphrase

cert-private-key-passphrase · RHEL ≥ 8 · 1 impl

Description

Private keys used for authentication must be encrypted with a passphrase so a stolen key file cannot be used on its own. This checks SSH private keys in the standard locations for the unencrypted state.

Rationale

An unencrypted private key file, if exfiltrated, grants an attacker the identity it certifies with no further barrier.

Check → Remediate

Checkcommand
command -v ssh-keygen >/dev/null 2>&1 || { echo "NOT APPLICABLE: ssh-keygen unavailable"; exit 0; }
fail=0
# Candidate private-key files in the standard locations.
for k in /root/.ssh/id_* /home/*/.ssh/id_*; do
  [ -f "$k" ] || continue
  case "$k" in *.pub) continue ;; esac
  # -P '' supplies an empty passphrase: succeeds (exit 0) ONLY if the key
  # is unencrypted; an encrypted key rejects the empty passphrase (no prompt).
  if ssh-keygen -y -P '' -f "$k" >/dev/null 2>&1; then
    echo "FAIL: $k is an unencrypted private key"
    fail=1
  fi
done
if [ "$fail" -eq 0 ]; then
  echo "OK: no unencrypted private keys found in standard locations"
  exit 0
fi
exit 1
expected_exit:
0
Remediatemanual
note:
Add a passphrase to each unencrypted key: ssh-keygen -p -f <keyfile>. Note: SSH host keys (/etc/ssh/ssh_host_*_key) are intentionally passphrase-less; scope enforcement to user/authentication keys per site policy.

Framework references

STIG

V-281326 / RHEL-10-701240V-258127 / RHEL-09-611190V-230230 / RHEL-08-010100

NIST 800-53

IA-5(2)
#pki#private-key#passphrase#ssh#stig