Hi! I've been trying to dig around and find a way to enforce passphrases on private keys when you authenticate. The closest post that I can find would be...
http://marc.info/?l=openssh-unix-dev&m=106941429416956&w=2 --- if openssl rsa -noout -passin pass:none -in /path/to/key ; then echo user is a dork fi --- However, how does one go about implementing this if their private key is on the local system? If the private key is on your server, you could probably put it in a login script. But being that it is on the local system, how would you go about verifying the passphrase? The reason why I'm going down this road is because we have had problems where a user's private key is compromised. Some user's do not use passphrases on their private keys. Once a key is copied off the system, the attacker then logs in without worrying about passwords. My idea is to have the server deny the connection if a passphrase does not exist on a private key. Thanks!
