> It would be nice if SSH had a way to refuse entry to unpassphrased keys, or
> if I had a way to determine that the private key corresponding to some
> public key were unpassphrased, so I could audit authorized_keys files for
> unpassphrased keys and remove them.

I don't see how this could work; the entire point of PPK is that you never have to hand out
your private key to anyone. So there's no way that the server can see whether the client's
private key had a passphrase or not.
Of course the protocol could just include that information in the request, but that's
completely useless as a security precaution, because the attacker just needs to tweak his SSH
client code to always say that the key was passphrased, even if it wasn't.