> The closest you can get is to hack ssh-keygen so that it refuses to
> generate non-passphrased keys, and force everyone to generate new keys,
> pissing everyone off.
Of course there's no way to guarantee that someone hasn't created a key using an older version
of ssh-keygen, or a version that's been hacked back again. If the server cannot see the
private key it _cannot_ reliably know whether it was locked or not. And not allowing the
server to see the private key is one of the key features of PPK.
Not to mention that there are very legitimate uses for password-less login, and non-PPK
password-less login has no security at all. If you have to have password-less login (and
sometimes you do, particular for automation purposes) then using a passphrase-less private key
can, with proper attention to detail, give you a "pretty secure" way to do it.