> Of course the protocol could just include that information in the request but that's
> completely useless as a security precaution, because the attacker just needs to tweak his
> client code to always say that the key was passphrased, even if it wasn't.
Actually, this sounds very reasonable to me: the point of refusing access to passphraseless
keys isn't to protect from an attacker, but to protect from a lazy user, who doesn't want to
type his passphrase. This wouldn't protect from sophisticated lazy users, but those lazy
users will probably realize it's easier to run an ssh-agent than to compile a modified ssh
client. But this would prevent the stupid lazy user from logging in with his/her
passphraseless key, which ought to gain something.