> The closest you can get is to hack ssh-keygen so that it refuses to
> generate non-passphrased keys, and force everyone to generate new keys,
> pissing everyone off.

Of course there's no way to guarantee that someone hasn't created a key using an older version of ssh-keygen, or a version that's been hacked back again. If the server cannot see the private key it _cannot_ reliably know whether it was locked or not. And not allowing the server to see the private key is one of the key features of PPK.

Not to mention that there are very legitimate uses for password-less login, and non-PPK password-less login has no security at all. If you have to have password-less login (and sometimes you do, particularly for automation purposes) then using a passphrase-less private key can, with proper attention to detail, give you a "pretty secure" way to do it.
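The two practical points in the comment above are that only the client side can tell whether a private key is passphrase-protected, and that a passphrase-less automation key needs "proper attention to detail" on the server side. The following is an added example, not code from the commenter or from OpenSSH: it checks a local private key file for encryption by reading the cipher and KDF names from the openssh-key-v1 header (or the Proc-Type line of a legacy PEM key), and it builds an authorized_keys entry that pins such a key to one source network and one command using the `restrict` option. The key blobs and the public key string used as sample input are constructed placeholders, not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf: bytes, off: int):
    """Read one length-prefixed (uint32 big-endian) string from an SSH wire blob."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def is_passphrase_protected(key_text: str) -> bool:
    """Return True if the private key on disk is encrypted with a passphrase.

    Handles the modern openssh-key-v1 format (cipher/KDF names in the header)
    and legacy PEM keys (Proc-Type: 4,ENCRYPTED). This is a client-side check:
    a server that only sees the public key cannot make this determination.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    if lines[0] == PEM_HEADER and lines[-1] == PEM_FOOTER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("armor says openssh-key-v1 but magic is missing")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)   # "none" or e.g. "aes256-ctr"
        kdf, off = _read_string(blob, off)      # "none" or "bcrypt"
        return cipher != b"none" or kdf != b"none"
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by a Proc-Type header line.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("unrecognised private key format")


def restricted_authorized_keys_line(pubkey: str, command: str, from_pattern: str) -> str:
    """Build an authorized_keys entry for a passphrase-less automation key.

    `restrict` (OpenSSH 7.2+) disables forwarding, PTY, agent and X11 in one
    word; `from=` limits the client address; `command=` forces one program
    regardless of what the client asks for. Double quotes in the command are
    escaped as sshd expects.
    """
    if "\n" in pubkey or "\n" in command:
        raise ValueError("newline would split the authorized_keys entry")
    escaped = command.replace('"', '\\"')
    return f'restrict,from="{from_pattern}",command="{escaped}" {pubkey.strip()}'


# --- constructed sample input (placeholders, not real key material) ---
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Assemble only the header fields the checker reads, then PEM-armor it."""
    blob = (OPENSSH_MAGIC + _string(cipher) + _string(kdf) + _string(b"")
            + struct.pack(">I", 1) + _string(b"placeholder-pub") + _string(b"placeholder-priv"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


UNLOCKED_KEY = _constructed_openssh_key(b"none", b"none")
LOCKED_KEY = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_LOCKED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "cGxhY2Vob2xkZXI=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PLACEHOLDER_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER backup@host"


if __name__ == "__main__":
    for name, key in (("unlocked", UNLOCKED_KEY), ("locked", LOCKED_KEY), ("legacy", LEGACY_LOCKED_KEY)):
        print(f"{name}: passphrase-protected={is_passphrase_protected(key)}")
    print(restricted_authorized_keys_line(PLACEHOLDER_PUBKEY, "/usr/local/bin/backup-pull", "10.0.0.0/8"))
```

Run the checker against `~/.ssh/id_*` files on the client that holds the automation key; the `restrict,from=,command=` entry goes into the target account's `authorized_keys` on the server, which is the only place the server has any leverage over how a key it never sees is used.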
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds