{"description": "Verify the SSH private key files have a passcode.\nFor each private key stored on the system, use the following command:\n\n<pre>$ sudo ssh-keygen -y -f /path/to/file</pre>\n\nIf the contents of the key are displayed without asking for a passphrase, this is a finding.", "rationale": "If an unauthorized user obtains access to a private key without a passcode, that user would\nhave unauthorized access to any system where the associated public key has been installed.", "severity": "medium", "references": {"nist": ["IA-5(2)", "IA-5(2).1"], "srg": ["SRG-OS-000067-GPOS-00035"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "Any contents were displayed without asking for a passphrase", "ocil": "For each private key stored on the system, use the following command:\n\n<pre>$ sudo ssh-keygen -y -f /path/to/file</pre>", "oval_external_content": null, "fixtext": "Set a passphrase on all keys that do not have one with the following command:\n\n<pre>$ sudo ssh-keygen -p -N passphrase -f /path/to/file</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "OpenSSH Service Must Use Passcode for Their Private Keys", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_private_keys_have_passcode/rule.yml", "template": null}