We have some SFTP-Chroot environments where we only allow 4096-bit RSA keys for authentication, and we only have the public key part from our users. But we have a policy that the user has to set a password for their private key parts.
Is there a way to check if that's true (that they've really set a password) only by owning the public key part, or maybe by setting something in the openssh-server config?
Best Answer
You can't (with only the public key). The user may change or remove the password for the private key without affecting the server.
There is a similar question: How to tell if a public SSH key has a passphrase
If you are implementing two-factor authentication, maybe you could consider PAM or a custom script. Making it work with some SFTP clients may be a pain though.
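As an added example (not from the question or the answer above): since the server cannot learn from the public key whether the private half is passphrase-protected, the check has to run where the private key lives, e.g. in a client-side compliance or provisioning script. This Python function inspects the private key file's own format: an openssh-key-v1 file names its cipher and KDF in the header ("none" for an unencrypted key), a legacy PEM key carries a `Proc-Type: 4,ENCRYPTED` line, and PKCS#8 uses a distinct `BEGIN ENCRYPTED PRIVATE KEY` header. The sample builder constructs a header-only blob with no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one uint32-length-prefixed string from an openssh-key-v1 blob."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def private_key_is_encrypted(pem_text: str) -> bool:
    """True if a private key file on disk is passphrase-protected.

    Covers openssh-key-v1 (cipher/KDF names in the header), legacy PEM
    (Proc-Type: 4,ENCRYPTED line) and PKCS#8 (distinct BEGIN header).
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-formatted private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        # Unencrypted keys carry cipher "none" and KDF "none"; encrypted
        # ones name a cipher (e.g. aes256-ctr) and the bcrypt KDF.
        return cipher != b"none" and kdf != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    if header == "-----BEGIN PRIVATE KEY-----":
        return False
    # Legacy PEM (RSA/EC/DSA PRIVATE KEY): encryption is signalled by a
    # "Proc-Type: 4,ENCRYPTED" header line before the base64 body.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def build_sample_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed test input: an openssh-key-v1 header with no real key material."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

A policy check on a user's workstation would read `~/.ssh/id_rsa` and refuse to proceed when this returns False; nothing here can be derived from the public key alone.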