Ref T13454. Ref T13123. Ref T13006. We currently test if a private key has a password by looking for the text "ENCRYPTED" in the key body. This test is obviously unsophisticated, and cannot identify all keys with passphrases.
Modern keys with passphrases look like this:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDvWlhrGB
...
BMtSyiq+AScOPPbrkMZzOdqbo97JyO3hMe8Ha8bhuclZiM0qWg
-----END OPENSSH PRIVATE KEY-----
Instead, detect that a key has a passphrase by changing the passphrase from "" (the empty string) to "" (the empty string). If this works: no passphrase. If it fails, assume that indicates it's a passphrase-protected key (although it could indicate that it's just a bad key).
There's another technique here with SSH_ASKPASS=... but:
- I couldn't get that to work at all; and
- I couldn't come up with a simple way to determine that our ASKPASS binary has been invoked, to improve our confidence that we're genuinely detecting a private key with a password.
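
An added illustration, not part of this change or of the project's code: in the new OpenSSH key format the cipher name is stored inside the base64 body, which is why the "ENCRYPTED" text test misses these keys. This Python example reads that header directly, a different technique from the empty-to-empty passphrase change described above; the function names and the constructed no-passphrase sample are assumptions.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def read_string(buf, offset):
    """Read one SSH wire string (uint32 big-endian length, then the bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end

def key_cipher_and_kdf(key_text):
    """Return (ciphername, kdfname) from the header of an openssh-key-v1 key."""
    text = key_text.strip()
    if not text.startswith(BEGIN):
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    b64 = "".join(text[len(BEGIN):].split(END)[0].split())
    head = b64[:96]                          # 72 bytes: magic + both names
    head = head[:len(head) - len(head) % 4]  # stay decodable if cut short
    blob = base64.b64decode(head)
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, offset = read_string(blob, len(MAGIC))
    kdf, _ = read_string(blob, offset)
    return cipher.decode("ascii"), kdf.decode("ascii")

def has_passphrase(key_text):
    """A ciphername other than "none" means the private section is encrypted."""
    return key_cipher_and_kdf(key_text)[0] != "none"

def wrap(header_b64):
    return f"{BEGIN}\n{header_b64}\n{END}\n"

# First base64 line of the key quoted above; the rest of the body is omitted.
ENCRYPTED_SAMPLE = wrap(
    "b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDvWlhrGB")
# Constructed header for a key without a passphrase (not a usable key).
PLAIN_SAMPLE = wrap(base64.b64encode(
    MAGIC + b"\x00\x00\x00\x04none" * 2 + b"\x00\x00\x00\x00").decode())

if __name__ == "__main__":
    for name, key in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, key_cipher_and_kdf(key), "ENCRYPTED" in key, has_passphrase(key))
```

This only covers the openssh-key-v1 container; it says nothing about whether the rest of the key is well formed.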