@@ -280,6 +280,41 @@ if ($Zerofree) {
280280 Show-Output - ForegroundColor Cyan " Free space will be zeroed at the end of this script."
281281}
282282
283+ # Check that SSH keys are stored on secure devices
284+ $SSHDir = " ${UserDir} \.ssh"
285+ if ((Test-Path " ${SSHDir} " ) -and (Test-CommandExists " ssh-keygen" )) {
286+ Show-Output " SSH configuration folder found. Checking that the keys are secure."
287+ $BadKeys = [System.Collections.ArrayList ]@ ()
288+ # Get-ChildItem does not support -Filter and -Exclude at the same time
289+ Get-ChildItem " ${SSHDir} " - Filter " id_*" | Foreach-Object {
290+ # Skip .pub files
291+ if ($_.FullName -match ' ^(?!.*\.pub$).*$' ) {
292+ $KeyProps = " $ ( ssh- keygen - lf $_.FullName ) "
293+ # Get the last part and strip first and last characters
294+ $KeyType = $KeyProps.split (" " )[-1 ] -replace " ^." -replace " .$"
295+ if (-not $KeyType.EndsWith (" -SK" )) {
296+ $BadKeys.Add (" $ ( $_.FullName ) `n ${KeyProps} " )
297+ }
298+ }
299+ }
300+ if ($BadKeys.Length ) {
301+ Add-Type - AssemblyName PresentationCore, PresentationFramework
302+ $ButtonType = [System.Windows.MessageBoxButton ]::OK
303+ $MessageIcon = [System.Windows.MessageBoxImage ]::Error
304+ $MessageBody = (
305+ " The following SSH keys seem not to be stored on a secure device " +
306+ " such as a TPM (Windows Hello) or a FIDO2 hardware token (e.g. YubiKey). " +
307+ " Please replace them with secure keys as soon as possible. " +
308+ " Please see https://agx.fi/it/ssh for further instructions.`n`n " + ($BadKeys -join " `n`n " )
309+ )
310+ $MessageTitle = " Insecure SSH keys detected"
311+ [System.Windows.MessageBox ]::Show($MessageBody , $MessageTitle , $ButtonType , $MessageIcon )
312+ Start-Process " https://agx.fi/it/ssh"
313+ }
314+ } else {
315+ Show-Output " SSH configuration folder or ssh-keygen was not found."
316+ }
317+
283318# Loaded globally, since these are slow
284319$ComputerInfo = Get-ComputerInfo
285320$IsDomainJoined = Get-IsDomainJoined
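Review bot: `$BadKeys.Add(...)` at new line 296 returns the index of the added element, and inside the Foreach-Object script block that integer goes to the output stream, so every flagged key also prints a stray number; discard it with `$null = $BadKeys.Add(...)`. At new line 300, `ArrayList` exposes `Count` rather than `Length`, and I would not rely on PowerShell's synthetic `Length` member for this type, so `if ($BadKeys.Count -gt 0) {` is the unambiguous test. The key type is taken from the last token of the `ssh-keygen -lf` output at lines 292–294 with stderr not captured; if that call fails for a file, `$KeyProps` and `$KeyType` are empty and the file is listed with a blank description instead of being reported as unreadable, which deserves a comment or an explicit empty check before the `-SK` test. Also note that the `-Filter "id_*"` scan covers only default key names, so keys referenced from an SSH config under other names are never inspected; stating that in the `Show-Output` message would keep a clean result from being read as full coverage.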