by D9u 4600 days ago
Why not disable password logins completely, use PKI for all connections, and while we're at it, restrict logins to known hosts?

Also, don't use passwordless keys.

Then there's moving sshd off of port 22 to provide some obscurity.

Yada yada yada... How many times will we have to go over this subject?

1 comments

Is there any way server-side to determine if a key is passwordless or not?
Not from the public key.
That's what I thought. It's always struck me as a limitation of the ssh auth approach. While I can't insist on a good password, I'd like to be able to insist upon password-protected keys (at least as a default -- exceptions for some system processes / activities).