Utility to scan for unpassworded SSH privkeys?
Dan Kaminsky
dan at doxpara.com
Fri May 24 10:39:56 EST 2013
Effectively nobody passphrases their ssh keys. They're used as a way to *suppress* password entry in the real world -- use this, and things just work rather than poking you each time.
Sent from my iPhone
On May 23, 2013, at 5:19 PM, "Dan Mahoney, System Admin" <danm at prime.gushi.org> wrote:
> Hey all,
>
> Let's make an assumption:
>
> 1) I am a root user on a system.
>
> 2) I don't want said system being used as a jumping-off point if either a user account or the root account is compromised.
>
> Given an unencrypted private key, plus a known_hosts file, plus bash_history, it's a pretty easy avenue of attack once you're in the front door. And it's happened before*.
>
> Thus, what I'd like to do is (in the spirit of crack's "nastygram" script), trawl through user .ssh directories and warn users with insecure keys (or warn root).
>
> I'm shocked I can't find something that does this with a basic google search. Debian offers their ssh-vulnkey tool, but that checks for something different (weak RNG-seeded keys).
>
> Has anyone come across something like this? Better still, written it?
>
> It seems to me that something like this should be in /contrib, but that's just me.
>
> My ears are open.
>
> -Dan
>
> *(http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key)
> http://threatpost.com/apache-site-hacked-through-ssh-key-compromise-082809/
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list