Utility to scan for unpassworded SSH privkeys?

Dan Kaminsky dan at doxpara.com
Fri May 24 10:39:56 EST 2013


Effectively nobody passphrases their ssh keys.  They're used as a way to *suppress* password entry in the real world -- use this, and things just work rather than poking you each time.

Sent from my iPhone

On May 23, 2013, at 5:19 PM, "Dan Mahoney, System Admin" <danm at prime.gushi.org> wrote:

> Hey all,
> 
> Let's make an assumption:
> 
> 1) I am a root user on a system.
> 
> 2) I don't want said system being used as a jumping-off point if either a user account or the root account is compromised.
> 
> Given an unencrypted private key, plus a known_hosts file, plus bash_history, it's a pretty easy avenue of attack once you're in the front door.  And it's happened before*.
> 
> Thus, what I'd like to do is (in the spirit of crack's "nastygram" script), trawl through user .ssh directories and warn users with insecure keys (or warn root).
> 
> I'm shocked I can't find something that does this with a basic google search.  Debian offers their ssh-vulnkey tool, but that checks for something different (weak RNG-seeded keys).
> 
> Has anyone come across something like this?  Better still, written it?
> 
> It seems to me that something like this should be in /contrib, but that's just me.
> 
> My ears are open.
> 
> -Dan
> 
> *(http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key)
> http://threatpost.com/apache-site-hacked-through-ssh-key-compromise-082809/
> 
> -- 
> 
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
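An added example, not code from either poster, of the scanner the quoted message asks for: it walks every user's ~/.ssh, classifies each private key by the on-disk formats ssh-keygen writes (traditional PEM, PKCS#8 and openssh-key-v1) and reports the ones stored without a passphrase, so root can warn their owners. The /home root path and the SAMPLES headers are constructed assumptions; the samples carry no real key material.

```python
import base64
import re
import struct
from pathlib import Path

# Any PEM-style block whose label ends in PRIVATE KEY (PKCS#8, traditional RSA/DSA/EC, OpenSSH).
PEM_RE = re.compile(rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def classify_private_key(data: bytes) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-private-key' for the bytes of one file."""
    if not (m := PEM_RE.search(data)):
        return "not-a-private-key"
    label, body = m.group(1).decode(), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 with a passphrase: the label says so
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1: magic, then a length-prefixed ciphername; "none" means no passphrase
        try:
            raw = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return "not-a-private-key"
        off = len(OPENSSH_MAGIC)
        if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
            return "not-a-private-key"
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return "unencrypted" if raw[off + 4:off + 4 + n] == b"none" else "encrypted"
    # PKCS#8 without a passphrase, or traditional PEM, where only a header line signals encryption
    return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in body else "unencrypted"

def scan_home_dirs(home_root: str = "/home") -> list:
    """List (path, state) for every private key under <home>/.ssh; run as root to read them all."""
    root, found = Path(home_root), []
    for f in (root.glob("*/.ssh/*") if root.is_dir() else []):
        if f.is_file() and f.suffix != ".pub":
            state = classify_private_key(f.read_bytes())
            if state != "not-a-private-key":
                found.append((str(f), state))
    return found

def _openssh_header(cipher: bytes) -> bytes:  # constructed: magic + ciphername only, no key material
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw) + b"-----END OPENSSH PRIVATE KEY-----\n"

SAMPLES = {  # constructed sample files (header lines only, no real keys) for the formats ssh-keygen writes
    "openssh_plain": _openssh_header(b"none"),
    "openssh_passphrase": _openssh_header(b"aes256-ctr"),
    "pem_plain": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n",
    "pem_passphrase": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nMIIE\n-----END RSA PRIVATE KEY-----\n",
}
```

Entries reported as "unencrypted" by scan_home_dirs() are the ones to nag about; the traditional PEM check relies on the Proc-Type header rather than decoding the key, so it is cheap enough to run from cron.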

