Utility to scan for unpassworded SSH privkeys?

Ben Lindstrom mouring at eviladmin.org
Fri May 24 13:34:15 EST 2013


On May 23, 2013, at 7:19 PM, "Dan Mahoney, System Admin" <danm at prime.gushi.org> wrote:

> Hey all,
> 
> Let's make an assumption:
> 
> 1) I am a root user on a system.
> 
> 2) I don't want said system being used as a jumping-off point if either a user account or the root account is compromised.
> 
> Given an unencrypted private key, plus a known_hosts file, plus bash_history, it's a pretty easy avenue of attack once you're in the front door.  And it's happened before*.
> 
> Thus, what I'd like to do is (in the spirit of crack's "nastygram" script), trawl through user .ssh directories and warn users with insecure keys (or warn root).
> 
> I'm shocked I can't find something that does this with a basic google search.  Debian offers their ssh-vulnkey tool, but that checks for something different (weak RNG-seeded keys).
> 
> Has anyone come across something like this?  Better still, written it?
> 
> It seems to me that something like this should be in /contrib, but that's just me.
> 
> My ears are open.


Three comments:

1.  Set this in /etc/ssh/ssh_config and advocate people use it.
     HashKnownHosts
             Indicates that ssh(1) should hash host names and addresses when
             they are added to ~/.ssh/known_hosts.  These hashed names may be
             used normally by ssh(1) and sshd(8), but they do not reveal
             identifying information should the file's contents be disclosed.
             The default is ``no''.  Note that existing names and addresses in
             known hosts files will not be converted automatically, but may be
             manually hashed using ssh-keygen(1).

This stops your "known host" issues.

2. Discourage people from leaving PRIVATE KEYS on your server.  The only place they should live is on the user's laptop (hopefully password protected) and encourage good ssh-agent usage (something I always advocate to my users and do myself).

This stops people from breaking one ssh account, finding a local exploit and stealing other keys to other people's sites.


3.  Encourage people (disable offending accounts) to use this in their ~/.ssh/authorized_keys files for *EACH* key they place.

     from="pattern-list"
             Specifies that in addition to public key authentication, either
             the canonical name of the remote host or its IP address must be
             present in the comma-separated list of patterns.  See PATTERNS in
             ssh_config(5) for more information on patterns.

             In addition to the wildcard matching that may be applied to
             hostnames or addresses, a from stanza may match IP addresses using
             CIDR address/masklen notation.

             The purpose of this option is to optionally increase security:
             public key authentication by itself does not trust the network or
             name servers or anything (but the key); however, if somebody
             somehow steals the key, the key permits an intruder to log in
             from anywhere in the world.  This additional option makes using a
             stolen key more difficult (name servers and/or routers would have
             to be compromised in addition to just the key).


This helps protect against "wandering private key syndrome," as it is locked down a bit more.

Personally, if I were going to allow my system to be a general shell server for even close friends, I'd have cron jobs disabling, deleting, or otherwise ensuring the last two are respected.  And it would be clearly posted.

*shrug* But frankly, I have advocated the above three items for years.

- Ben
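The kind of audit Dan asks for, written as an added example (not code from the thread or from OpenSSH): a POSIX sh script that checks one ~/.ssh directory for the three things Ben lists, namely private keys stored without a passphrase, known_hosts entries that are not hashed, and authorized_keys entries without a from= restriction. The function names, the sample directory and the key bodies in it are constructed for this example; the key files are header-only stubs that exercise the format checks and are not usable keys. It assumes base64, grep, awk, head and tail from GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: audit one ~/.ssh directory for unencrypted private keys,
# plaintext known_hosts entries and unrestricted authorized_keys entries.
# Tool names and file layout are assumptions; key material below is a stub.

# Exit 0 if FILE is an encrypted private key, 1 if it is an unencrypted
# private key, 2 if it is not a private key at all.
ssh_key_is_encrypted() {
  kf=$1
  if grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$kf"; then
    # Native OpenSSH format: the decoded payload starts with the 15-byte
    # magic "openssh-key-v1\0", a 4-byte length, then the cipher name.
    # Plaintext keys use the cipher name "none"; bytes 20-23 are enough
    # to tell "none" apart from a real cipher such as "aes256-ctr".
    cipher=$(grep -v -e '^-----' "$kf" | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
    [ "$cipher" != "none" ]
  elif grep -q -e 'PRIVATE KEY-----' "$kf"; then
    # Legacy PEM format: a passphrase-protected key carries this header.
    grep -q 'Proc-Type: 4,ENCRYPTED' "$kf"
  else
    return 2
  fi
}

# Count known_hosts entries stored as plaintext host names (HashKnownHosts
# off). Hashed entries begin with "|1|"; comments and blank lines are skipped.
unhashed_known_hosts() {
  grep -v -c -e '^|1|' -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# Count authorized_keys lines carrying no from="..." option. Assumes the
# trailing comment field does not itself contain the text from=".
unrestricted_authorized_keys() {
  awk '!/^#/ && !/^[[:space:]]*$/ && $0 !~ /(^|,)from="/ { n++ } END { print n + 0 }' "$1"
}

# Print one line per finding in DIR and return the number of findings
# (0 means the directory is clean).
ssh_audit_dir() {
  dir=$1
  findings=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case ${f##*/} in known_hosts|authorized_keys|config|*.pub) continue ;; esac
    rc=0; ssh_key_is_encrypted "$f" || rc=$?
    if [ "$rc" -eq 1 ]; then
      echo "unencrypted private key: $f"
      findings=$((findings + 1))
    fi
  done
  if [ -f "$dir/known_hosts" ]; then
    n=$(unhashed_known_hosts "$dir/known_hosts")
    if [ "$n" -gt 0 ]; then
      echo "known_hosts: $n plaintext host entries (set HashKnownHosts yes)"
      findings=$((findings + n))
    fi
  fi
  if [ -f "$dir/authorized_keys" ]; then
    n=$(unrestricted_authorized_keys "$dir/authorized_keys")
    if [ "$n" -gt 0 ]; then
      echo "authorized_keys: $n keys without a from= restriction"
      findings=$((findings + n))
    fi
  fi
  return "$findings"
}

# Build a throwaway directory of constructed sample files. The key bodies are
# format stubs (magic + cipher name only) and the key blobs are placeholders.
make_sample_sshdir() {
  d=$(mktemp -d)
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none\000\000\000\000' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_ed25519"   # no passphrase
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_ecdsa"     # passphrase-protected
  { echo '-----BEGIN RSA PRIVATE KEY-----'
    echo 'Proc-Type: 4,ENCRYPTED'
    echo 'DEK-Info: AES-128-CBC,00000000000000000000000000000000'
    echo ''
    echo 'placeholder-base64-body'
    echo '-----END RSA PRIVATE KEY-----'; } > "$d/id_rsa"            # legacy PEM, encrypted
  echo 'ssh-ed25519 AAAA-placeholder alice@laptop' > "$d/id_ed25519.pub"
  { echo '|1|AAAAAAAAAAAAAAAAAAAAAAAAAAA=|BBBBBBBBBBBBBBBBBBBBBBBBBBB= ssh-ed25519 AAAA-placeholder'
    echo 'git.example.net ssh-ed25519 AAAA-placeholder'; } > "$d/known_hosts"
  { echo 'from="10.0.0.0/8,*.example.net" ssh-ed25519 AAAA-placeholder alice@laptop'
    echo 'ssh-ed25519 AAAA-placeholder bob@desktop'; } > "$d/authorized_keys"
  echo "$d"
}

# Usage: sh ssh_audit.sh --demo                        (constructed sample)
#        sh ssh_audit.sh /home/*/.ssh /root/.ssh       (as root, real dirs)
for arg in "$@"; do
  if [ "$arg" = "--demo" ]; then ssh_audit_dir "$(make_sample_sshdir)" || :
  elif [ -d "$arg" ]; then ssh_audit_dir "$arg" || :
  fi
done
```

The header check is deliberately cheap so it can run from cron over every home directory; the authoritative test for a single file is `ssh-keygen -y -P '' -f FILE`, which succeeds only when the key loads with an empty passphrase. The sample authorized_keys line shows the shape of the from= restriction Ben describes, and the known_hosts sample shows what a HashKnownHosts entry looks like next to a plaintext one.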