Adversaries may modify the SSH authorized_keys
file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys
file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys
.[1] Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config
.
Adversaries may modify SSH authorized_keys
files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s "add-metadata" command an adversary may add SSH keys to a user account.[2][3] Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.[4] This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.[5][6] It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
SSH keys can also be added to accounts on network devices, such as with the ip ssh pubkey-chain
Network Device CLI command.[7]
FAQs
The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. It is a highly important configuration file, as it configures permanent access using SSH keys and needs proper management.
What is the permission for authorized keys file in SSH? ›
ssh directory permissions should be 700 (drwx------). The public key (. pub file) should be 644 (-rw-r--r--). The private key (id_rsa) on the client host, and the authorized_keys file on the server, should be 600 (-rw-------).
How to remove ssh key from authorized_keys? ›
Four Steps to Remove SSH Keys
- SSH to your server. ssh <user>@<server ip>
- Edit file ~/.ssh/authorized_keys using your favorite editor (e.g. vi, nano, pico) vi ~/.ssh/authorized_keys.
- Remove the line that corresponds to your key.
- Save the file and exit (command below applies to 'vi' editor) Hit 'Esc' button, then type wq!
What is account manipulation? ›
Account manipulation is a technique used by attackers to gain access to critical resources. In this technique, the attacker gets hold of a user account which doesn't have enough privileges to access the required resource or data, and elevates its privileges.
What are SSH keys used for? ›
An SSH key is an access credential for the SSH (secure shell) network protocol. This authenticated and encrypted secure network protocol is used for remote communication between machines on an unsecured open network. SSH is used for remote file transfer, network management, and remote operating system access.
How to login using SSH key? ›
Once your SSH key pair is generated, you need to place the public key on the server.
- Use the command `ssh-copy-id user@your_server_ip` to copy the public key. Replace `user` with your username and `your_server_ip` with your server's IP address.
- Enter your password when prompted.
What happens if you DELETE a SSH key? ›
After your inactive SSH key is deleted, you must generate a new SSH key and associate it with your account. For more information, see "Generating a new SSH key and adding it to the ssh-agent" and "Adding a new SSH key to your GitHub account."
How to check all ssh keys? ›
Checking for existing SSH keys
- Open Terminal .
- Enter ls -al ~/.ssh to see if existing SSH keys are present. $ ls -al ~/.ssh # Lists the files in your .ssh directory, if they exist.
- Check the directory listing to see if you already have a public SSH key. ...
- Either generate a new SSH key or upload an existing key.
Why use ssh-agent? ›
ssh-agent is a key manager for SSH. It holds your keys and certificates in memory, unencrypted, and ready for use by ssh . It saves you from typing a passphrase every time you connect to a server.
What is an example of account abuse? ›
For example, a card/account holder who uses the purchase card/account to buy himself lunch because he had no cash available that day is misusing the purchase card/account.
The terms “spoofing” and “phishing” are often used interchangeably, but they mean different things. Spoofing uses a fake email address, display name, phone number, or web address to trick people into believing that they are interacting with a known, trusted source.
What is a falsified account? ›
false accounting consists of the dishonest: falsification, etc, of any account or accounting record or document; or the production of any account or accounting record or document which the producer knows is or may be misleading, in the course of furnishing information for any purpose.
How to connect SSH using authorized_keys? ›
On your computer, in the PuTTYgen utility, copy the contents of the public key (displayed in the area under "Key") onto your Clipboard. Then, on the remote system, use your favorite text editor to paste it onto a new line in your ~/.ssh/authorized_keys file, and then save and close the file.
What is the difference between authorized_keys and authorized_keys2? ›
The $HOME/. ssh/authorized_keys file lists the RSA keys that are permitted for RSA authentication in SSH protocols 1.3 and 1.5 Similarly, the $HOME/. ssh/authorized_keys2 file lists the DSA and RSA keys that are permitted for public key authentication (PubkeyAuthentication) in SSH protocol 2.0.
What is an authorization key? ›
A credit card authorization key is a code that is required to finalize a credit card transaction. It is transmitted automatically between the retailer's POS system and the cardholder's issuing bank.
Where is SSH authorized_keys on Windows? ›
The contents of your public key (\.ssh\id_ecdsa.pub) needs to be placed on the server into a text file called authorized_keys in C:\Users\username\.ssh\. You can copy your public key using the OpenSSH scp secure file-transfer utility, or using a PowerShell to write the key to the file.