One issue some clients have raised has been around management of SSH keys. Often, clients do not know which SSH keys are installed on their hosts, and any key they are unaware of is a standing, unaudited path onto the machine. This can be a big attack vector.
To do this in a solid way, we need to take the following steps:
First we identify the path for the authorized_keys location(s):
$ sudo sshd -T | grep authorizedkeysfile
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
Next, we need to look up all shells:
$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
We then need to look for all users with one of these valid shells, and extract their home directory:
$ grep -E \
-e '/bin/sh' \
-e '/bin/dash' \
-e '/bin/bash' \
-e '/bin/rbash' \
/etc/passwd | awk -F':' '{ print $1 ":" $6}'
root:/root
foo:/home/foo
bar:/home/bar
Finally, we can traverse the list, which would be:
- /root/.ssh/authorized_keys
- /root/.ssh/authorized_keys2
- /home/foo/.ssh/authorized_keys
- /home/foo/.ssh/authorized_keys2
- /home/bar/.ssh/authorized_keys
- /home/bar/.ssh/authorized_keys2
With the above data, we submit it upstream and report the key(s) found in each authorized_keys file along with the corresponding user.
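The whole procedure above, as one added example script that is not part of the original note. It reads the same three inputs (the AuthorizedKeysFile value from sshd, /etc/shells and /etc/passwd), but compares the shell field exactly rather than by substring, expands the %h, %u and %% tokens that AuthorizedKeysFile accepts, and then walks the resulting files to print one line per key with its owner. The /etc/shells and /etc/passwd contents, the third AuthorizedKeysFile entry, and the key blobs are constructed sample data so the script runs offline; the optional directory-prefix argument of report_keys is a harness assumption so that the constructed tree can be scanned instead of /.

```shell
#!/bin/sh
# Added example (not from the original note): list every authorized_keys path
# for every user with a valid login shell, then report each key with its owner.
# SAMPLE_SHELLS and SAMPLE_PASSWD are CONSTRUCTED; on a real host read the real
# files and take the entries from `sudo sshd -T | grep authorizedkeysfile`.

SAMPLE_SHELLS='# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash'

# name:pw:uid:gid:gecos:home:shell. daemon and svc have no valid shell and must be skipped.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
foo:x:1000:1000:foo:/home/foo:/bin/bash
bar:x:1001:1001:bar:/home/bar:/bin/rbash
svc:x:1002:1002:svc:/home/svc:/bin/false'

# AuthorizedKeysFile value with the keyword stripped. The third, absolute entry
# using %u is an assumed value added to exercise token expansion, not the default.
AUTHKEYS_FILES='.ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/keys/%u'

# Print "user:home" for each passwd entry whose shell field exactly matches a
# line of /etc/shells (so /usr/sbin/nologin is not matched by "/bin/sh" as a
# substring). $1 = passwd text, $2 = shells text.
users_with_valid_shell() {
    printf '%s\n' "$1" | awk -F':' -v shells="$2" '
        BEGIN {
            n = split(shells, line, "\n")
            for (i = 1; i <= n; i++)
                if (line[i] != "" && substr(line[i], 1, 1) != "#")
                    valid[line[i]] = 1
        }
        ($7 in valid) { print $1 ":" $6 }'
}

# Resolve one AuthorizedKeysFile entry for a user: expand %h, %u and %% first,
# then make a still-relative result relative to the home directory, as sshd does.
# $1 = entry, $2 = user, $3 = home.
expand_authkeys_path() {
    awk -v entry="$1" -v user="$2" -v home="$3" 'BEGIN {
        out = ""
        for (i = 1; i <= length(entry); i++) {
            c = substr(entry, i, 1)
            if (c == "%" && i < length(entry)) {
                t = substr(entry, ++i, 1)
                if      (t == "h") out = out home
                else if (t == "u") out = out user
                else if (t == "%") out = out "%"
                else               out = out "%" t
            } else {
                out = out c
            }
        }
        if (substr(out, 1, 1) != "/") out = home "/" out
        print out
    }'
}

# Print every candidate authorized_keys path, one per line.
# $1 = passwd text, $2 = shells text, $3 = space-separated AuthorizedKeysFile entries.
authkeys_paths() {
    users_with_valid_shell "$1" "$2" | while IFS=':' read -r user home; do
        for entry in $3; do
            expand_authkeys_path "$entry" "$user" "$home"
        done
    done
}

# Report "user<TAB>path<TAB>keytype<TAB>comment" for each key in each existing
# file. Blank and # lines are skipped; option prefixes such as command="..." are
# skipped by locating the key-type field. $4 = optional directory prefix
# (harness assumption) so a constructed tree can be scanned instead of /.
report_keys() {
    root=${4:-}
    users_with_valid_shell "$1" "$2" | while IFS=':' read -r user home; do
        for entry in $3; do
            path=$(expand_authkeys_path "$entry" "$user" "$home")
            [ -f "$root$path" ] || continue
            awk -v user="$user" -v path="$path" '
                NF == 0 || $1 ~ /^#/ { next }
                {
                    for (i = 1; i <= NF; i++)
                        if ($i ~ /^(ssh-|ecdsa-|sk-)/ && i < NF) {
                            comment = ""
                            for (j = i + 2; j <= NF; j++)
                                comment = comment (j > i + 2 ? " " : "") $j
                            print user "\t" path "\t" $i "\t" comment
                            break
                        }
                }' "$root$path"
        done
    done
}

# Constructed file tree so the report can run offline; removed on exit.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/root/.ssh" "$DEMO_ROOT/home/foo/.ssh" "$DEMO_ROOT/etc/ssh/keys"
# Placeholder key blobs (constructed, not real keys).
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY1 root@laptop' \
    > "$DEMO_ROOT/root/.ssh/authorized_keys"
printf '%s\n' '# deploy key' \
    'command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEKEY2 deploy@ci' \
    '' \
    'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYFAKEKEY3 foo@desktop' \
    > "$DEMO_ROOT/home/foo/.ssh/authorized_keys"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY4' > "$DEMO_ROOT/etc/ssh/keys/foo"

echo "# candidate paths"
authkeys_paths "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" "$AUTHKEYS_FILES"
echo "# keys found (user, path, type, comment)"
report_keys "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" "$AUTHKEYS_FILES" "$DEMO_ROOT"
```

On a real host, replace the three SAMPLE_ values with the real files and the sshd output and call report_keys without the fourth argument; the report lines are what gets submitted upstream. For a fingerprint rather than the raw type and comment, each matched file can be passed to ssh-keygen -lf, which prints one fingerprint per key line.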
Known issues:
- This does not factor in disabled accounts
- This logic would break if the authorized_keys file isn't located in the home directory (which is a valid way to configure OpenSSH)