Verify SSH Keys Modified on Host

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Security recommendation

ImpactRemediation complexitySeverityRecommended value
323No unauthorized modifications

SSH Keys should only be modified through authorized processes by legitimate users or configuration management systems.

Compliance

Documentation

SSH authorized_keys files control which public keys are authorized to authenticate to a user account via SSH. These files are typically located at ~/.ssh/authorized_keys for each user account.

File Integrity Monitoring (FIM) tracks changes to authorized_keys files by monitoring various file operations including:

  • chmod: Permission changes that could make the file world-writable or readable by unauthorized users
  • chown: Ownership changes that could allow unauthorized users to modify authentication settings
  • link: Creation of hard or symbolic links that could redirect authentication to attacker-controlled key files
  • rename: Moving or renaming key files, potentially to hide malicious keys or disable legitimate access
  • open: File modifications that add attacker public keys or remove legitimate keys
  • unlink: Deletion of authorized_keys files, potentially as part of covering tracks or denial of service
  • utimes: Timestamp modifications that could hide evidence of unauthorized key additions

Remediation

Prerequisites

  • You must have root or administrative privileges
  • Access to system logs and audit trails
  • Backup of known-good authorized_keys files or user management records
  • List of legitimate SSH public keys and their owners

Step-by-step guide

Step 1: Identify Modified File

Review the Finding to determine which authorized_keys file was modified:

# Check file details
ls -la ~/.ssh/authorized_keys
ls -la /root/.ssh/authorized_keys
stat /home/username/.ssh/authorized_keys

# Find all authorized_keys files on the system
find / -name authorized_keys -type f 2>/dev/null

Step 2: Review Current Contents

Examine the current authorized_keys file:

# View the file contents
cat /home/username/.ssh/authorized_keys

# Count the number of keys
grep -c "^ssh-" /home/username/.ssh/authorized_keys

# Check file permissions (should be 600 or 400)
ls -l /home/username/.ssh/authorized_keys

# Check directory permissions (should be 700)
ls -ld /home/username/.ssh/

Step 3: Verify Legitimate Change

Check if the modification was authorized:

# Check who last modified the file
stat /home/username/.ssh/authorized_keys

# Review audit logs for the file modification
ausearch -f /home/username/.ssh/authorized_keys -ts recent
auditctl -l | grep authorized_keys

# Check sudo/su logs for administrative actions
grep -E "sudo|su" /var/log/auth.log | tail -20

# Review SSH login attempts
grep "Accepted publickey" /var/log/auth.log | tail -20