Verify SSH Keys Modified on Host
Security recommendation
| Impact | Remediation complexity | Severity | Recommended value |
|---|---|---|---|
| 3 | 2 | 3 | No unauthorized modifications |
SSH Keys should only be modified through authorized processes by legitimate users or configuration management systems.
Documentation
SSH authorized_keys files control which public keys are authorized to authenticate to a user account via SSH. These files are typically located at ~/.ssh/authorized_keys for each user account.
File Integrity Monitoring (FIM) tracks changes to authorized_keys files by monitoring various file operations including:
- chmod: Permission changes that could make the file world-writable or readable by unauthorized users
- chown: Ownership changes that could allow unauthorized users to modify authentication settings
- link: Creation of hard or symbolic links that could redirect authentication to attacker-controlled key files
- rename: Moving or renaming key files, potentially to hide malicious keys or disable legitimate access
- open: File modifications that add attacker public keys or remove legitimate keys
- unlink: Deletion of authorized_keys files, potentially as part of covering tracks or denial of service
- utimes: Timestamp modifications that could hide evidence of unauthorized key additions
Prerequisites
- You must have root or administrative privileges
- Access to system logs and audit trails
- Backup of known-good authorized_keys files or user management records
- List of legitimate SSH public keys and their owners
Step-by-step guide
Step 1: Identify Modified File
Review the Finding to determine which authorized_keys file was modified:
```bash
# Check file details
ls -la ~/.ssh/authorized_keys
ls -la /root/.ssh/authorized_keys
stat /home/username/.ssh/authorized_keys

# Find all authorized_keys files on the system
find / -name authorized_keys -type f 2>/dev/null
```
Step 2: Review Current Contents
Examine the current authorized_keys file:
```bash
# View the file contents
cat /home/username/.ssh/authorized_keys

# Count the number of keys: one key per non-blank, non-comment line
# (counting only "^ssh-" would miss ecdsa/sk keys and lines that start with options)
grep -vcE '^[[:space:]]*(#|$)' /home/username/.ssh/authorized_keys

# Check file permissions (should be 600 or 400)
ls -l /home/username/.ssh/authorized_keys

# Check directory permissions (should be 700)
ls -ld /home/username/.ssh/
```
Step 3: Verify Legitimate Change
Check if the modification was authorized:
```bash
# Check when the file was last modified and changed (Modify/Change timestamps)
stat /home/username/.ssh/authorized_keys

# Review audit logs for the file modification
ausearch -f /home/username/.ssh/authorized_keys -ts recent
# Confirm an audit watch exists for the file
auditctl -l | grep authorized_keys

# Check sudo/su logs for administrative actions
# (Debian/Ubuntu log to /var/log/auth.log; RHEL-family systems use /var/log/secure)
grep -E "(sudo|su)(\[[0-9]+\])?:" /var/log/auth.log | tail -20

# Review SSH login attempts
grep "Accepted publickey" /var/log/auth.log | tail -20
```
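The three steps above boil down to a check worth scripting: list the keys actually present in the file, compare them against the list of legitimate public keys the prerequisites call for, and confirm the file and directory modes. The following POSIX shell script is an added example written for this page, not code from the page or its vendor. It assumes GNU `stat -c`, and the baseline file format (one legitimate public key per line), the sample keys and the paths are all constructed for the demonstration; options such as `command="..."` and trailing comments are ignored so that only the key type and key material are compared.

```bash
#!/bin/sh
# Added example: diff an authorized_keys file against a known-good baseline
# and verify its permissions. Assumes GNU coreutils (stat -c).

# Normalize authorized_keys-style lines to "type base64", dropping any
# leading option list (e.g. command="...",no-pty) and the trailing comment.
normalize_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip blank lines and comments
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i " " $(i+1); break
                }
            }
        }' "$1"
}

# Print keys present in FILE ($1) but absent from BASELINE ($2), one per line.
# comm needs sorted input, so both sides go through the same sort -u.
unknown_keys() {
    _tmp="${TMPDIR:-/tmp}/baseline.$$"
    normalize_keys "$2" | sort -u > "$_tmp"
    normalize_keys "$1" | sort -u | comm -23 - "$_tmp"
    rm -f "$_tmp"
}

# Return 0 when FILE is mode 600 or 400 and its parent directory is 700.
check_perms() {
    _fmode=$(stat -c '%a' "$1")
    _dmode=$(stat -c '%a' "$(dirname "$1")")
    case "$_fmode" in 600|400) ;; *) return 1 ;; esac
    [ "$_dmode" = 700 ]
}

# Constructed sample data (not real keys): a baseline of two approved keys and
# an authorized_keys file carrying one extra key that is not on the list.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -m 700 "$WORK/.ssh"
cat > "$WORK/baseline.txt" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyTwo bob@desk
EOF
cat > "$WORK/.ssh/authorized_keys" <<'EOF'
# deploy keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyTwo bob@desk
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnlistedKeyXYZ unknown@nowhere
EOF
chmod 600 "$WORK/.ssh/authorized_keys"

# Report: any key listed here is not in the approved baseline and needs an owner.
echo "Keys not in baseline:"
unknown_keys "$WORK/.ssh/authorized_keys" "$WORK/baseline.txt"
if check_perms "$WORK/.ssh/authorized_keys"; then
    echo "permissions OK"
else
    echo "permissions WRONG (expect file 600/400, directory 700)"
fi
```

Run it against a real host by pointing `unknown_keys` at the live `authorized_keys` file and at the baseline kept in configuration management; an empty result plus a passing `check_perms` means the file matches the approved state, while any printed key is the one to trace through the audit and auth logs from Step 3.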