
I Stopped Trusting SSH Key Files

Posted by Tomte | 2 hours ago | 1 comment

Bender 2 hours ago

A copied key works from anywhere, silently. There's no "is the real owner here right now?" check.

The server can have restrictions on where SSH keys are valid from. Furthermore, the server-side public SSH keys can be moved under /etc/ssh/keys so they are harder to tamper with vs a user's .ssh dir in $HOME. This can significantly reduce the blast radius of a leaked key. Furthermore, the server-side file should be set immutable and read-only, and something like Tripwire or OSSEC should be monitoring for changes to anything in /etc. Additionally, one can limit access to SSH over a VPN such as WireGuard unless this is a public SFTP server.

    # grep "/etc/ssh/keys/" /etc/ssh/sshd_config
    AuthorizedKeysFile /etc/ssh/keys/%u

    # chmod 0444 /etc/ssh/keys/root
    # chattr +i /etc/ssh/keys/root

    # cat /etc/ssh/keys/root
    from="172.16.0.0/12,26.10.15.0/24" ssh-ed25519 AAAA...[snip].... JIRA-10040
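The from= restriction and key-file layout described in the comment above, as an added example (not code from the post or from OpenSSH): a small Python audit that parses authorized_keys-style lines, lists keys with no from= clause, and checks whether a given source address would be accepted. The sample key file, its fake key blobs, and the simplified from= evaluator (first from= only, no backslash escapes) are assumptions made for this example.

```python
import fnmatch
import ipaddress
import re

# Constructed sample in the shape of the comment's /etc/ssh/keys/<user> file (key blobs are fake).
SAMPLE_KEYS = """\
from="172.16.0.0/12,26.10.15.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE1 JIRA-10040
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE2 unrestricted@laptop
from="10.0.0.0/8,!10.0.5.0/24",restrict,command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE3 backup
"""

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')   # whitespace-separated; quoted parts may hold spaces
OPTION = re.compile(r'(?:"[^"]*"|[^,"])+')   # comma-separated; quoted parts may hold commas

def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys line, or None for blank/# lines."""
    toks = TOKEN.findall(line)
    if not toks or toks[0].startswith("#"):
        return None
    opts = []
    if not toks[0].startswith(KEY_TYPES):      # a leading options field precedes the key type
        opts = [o.replace('"', "") for o in OPTION.findall(toks.pop(0))]
    return opts, toks[0], " ".join(toks[2:])

def from_allows(opts, client_ip):
    """Approximate sshd's from= rule: a matching '!' pattern denies outright, otherwise some
    positive pattern must match; no from= means any source. Only the first from= is evaluated."""
    froms = [o[5:] for o in opts if o.startswith("from=")]
    if not froms:
        return True
    addr, matched = ipaddress.ip_address(client_ip), False
    for pat in froms[0].split(","):
        neg, pat = pat.startswith("!"), pat.lstrip("!")
        try:                                   # CIDR or bare address, e.g. 172.16.0.0/12
            hit = addr in ipaddress.ip_network(pat, strict=False)
        except ValueError:                     # glob form, e.g. 10.0.*
            hit = fnmatch.fnmatchcase(client_ip, pat)
        if hit and neg:
            return False
        matched = matched or hit
    return matched

def unrestricted_keys(text):
    """Comments (or key types) of entries that would accept a login from any source address."""
    parsed = filter(None, map(parse_line, text.splitlines()))
    return [c or t for o, t, c in parsed if not any(x.startswith("from=") for x in o)]
```

Run `unrestricted_keys(open("/etc/ssh/keys/root").read())` on a real file to list the entries a copied key could still use from anywhere.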