SSH Authorized Keys

SSH authorized keys are public keys that grant remote login access to users over SSH, primarily on Linux and macOS systems. To log in to a machine configured for SSH key authentication, a user must present (prove possession of) the private half of their public/private key pair. If the private key matches a public key listed for that account, the user is granted access to the system. These keys are effectively credentials that can be used to log in to a system.

These keys are typically stored in the user's home directory at .ssh/authorized_keys. The system administrator can change this location by updating the SSH server configuration.

The SSH server configuration file is /etc/ssh/sshd_config.

In secure environments, keys are usually stored in a location owned by the root user of the system to prevent unwanted key manipulation by the account's own user.

The Risk

Threat actors can manipulate improperly secured SSH key directories on an endpoint, giving themselves access to the system at a later date and time of their choosing; this is persistence. Even if the SSH server isn't set up to use authorized keys, threat actors who gain access to the SSH configuration files can simply enable this behavior. Once they have access to the SSH configuration files, all they need to do is set the PubkeyAuthentication and RSAAuthentication directives to "yes" (RSAAuthentication belonged to the long-removed SSH protocol 1 and is ignored by current OpenSSH releases, so on those only PubkeyAuthentication matters). After this they can add their own SSH keys to the target machine. SSH keys can be added through simple tools like FTP to upload the file, or by commands used to generate the keys directly on the target machine.

Detection, Configuration, and Mitigation
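A defender-side audit of the two things described above, written as an added example for this page (not tooling from the original): it reads the global section of an sshd_config to report whether public-key authentication is on and where sshd will look for keys (the AuthorizedKeysFile directive, which is how the default .ssh/authorized_keys location is changed), and it compares every key in an authorized_keys file against a baseline of approved SHA256 fingerprints so that a newly added key stands out. The sample config, the key lines and the baseline are all constructed inline; the ed25519 blobs are syntactically valid but are not real keys.

```python
import base64
import hashlib
import re

# Key-type and base64 fields of an authorized_keys entry, after any leading options.
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3}|sk-[\w.-]+@openssh\.com)\s+([A-Za-z0-9+/]+=*)")

def parse_sshd_config(text):
    """Global-section directives, lower-cased; first occurrence wins (as in sshd) and parsing stops at the first Match block."""
    conf = {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if line:
            conf.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return conf

def authorized_keys_paths(conf):
    """Files sshd consults for keys (relative to the home dir unless absolute; sshd expands %u/%h per user)."""
    return conf.get("authorizedkeysfile", ".ssh/authorized_keys").split()

def fingerprint(b64_blob):
    """SHA256 fingerprint in the same form that `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(b64_blob)).digest()).decode().rstrip("=")

def audit_authorized_keys(text, baseline):
    """(line, reason, fingerprint) for each entry that is not an approved key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            fp = fingerprint(KEY_RE.search(line).group(2))
        except (AttributeError, ValueError):  # no key field, or malformed base64
            findings.append((lineno, "unparseable entry", None))
            continue
        if fp not in baseline:
            findings.append((lineno, "unexpected key", fp))
    return findings

def _ed25519_line(key_byte, comment):
    """Constructed ssh-ed25519 entry for the samples below: wire-format blob, not a real key."""
    blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes([key_byte]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed samples: a root-owned key location plus a per-user file, and a keys file with one approved and one unknown key.
SAMPLE_SSHD_CONFIG = "PubkeyAuthentication yes\nAuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys\nMatch User backup\n    PubkeyAuthentication no\n"
APPROVED_LINE = _ed25519_line(0x01, "admin@jumphost")
SAMPLE_AUTHORIZED_KEYS = "# constructed sample\n" + APPROVED_LINE + '\nfrom="203.0.113.0/24" ' + _ed25519_line(0x02, "unknown@nowhere") + "\n"
BASELINE = {fingerprint(APPROVED_LINE.split()[1])}
```

On a real host, run this over each path returned by authorized_keys_paths plus the file's ownership and mode, and keep the baseline outside the audited machine so an intruder cannot update it along with the key file.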
