Kromtech releases Key Inspector, free tool to check your SSH keys

How secure is your SSH connection?

Secure server connections are crucial. The last thing you want is for your server to be hacked due to key leakage or SSH brute force. We don’t want that either, which is why we’ve put together a comprehensive guide to help make your SSH connection secure.

Use it along with this free tool from Kromtech and you’ll be confident in having a more secure SSH connection.

Check it here: https://github.com/kromtech/key-inspector

What's causing my weak security?

1) You may not be using key authentication on your SSH connections.
Passwords alone are not enough: they can be guessed and brute-forced. Use public-key authentication instead.

2) Your SSH keys may not be stored securely.
If SSH is part of your daily workflow, you are probably using keys to log in to your servers. The usual place to keep them is ~/.ssh/ in your home directory. But how secure is that? Two things protect a key on disk: file permissions, which keep other accounts on the machine out of ~/.ssh, and a passphrase, which keeps the private key encrypted so that a program running with your user rights (and therefore allowed past the permissions) still cannot use what it copies. Without a passphrase, any program that runs as you can steal a usable key without any interaction from your side. It gets worse: by reading ~/.ssh/known_hosts, ANY such program can see the list of servers you have connected to, unless HashKnownHosts yes is set in your ssh configuration so that host names are stored hashed.

3) Your AWS credentials might be too open as well.
The AWS CLI keeps your access key ID and secret access key in ~/.aws/credentials. If that file is readable by others, any program on your computer can take it and get exactly the same access to your AWS infrastructure as you have, because those credentials are what identify you. That's bad news, but Key Inspector reports loose permissions on that file and gives you the command to fix them.

So what's the solution to these problems? Proper rights management and encryption. You can use our free tool to discover whether you're storing your keys securely. Using it is quite simple:

Go to https://github.com/kromtech/key-inspector and follow the instructions below:

git clone https://github.com/kromtech/key-inspector
cd key-inspector
python key-inspector.py

 If everything is OK you will see this output:

If things don't check out, don't worry. The tool prints the specific commands to fix permissions, and this guide will help you set up encryption on your keys.
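To make the three checks above concrete, here is a small scanner that does what they describe: it flags files under ~/.ssh and ~/.aws that other accounts can read, and private keys saved without a passphrase. This is an added example written for this article, not Key Inspector's source code, and it makes no claim about how that tool works internally. It assumes the documented on-disk layouts: OpenSSH's openssh-key-v1 container, where a cipher name of "none" means no passphrase, and the PEM markers of PKCS#1 and PKCS#8 keys. The sample blobs at the bottom are constructed header-only stand-ins, not real keys.

```python
#!/usr/bin/env python3
"""Key-hygiene scanner: an added example, not Kromtech's Key Inspector source.

Checks (1) whether files under ~/.ssh and ~/.aws are readable by other users and
(2) whether each private key is stored encrypted (passphrase-protected).
Format assumptions: OpenSSH's "openssh-key-v1" container (cipher name right after
the magic) and the PEM markers for PKCS#1/PKCS#8 keys.
"""
import base64
import os
import re
import stat
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def read_ssh_string(buf: bytes, offset: int):
    """Read one SSH wire 'string' (uint32 big-endian length, then that many bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + length], offset + 4 + length


def classify_private_key(data: bytes) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-key' for one file's contents."""
    text = data.decode("utf-8", "replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = re.sub(r"-----[^-]+-----", "", text)     # strip the PEM-style armour
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            return "not-a-key"
        cipher, off = read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = read_ssh_string(blob, off)
        return "unencrypted" if cipher == b"none" or kdf == b"none" else "encrypted"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "encrypted"                              # PKCS#8 with a password
    if re.search(r"-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----", text):
        # legacy PEM: encrypted only when the Proc-Type/DEK-Info headers are present
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    return "not-a-key"


def permission_findings(path: str, mode: int, is_dir: bool, sensitive: bool) -> list:
    """Return the chmod command that fixes an over-permissive mode, or [] if it is fine."""
    if is_dir:
        return [f"chmod 700 {path}"] if mode & 0o077 else []
    if sensitive and mode & 0o077:        # private keys, credentials, config, known_hosts
        return [f"chmod 600 {path}"]
    if not sensitive and mode & 0o022:    # public keys may be readable, never writable by others
        return [f"chmod 644 {path}"]
    return []


def scan_directory(root: str) -> list:
    """Scan one directory and return (path, problem, fix) tuples."""
    findings = []
    root = os.path.expanduser(root)
    if not os.path.isdir(root):
        return findings
    dir_mode = stat.S_IMODE(os.stat(root).st_mode)
    for fix in permission_findings(root, dir_mode, True, True):
        findings.append((root, f"directory mode {dir_mode:04o} lets other users list it", fix))
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            kind = classify_private_key(fh.read())
        sensitive = kind != "not-a-key" or not name.endswith(".pub")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        for fix in permission_findings(path, mode, False, sensitive):
            findings.append((path, f"mode {mode:04o} is too open", fix))
        if kind == "unencrypted":
            findings.append((path, "private key has no passphrase", f"ssh-keygen -o -p -f {path}"))
    return findings


def _openssh_sample(cipher: bytes, kdf: bytes) -> bytes:
    """Constructed header-only sample in the openssh-key-v1 layout (not a usable key)."""
    body = OPENSSH_MAGIC
    for field in (cipher, kdf):
        body += struct.pack(">I", len(field)) + field
    armour = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{armour}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


# Constructed samples of the on-disk layouts the scanner understands (not real keys).
SAMPLE_OPENSSH_PLAIN = _openssh_sample(b"none", b"none")
SAMPLE_OPENSSH_ENCRYPTED = _openssh_sample(b"aes256-ctr", b"bcrypt")
SAMPLE_PEM_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nQUFBQQ==\n"
                        b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    problems = [f for d in (sys.argv[1:] or ["~/.ssh", "~/.aws"]) for f in scan_directory(d)]
    for path, problem, fix in problems:
        print(f"{path}: {problem}\n    fix: {fix}")
    if not problems:
        print("OK: all files are private to you and every private key is encrypted.")
```

Run it with no arguments to scan ~/.ssh and ~/.aws, or pass other directories. Note that the permission check only guards against other accounts; the passphrase check is what matters against a process already running as you.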

How do I encrypt my keys?

You have two options: 

1. Generate new key pairs
2. Encrypt your existing keys

In the first case, you will need to go through the whole key-replacement procedure. This includes:

- Generating a new key pair
- Uploading your new public key to your server
- Deleting the old one

Need more info on the differences between public/private keys and how they work? Check out this video.
Generating a new key pair takes a little longer, but it's the smart thing to do. If your old key has already been copied by someone, replacing it makes the stolen copies useless; adding a passphrase to the existing key does nothing about copies that are already out there.
Your second option is to create an encrypted version of your existing keys.


Generating a new key pair

1) Back up:

The first thing to do before touching your keys is to make a backup of the whole ~/.ssh directory. The -p flag keeps the original permissions and timestamps, so the backup is not more readable than the original:

cp -Rp ~/.ssh ~/.ssh_backup

And this command backs up the ~/.ssh directory (including authorized_keys) on the remote server, so you can restore it if you lock yourself out:

ssh remote-user@remote-server "cp -Rp ~/.ssh ~/.ssh_backup"

2) Generate new pair
Key generation is straightforward:

ssh-keygen -o

The -o flag stores the private key in the new OpenSSH format, which protects the passphrase with the bcrypt KDF instead of the weak single-pass MD5 scheme of the old PEM format. It has been the default since OpenSSH 7.8, so on a current system it is harmless but no longer necessary.

This command walks you through generating a new key pair. First, it asks where to save the new key:

 

If you don't want to specify a name/path for your new key, just press ENTER to save it in ~/.ssh under the default name for the key type (id_rsa for an RSA key). If a key already exists under that name, ssh-keygen asks whether you want to overwrite it; answer no if that file is your current key and you have not backed it up yet.

The next step is the most important part of generating a secure SSH key: setting a passphrase. You NEED to set a passphrase for your key or it will be stored unencrypted, and anything that can read the file can use it.
 

After you've set a passphrase, you will see something like this:

Next, run key-inspector to make sure that you generated a secure key. If you see “Key 'id_rsa' is encrypted” then you've successfully generated an encrypted key.

3) Upload public key
Use the following command to ADD your new public key to your server. It authenticates with the old key and appends the new public key to authorized_keys, so the old key keeps working after this step. Replace “remote-user@remote-server” with your username on the remote server and the server address, and “~/.ssh_backup/old_key” with the path to your old private key (~/.ssh_backup/id_rsa if you kept the default name and backed up as in step 1). Note that it is the .pub file that gets uploaded, never the private key.

cat ~/.ssh/id_rsa.pub | ssh -i ~/.ssh_backup/old_key remote-user@remote-server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

4) Test
Use the following command to log in to your server with the new key only. -o IdentitiesOnly=yes stops ssh from silently falling back to the old key if ssh-agent still holds it, so a successful login really proves the new key was accepted. Replace ~/.ssh/id_rsa with the path you chose in step 2.

ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes remote-user@remote-server

5) Delete old public key
The following command logs in with your fresh key and OVERWRITES the server's authorized_keys file with your new public key alone, removing everything else. Every other key for this user (including the old one, and any key that colleagues or automation rely on) stops working after this step. If other keys must survive, edit ~/.ssh/authorized_keys on the server and delete only the old key's line instead.

cat ~/.ssh/id_rsa.pub | ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes remote-user@remote-server "mkdir -p ~/.ssh && cat > ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

6) Delete backups
Double-check that your new key works as needed, then delete the old private key and the backup folders, on your machine and on the server. Removing ~/.ssh/old_key is only needed if the old private key still sits in ~/.ssh under a different name; if you accepted the default name in step 2 it has already been overwritten.

rm -rf ~/.ssh_backup
rm -f ~/.ssh/old_key
ssh remote-user@remote-server "rm -rf ~/.ssh_backup"
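The six steps above, put together in one script so that they always run in the order that cannot lock you out: add the new key over the old one, prove the new key logs in on its own, and only then remove the old one. This is an added example written for this article, not one of the page's commands and not Kromtech code. It assumes an OpenSSH client on this machine, a POSIX shell and ~/.ssh on the server, a public key stored next to the private key with a .pub suffix, and an old key (from your backup) that the server still accepts. Unlike step 5 above, it removes only the old key's line and leaves other keys in authorized_keys in place. The function names and the sample authorized_keys contents are constructed for the example.

```python
#!/usr/bin/env python3
"""Key rotation in the safe order: add new key, prove it works, then drop the old one.

Added example for this article (not one of its commands and not Kromtech code).
Assumptions: an OpenSSH client here, a POSIX shell and ~/.ssh on the server, the
public key stored next to the private key with a ".pub" suffix, and the old key
(from your backup) still accepted by the server.  Other keys in the server's
authorized_keys file are left in place.
"""
import subprocess
import sys
from pathlib import Path


def key_blob(pubkey_line: str) -> str:
    """Return the base64 key blob of a .pub/authorized_keys line, skipping any leading options."""
    for field in pubkey_line.split():
        if field.startswith("AAAA"):   # every SSH key blob starts with the encoded type-name length
            return field
    raise ValueError(f"not a public key line: {pubkey_line!r}")


def rotate_authorized_keys(current: str, old_pub: str, new_pub: str) -> str:
    """Return authorized_keys contents with old_pub removed and new_pub present exactly once."""
    old_blob, new_blob = key_blob(old_pub), key_blob(new_pub)
    kept = []
    for line in current.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)          # comments and blank lines stay as they are
            continue
        try:
            blob = key_blob(stripped)
        except ValueError:
            kept.append(line)          # unrecognised line: leave it rather than guess
            continue
        if blob not in (old_blob, new_blob):
            kept.append(line)          # somebody else's key: keep it
    kept.append(new_pub.strip())
    return "\n".join(kept) + "\n"


def ssh(target: str, key: Path, remote_cmd: str, stdin: bytes = b"") -> subprocess.CompletedProcess:
    """Run remote_cmd on target with exactly this key: no agent fallback, no password prompt."""
    return subprocess.run(
        ["ssh", "-i", str(key), "-o", "IdentitiesOnly=yes",
         "-o", "PasswordAuthentication=no", target, remote_cmd],
        input=stdin, capture_output=True, check=True)


def rotate(target: str, old_key: Path, new_key: Path) -> None:
    """Steps 3 to 5 of the procedure above; raises CalledProcessError at the first failure."""
    old_pub = Path(str(old_key) + ".pub").read_text()
    new_pub = Path(str(new_key) + ".pub").read_text()
    # Step 3: over the OLD key, back up the remote file and append the new public key.
    ssh(target, old_key,
        "cp -p ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak 2>/dev/null; "
        "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys "
        "&& chmod 600 ~/.ssh/authorized_keys", new_pub.encode())
    # Step 4: the NEW key alone must log in before anything is removed.
    ssh(target, new_key, "true")
    # Step 5: fetch the file, drop the old key locally, replace it atomically, all over the NEW key.
    current = ssh(target, new_key, "cat ~/.ssh/authorized_keys").stdout.decode()
    updated = rotate_authorized_keys(current, old_pub, new_pub)
    ssh(target, new_key,
        "cat > ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new "
        "&& mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys", updated.encode())
    ssh(target, new_key, "rm -f ~/.ssh/authorized_keys.bak")   # one more login over the new key, then cleanup


# Constructed sample (not a real server file): a colleague's key plus the old key with options.
SAMPLE_OLD_PUB = "ssh-ed25519 AAAAC3OLDKEYBLOB old@laptop\n"
SAMPLE_NEW_PUB = "ssh-ed25519 AAAAC3NEWKEYBLOB new@laptop\n"
SAMPLE_AUTHORIZED_KEYS = ("# team keys\n"
                          "ssh-rsa AAAAB3OTHERBLOB colleague@box\n"
                          'from="10.0.0.5" ssh-ed25519 AAAAC3OLDKEYBLOB old@laptop\n')

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: rotate_key.py remote-user@remote-server ~/.ssh_backup/old_key ~/.ssh/id_rsa")
    rotate(sys.argv[1], Path(sys.argv[2]).expanduser(), Path(sys.argv[3]).expanduser())
```

Because ssh prompts for the key passphrase on the terminal even while its output is captured, the script works interactively, but loading the new key into ssh-agent first saves typing the passphrase for each of the four connections. If any step fails the script stops before the old key is removed, and the server still has authorized_keys.bak from step 3.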


Encrypting existing keys

If you are not the only person using a particular key, or if you are unable to reissue it, you have the option to encrypt the existing key.

1) Back up
The first thing you need to do before manipulating your keys is create a backup of your keys. You can do that by executing this command: 

cp -R .ssh/ .ssh_backup/

2) Encrypt
Next comes encryption. ssh-keygen -p changes the passphrase of an existing key in place: it asks for the old passphrase (just press ENTER if the key has none) and then for the new one, and -o writes the result in the new OpenSSH format so the passphrase is protected with bcrypt rather than the old PEM format's weak scheme. Replace yourkey.pem with the file name of your private key (not the .pub file).

ssh-keygen -o -p -f ~/.ssh/yourkey.pem

3) Test
Use the following command to log in to your server with the re-encrypted key; you will be prompted for the new passphrase. If it works, then you did everything right.

ssh -i ~/.ssh/yourkey.pem -o IdentitiesOnly=yes remote-user@remote-server

4) Remove backup
Double-check that your key works as needed, and then delete the backup folder, which still holds the unencrypted copy.

rm -rf ~/.ssh_backup


Migrating from password to key

Failing to use key authentication on SSH is problematic but you can fix that in a few easy steps. This process is similar to creating a new key.

1) Generate new pair
Start with this command:

ssh-keygen -o

This command will open a guide, which will generate a new key pair for you.
First, it will ask you to name your new key:

 

If you don't want to specify a name/path for your new key, just press ENTER to save it in your user home directory.
The next step is the most important part of generating a secure SSH key: setting a passphrase. You NEED to set a passphrase for your key or it will be stored unencrypted.

After you've set a passphrase, you will see something like this:

Next, you can run key-inspector to make sure that you’ve generated a secure key. If you see “Key 'id_rsa' is encrypted” then you've successfully generated an encrypted key.

2) Upload public key
Use the following command to add your new public key to the server's authorized_keys file; it logs in with your password one last time to do so. Replace “remote-user@remote-server” with your username on the remote server and the server address. If you gave the key a custom name in step 1, pass it with -i ~/.ssh/your_key.pub; otherwise ssh-copy-id picks the most recently modified ~/.ssh/id*.pub.

ssh-copy-id remote-user@remote-server

Then test the login as in step 4 of the key-replacement procedure above. Once key login works, finish the migration on the server by setting PasswordAuthentication no in /etc/ssh/sshd_config (run sshd -t to check the file before reloading the service); until then the account is still exposed to the password brute forcing mentioned at the start.


Confirming everything is secure

Run key-inspector one more time to validate your steps, from the key-inspector directory you cloned earlier:

cd key-inspector
python key-inspector.py

If everything is OK you will see the following:


 Conclusion

Although staying secure in 2018 is hard, Kromtech's Key Inspector and this guide will help make your key storage more secure. Don’t forget to share this article with your friends and co-workers, and help make their key storage secure too.

Key Inspector source code and download is available here: https://github.com/kromtech/key-inspector


 


Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: security@kromtech.com
 
