Check SSH keys on your VPS

Today, during a routine check of a new server, a co-worker found an authorized_keys file that wasn't ours. The file held two keys, both belonging to the VPS company that provided the server: one for a specific user there and one generic key.

This grants them password-less access to our server. We have no idea whether the private keys are shared between people, or whether they are even password protected. If they aren't password protected and are shared between users (which is likely), it means an unknown number of people can seamlessly access our server, and if a key is stolen or otherwise ill-gotten, it's much, much worse.

If the server's access logs weren't also being checked for unexpected logins (which most servers aren't, because sysadmins go in and out all the time) and the SSH authorized_keys files weren't being tested automatically (which some people don't do, unfortunately), we would have had no way of knowing whether anyone had accessed our servers using their keys.

This is the most irresponsible behavior I've seen in a hosting company, ever.

Please check your SSH authorized_keys files as soon as you have access to a new server, and again after every "check up" the company does, if it does them.

Also, set up monitoring that regularly checks a checksum (SHA1, for example) of the authorized_keys file (and of the still-deprecated-but-used authorized_keys2), so that any change is noticed.
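The two checks above, as an added example (this is not the author's script or tooling): a shell audit that lists the public-key blobs in an authorized_keys file, reports any blob that is not in an allow-list of keys we installed ourselves, and compares the file's checksum against a recorded baseline. The allow-list format (one base64 blob per line), the baseline-file location and the sample keys are constructed assumptions, and SHA-256 is used here in place of the SHA1 the post mentions.

```shell
#!/usr/bin/env bash
# Audit SSH authorized_keys files against an allow-list of known public-key
# blobs and a stored checksum. Added example, not the post author's tooling;
# the allow-list format and baseline path are assumptions.

# Print the base64 blob of every active key in FILE. Comment and blank lines
# are skipped, as is any leading option string (e.g. command="...",no-pty):
# the blob is the field that follows the first key-type token.
list_key_blobs() {
  awk '
    /^[ \t]*(#|$)/ { next }
    {
      for (i = 1; i < NF; i++) {
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); break }
      }
    }' "$1"
}

# Print every blob in FILE that is not listed in ALLOWLIST (one blob per
# line). No output means the file holds only keys we put there ourselves.
unexpected_keys() {
  list_key_blobs "$1" | while IFS= read -r blob; do
    grep -qxF -- "$blob" "$2" || printf '%s\n' "$blob"
  done
}

# SHA-256 of FILE; falls back to shasum where GNU coreutils is absent.
file_checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare FILE with the checksum stored in BASELINE. On the first run the
# baseline is recorded and the check passes; afterwards a modified file makes
# the function return 1, which is the condition to alert on.
checksum_matches() {
  local now
  now="$(file_checksum "$1")"
  if [ ! -f "$2" ]; then
    printf '%s\n' "$now" > "$2"
    return 0
  fi
  [ "$now" = "$(cat "$2")" ]
}

# Constructed sample data for a stand-alone run: two keys of our own in the
# allow-list, plus a third key we never installed. Blobs are placeholders.
demo_setup() {
  local dir="$1"
  mkdir -p "$dir"
  printf '%s\n' 'AAAAC3NzaC1lZDI1NTE5AAAAI_CONSTRUCTED_OURS_1' \
                'AAAAB3NzaC1yc2EAAAADAQABAAABAQ_CONSTRUCTED_OURS_2' > "$dir/allowlist"
  {
    echo '# keys we installed'
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_CONSTRUCTED_OURS_1 ops@ourteam'
    echo 'command="/usr/bin/rsync",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ_CONSTRUCTED_OURS_2 backup@ourteam'
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ_CONSTRUCTED_PROVIDER support@provider.example'
  } > "$dir/authorized_keys"
}

demo() {
  local tmp bad
  tmp="$(mktemp -d)"
  demo_setup "$tmp"
  bad="$(unexpected_keys "$tmp/authorized_keys" "$tmp/allowlist")"
  if [ -n "$bad" ]; then
    echo "unexpected key(s) in $tmp/authorized_keys:"
    echo "$bad"
  fi
  # First run records the baseline; a later "check up" that appends a key
  # changes the checksum and is reported.
  checksum_matches "$tmp/authorized_keys" "$tmp/baseline.sha256"
  echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_CONSTRUCTED_PROVIDER_2 generic@provider.example' \
    >> "$tmp/authorized_keys"
  checksum_matches "$tmp/authorized_keys" "$tmp/baseline.sha256" \
    || echo "authorized_keys changed since baseline"
  rm -rf "$tmp"
}
demo
```

In practice you would run `unexpected_keys` and `checksum_matches` from cron over `/root/.ssh/authorized_keys`, `/root/.ssh/authorized_keys2` and every `/home/*/.ssh/authorized_keys*`, keep the allow-list and baseline files somewhere the provider's keys cannot reach (off the box, ideally), and page on any output. The allow-list check catches keys added on day one; the checksum check catches later edits, including keys slipped in with restrictive options that still grant a login.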

5 Comments

Was that OVH? This was the main reason why I resigned from using their services - putting keys in /root/.ssh/authorized_keys, and running some kind of process on the root account, listening on TCP/IP.

If they're rooting your server, sounds like "tarnishing" their name is totally fair and part of being a good consumer.

Having worked for a large "managed IT services" company, I can say in some environments it is a standard procedure to have SSH keys on all customer servers. They also used a web-services daemon for communications with their customer "control panel".

I guess the difference would be if it was "managed" or "unmanaged" service. It's rather hard to "manage" a server if you don't have access to it.

That said, the company I worked for had separate keys for every employee, which all had to be password protected, and the daemon which managed the services removed keys from former employees.

I also think they were considering moving to Active Directory for Kerberos authentication to consolidate the Linux and Windows servers (and to make management easier without specialized daemons).

Since leaving that company I've been with a few different VPS companies (all unmanaged) and so far there haven't been any daemons or SSH keys installed.


About Sawyer X

Gots to do the bloggingz