Reading this twitter, https://twitter.com/DragonJAR/status/1661627526874030080, the doubt assailed me, can we protect ourselves from ‘Backdoors’ in public SSH keys?
that is, how can I check the authenticity of a public ssh key?, checking its hash key and asking whoever created them if they match, that is, call the system administrator or send an email that can take days to get a response.
It’s not practical, it’s not cool. In real life we should have an encrypted file with the hashes of said public keys in a controlled place and then check the command pattern in the .ssh/authorized_keys directory.
If the hash does not match and/or we find such a pattern in said public key, we have a problem. Here is a proposed script that tries to automate this:
trying to automatize this stuff
!/bin/bash
# Variables
# Replace with the address or name of your server
server="your-server"
# Path of the encrypted file on the server
file_path="path/to/encrypted-file"
# Local path to save the decrypted file
destination_path="local/path/to/save"
# Name of the encrypted file
encrypted_file="encrypted-file.enc"
# Name of the decrypted file
decrypted_file="decrypted-file.txt"
# Connect to the server and transfer the encrypted file
scp $server:$file_path/$encrypted_file $destination_path
# Decrypt the file
openssl aes-256-cbc -d -a -in $destination_path/$encrypted_file -out $destination_path/$decrypted_file
# Get the fingerprint of the public key and search in the decrypted file
public_key_path="path/to/public-key.pub" # Path of the public key you want to check
# Get the fingerprint of the public key
fingerprint=$(ssh-keygen -l -f $public_key_path | awk '{print $2}')
# Search for the fingerprint in the decrypted file and authorized_keys file
if grep -q "$fingerprint" "$destination_path/$decrypted_file" && ssh $server "grep -rnw '/home' -e 'command=' ~/.ssh/authorized_keys"; then
echo "WARNING: The fingerprint of the public key is included in the encrypted file, and 'command=' is present in authorized_keys file."
elif grep -q "$fingerprint" "$destination_path/$decrypted_file"; then
echo "OK!. The fingerprint of the public key is included in the encrypted file."
elif ssh $server "grep -rnw '/home' -e 'command=' ~/.ssh/authorized_keys"; then
echo "WARNING: 'command=' is present in authorized_keys file."
else
echo "OK!. The fingerprint of the public key is NOT included in the encrypted file, and 'command=' is NOT present in authorized_keys file."
fi
# Delete the file with encrypted hashes
ssh $server "rm $file_path/$encrypted_file"
Obviously, maintaining the structural integrity and confidentiality of said file with the public key hashes is also very important.
#!/bin/bash
# Variables
# Directory containing the public keys
public_keys_directory="path/to/public-keys"
# Output directory for the encrypted file
output_directory="path/to/output-directory"
encrypted_file="encrypted-file.enc" # Encrypted file name
# Create a string with the hashes of the public keys
hashes=""
# Iterate over all public key files in the directory
for public_key_file in $public_keys_directory/*.pub; do
fingerprint=$(ssh-keygen -l -f $public_key_file | awk '{print $2}')
hashes="$hashes$fingerprint\n"
done
# Encrypt the hashes of the public keys into a file
echo -e "$hashes" | openssl aes-256-cbc -a -salt -out "$output_directory/$encrypted_file"
echo "Encrypted file generated at: $output_directory/$encrypted_file"
That is all. Thanks for reading until here.
Love you all, Marcos & Blanca.
Aironman techblog 