SSH keys are commonly used to sign into servers, push code, and verifyidentities. It's important they are password-protected.
What Are SSH Keys?
An SSH Key is a two part (public and private key) cryptographic token which isprimarily used to facilitate remote secure shell (SSH) access to a computer.
In practice SSH Keys are used to sign in to servers, authenticate to remoterepositories like Github, and as a way of verifying the authenticity offiles and messages.
How Do SSH Keys End Up Unencrypted?
Engineers and other technical users need to semi-frequently generate new SSHkeys to authenticate to various services. To do that they often generatethe SSH key pair via the terminal by running the following command:
$ ssh-keygen -t ed25519 -C "first.name@example.com"During the process they will eventually be asked to set a passphrase witha prompt that looks like the following:
> Enter passphrase (empty for no passphrase): [Type a passphrase]Unfortunately, this portion of the process can be easily skipped by simplypressing the enter key on the keyboard. If this portion of the processis skipped the private key can be used by anyone who can get possession ofthe file.
Why do developers skip this step? There are a few reasons that come up in practice:
Ignorance - Many developers don’t know there is any security value in adding apassphrase to an SSH key.
Perceived Lack of Necessity - Many SSH keys are generated under the assumptionthey won’t be used to obtain access to anything important and thus adding a passphraseis unnecessary overkill.
Convenience - By adding a passphrase, developers often assume they will needto constantly enter a passphrase every time they push code to GitHub or accessa commonly used server. By forgoing the password they don’t have to contendwith any productivity loss.
While these arguments drive the behavior, none of them are strong. In fact,a lot of the perceived downsides of using an encrypted key can be mitigatedwith modern tools.
For example, on macOS if an encrypted SSH key is accessed by a process, youwill be automatically prompted to enter the passphrase and then you can chooseto save it in the keychain.
Locating Unencrypted SSH Keys with Osquery
Osquery (an open-source tool for querying the state of the OS) is capable oflocating user SSH keys across devices. It does this by tapping into thessh-agent on the device and looking for them in common locations on the primarydisk like ~./ssh.
Osquery uses SQL to query the system’s current state. Here is an example of aSQL query that can detect all unencrypted SSH keys on disk.
SELECT path FROM user_ssh_keys WHERE encrypted = 0;Kolide extends osquery’s functionality with additional data like MD5 fingerprintand automatically stores metadata about keys in its built-in Inventory. This allows you to detect things like duplicate SSH keys across devices.
How Do I Encrypt an Unencrypted SSH Key?
Encrypting a pre-existing SSH key is a trivial process. On Mac or Linuxsimply:
- Make note of the private SSH key you wish to encrypt. For this example, let’s assume it’s in
/Users/user/.ssh/id_rsa - Open the terminal
- Type
ssh-keygen -p -f /Users/user/.ssh/id_rsaand press enter
You will be prompted to create a passphrase. We suggest you create a uniquepassphrase per key and store those passphrases in a secure/approved passwordmanager like 1Password.
You may not see text being entered as you type your password in. Do not worry,this is normal security feature of the terminal and it is receiving your keystrokes.
This problem cannot be remediated through traditional automation with tools like an MDM. You need to be able to stop devices that fail this check form authenticating to your SaaS apps and then give end-users precise instructions on how to unblock their device.
Kolide's Okta Integration does exactly that. Onece integrated in your sign-in flow, Kolide will automatically associate devices with your users' Okta identities. From there, it can block any device that exhibits this problem and then provide the user, step-by-step instructions on how to fix it. Once fixed, Kolide immediately unblocks their device. Watch a demo to find out more.
