Finding Your OpenSSH Private Keys

https://asecuritysite.com/openssh/openssh5

If you’re a developer you will probably know all about using your OpenSSH keys to log into remote sites for both SSH connections and for authentication. Many use them for GitHub integration, and thus avoid having to continually enter login details. The main key types used these days are RSA (typically 2K or 4K keys), ECDSA and Ed25519. A typical command to generate the key pair is [here]:

$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

This generates a 4,096-bit RSA key pair. We typically store the private key in the .ssh folder, which also contains the public key in the form:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAXQMfdioW/ibO3rtEACYqplJjfYa2hSqQtfNIk4h
7Dah+IrHeiN0m8vr2ldkso2gqQpvxFArJZ2EAiRtMQVfeTyauhd5rk0x8H00AfQABJDq6grldiz
uYy5tCC7V2Fw==

It is this key that we load onto the server we wish to connect to. The private key typically has a PEM form:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

If this key were to be discovered, an intruder could access trusted areas. Notice that we have a “-----BEGIN PRIVATE KEY-----” banner on the private key. So, on Linux and Mac OSX, how do we scan our system for these private keys? One method is proposed by CraigHRowland [here] as:

find / -maxdepth 5 -name .ssh -exec grep -rnw {} -e 'PRIVATE' \; 2> /dev/null

In a scan of my system, it quickly finds the following keys:

~ % find / -maxdepth 5 -name .ssh -exec grep -rnw {} -e 'PRIVATE' \; 2> /dev/null
/Users/fred/.ssh/id_ecdsa:1:-----BEGIN OPENSSH PRIVATE KEY-----
/Users/fred/.ssh/id_ecdsa:9:-----END OPENSSH PRIVATE KEY-----
/Users/fred/.ssh/id_rsa:1:-----BEGIN OPENSSH PRIVATE KEY-----
/Users/fred/.ssh/id_rsa:27:-----END OPENSSH PRIVATE KEY-----

In this case, we just look for the .ssh folder, and then do a grep to determine if it contains the word “PRIVATE”. It can thus be seen in the test run that I have a number of OpenSSH private keys. On your system you should not delete any of these unless you know what you are doing, but you should certainly know where they are (and set some restrictions on them).
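An added example (not from the original article or from CraigHRowland): a Python version of the same .ssh scan that goes beyond the grep by also reporting each key file's permission bits and whether the key is passphrase-protected. The function names, the 0o077 "too open" test and the home-directory starting point are assumptions made for this example.

```python
import base64, os, re, stat, struct

PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----(.*?)-----END \1PRIVATE KEY-----", re.S)
MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH key format

def passphrase_state(label, body):
    """Classify one PEM block: 'encrypted', 'unencrypted' or 'unknown'."""
    if label == b"ENCRYPTED " or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"  # PKCS#8 encrypted label or legacy PEM header
    if label != b"OPENSSH ":
        return "unencrypted"
    try:
        raw = base64.b64decode(b"".join(body.split()))
    except ValueError:
        return "unknown"
    if not raw.startswith(MAGIC) or len(raw) < len(MAGIC) + 4:
        return "unknown"
    (n,) = struct.unpack_from(">I", raw, len(MAGIC))
    cipher = raw[len(MAGIC) + 4:len(MAGIC) + 4 + n]  # "none" = no passphrase
    return "unencrypted" if cipher == b"none" else "encrypted"

def audit_ssh_keys(root="/", maxdepth=5):
    """Return sorted (path, mode, state, too_open) for keys in .ssh folders."""
    root = os.path.abspath(root)
    base = root.rstrip(os.sep).count(os.sep)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath.rstrip(os.sep).count(os.sep) - base >= maxdepth:
            dirnames[:] = []  # same limit as find -maxdepth
        if os.path.basename(dirpath) != ".ssh":
            continue
        dirnames[:] = []  # the inner walk below covers subfolders
        for sub, _, files in os.walk(dirpath):
            for name in files:
                path = os.path.join(sub, name)
                try:
                    mode = stat.S_IMODE(os.stat(path).st_mode)
                    with open(path, "rb") as fh:
                        m = PEM.search(fh.read(1 << 20))
                except OSError:
                    continue  # unreadable: skip, as 2> /dev/null does
                if m:
                    state = passphrase_state(*m.groups())
                    findings.append((path, oct(mode), state, bool(mode & 0o077)))
    return sorted(findings)

if __name__ == "__main__":
    for path, mode, state, too_open in audit_ssh_keys(os.path.expanduser("~")):
        print(f"{path}  mode={mode}  {state}{'  TOO-OPEN' if too_open else ''}")
```

The OpenSSH client itself refuses to use a private key file that is accessible by others, so a too_open result is worth fixing with chmod 600.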

Conclusions

Your private keys can be the keys to your castle … so look after them.