Sandfly Blog

Secure Shell (SSH) is a cornerstone of Linux system administration, enabling secure remote access to servers through encrypted communication. However, SSH keys, if not properly managed, can expose organizations to significant security risks. In the webinar and accompanying white paper, we go over the risks of SSH to Linux infrastructure in terms of lateral movement and other attacks.

White Paper: Protecting Linux from SSH Key Risks

Risks Associated with SSH Keys

SSH keys are prone to several vulnerabilities that can lead to immediate lateral movement risk on Linux. These topics are covered in the video and white paper linked above:

• Theft of Private Keys: Unencrypted private keys can be stolen from compromised systems, allowing attackers to authenticate to other servers without detection. Even encrypted keys may be vulnerable to offline decryption if passphrases are weak.
• Orphaned or Outdated Entries: Residual keys in authorized_keys files, left from former employees or decommissioned users, can provide unintended access if not removed.
• Weak Configurations: Misconfigured SSH settings—such as port forwarding or outdated encryption standards—can weaken defenses and allow attackers to bypass network controls.
• Unauthorized Key Insertion: Malicious actors may add their own public keys to authorized_keys files, establishing persistent backdoor access.

These risks are amplified by attackers who use straightforward techniques, such as searching for private keys to exploit poorly managed systems.

How Attackers Exploit SSH Keys

A typical attack begins with the compromise of a single host. From there, attackers extract private SSH keys and analyze files like known_hosts or command histories to identify additional targets. Using stolen credentials, they move laterally across the network, often evading traditional security controls due to the legitimacy of their access. Attackers with stolen SSH keys can quickly and quietly spread to critical systems without alerting security teams.

Sandfly's SSH Hunter Finds Threats

To address these vulnerabilities, Sandfly's agentless Linux security platform incorporates multiple detection mechanisms:

• Inventory and Monitoring: Sandfly tracks SSH keys across all systems—by user, host, and usage history—to identify unauthorized or obsolete entries.
• Access Control Zoning: SSH Security Zones create critical areas (e.g., production environments) and restrict key usage to authorized personnel, with alerts for violations.
• Configuration Auditing: Sandfly routinely checks authorized_keys files and SSH server settings for anomalies, such as excessive keys or risky options like unrestricted port forwarding or malicious commands.
• Encryption Enforcement: Sandfly checks for unencrypted private keys in user directories and sensitive locations, enforcing passphrase protection where encryption is feasible. Sandfly can also identify legacy weak keys that need to be rotated to modern security levels.
• Integration with Monitoring Tools: Sandfly can send SSH security data to existing systems (e.g., SIEM platforms) to improve visibility and enable rapid response to anomalies.

Business Impacts

For organizations, SSH key management extends beyond technical operations—it directly impacts data security, operational continuity, and regulatory compliance. Weaknesses in this area can lead to breaches, downtime, or penalties, making it a priority for enterprise risk management. Consistent policies and cross-platform enforcement are critical, particularly in environments spanning cloud, on-premise, and embedded systems. Sandfly works across all these systems with one unified solution, and without the risk of deploying endpoint agents.

Learn More in the Webinar

Please see the webinar above where we have live demonstrations of SSH risks discussed here and more. Also, please see the white paper that details SSH risks and how to monitor and address them. Please reach out if you have any questions about how Sandfly can help secure your Linux SSH infrastructure against these risks.