SSH backdoor infection
SSH backdoor infection
https://blog.thc.org/infecting-ssh-public-keys-with-backdoors
I am not a security expert and I wonder:
- Does the described method infect the remote or local machine (from which I connect)?
- Can this method be prevented? For example, correctly configuring your
etc/ssh/ssh_config
It seems that every VPS supplier can hack you? The description shows that AWS does "harmless", but what if my hosting is a bad actor?
If your hosting is a bad actor, you're screwed no matter what. Why bother with this when they have direct access to your disk and ram
You could turn off authorized key files, or lock them down. This isn't really a big security risk though, there's countless ways to backdoor a system once you have access to do this.
This just targets a remote account, not your local pc.
In that case, it seems to me that the only threat is the mindless copying of public keys to other servers, as described in the article. But who does so? Do admins not create separate private-public keys for each server?
Thank you for the explanation!
Most don't create new keys per server machine but that's not the issue. I don't bother, I create a key per client machine on my side.
Server gets compromised once, admin logs in and fixes it, admin logs in next time and the backdoor compromises it again.
That's all this is. If you can get in once, it's a spot you can leave a backdoor that many admins will miss. That's it.
Admins don't generally copy that whole file around, they usually copy and paste the lines they want. Also I generally copy and paste it from my workstation, not another server.
No separate keys, use certificates with proper SSH-CA and you’ll never share a key again. It’s not a new thing.