
How to List SSH Keys Across All Mac and Linux Devices

Using Kolide, you can easily view and query SSH Keys across your fleet.

Introduction

SSH keys are a crucial part of secure shell (SSH) access to remote computers. An SSH key has two parts: a private key and a public key. The private key must be kept secret and should be stored encrypted with a passphrase; the public key may be distributed to the remote computers that should grant access to the key holder.

What SSH Key Data Can Kolide Collect?

Kolide's endpoint agent bundles osquery to efficiently collect SSH key metadata from the Mac and Linux devices in your fleet. Once collected, Kolide parses, cleans up, and centrally stores this data in Inventory for your team to view, query, or export via the API.

Kolide meticulously documents every piece of data returned so you can understand the results.

SSH Keys Schema

Column              Type          Description
id                  Primary Key   Unique identifier for the object
device_id           Foreign Key   Device associated with the entry
device_name         Text          Display name of the device associated with the entry
bits                Bigint        The strength of the encryption in bits
                                  Special values: NULL when the key is not encrypted (so the field does not apply), or when the encryption strength could not be determined
encrypted           Boolean       true if the key appears to be encrypted (passphrase-protected), otherwise false
file_created_at     Timestamp     When the key file was first written to disk
fingerprint_md5     Text          MD5 fingerprint of the key, computed over its public half
fingerprint_sha256  Text          SHA-256 fingerprint of the key, computed over its public half
key_type            Text          Format of the SSH key, determined by a set of decoding heuristics, e.g. ssh-rsa, ssh-ed25519, ssh-dss
path                Text          Path to the SSH private key file
uid                 Text          Local user that owns the key file
collected_at        Timestamp     When the row was first collected into the database
updated_at          Timestamp     When the row was last changed in the database
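As an added example (this is not Kolide's or osquery's code, and it does not claim to reproduce how the agent is implemented), the Python script below derives the key_type, encrypted, bits and fingerprint columns above from a key file, reading only the public-key blob that the openssh-key-v1 container stores in the clear ahead of the possibly encrypted private section. The key fixtures, the paths and the uid newt are constructed for the demonstration, and the legacy PEM file shows where bits and the fingerprints legitimately come back NULL.

```python
import base64
import hashlib
import re
import struct
from dataclasses import dataclass
from typing import Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"

@dataclass
class SshKeyRow:
    """Per-key columns of the schema above (Kolide's id/device/timestamp columns omitted)."""
    path: str
    uid: str
    key_type: Optional[str]
    encrypted: bool
    bits: Optional[int]
    fingerprint_md5: Optional[str]
    fingerprint_sha256: Optional[str]

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _type_and_bits(pub: bytes):
    """Key type and size from a public-key blob: the type string comes first, then the
    type-specific fields (for RSA/DSA the modulus/prime length is the key size)."""
    t, off = _read_string(pub, 0)
    key_type = t.decode()
    if key_type in ("ssh-rsa", "ssh-dss"):
        if key_type == "ssh-rsa":
            _e, off = _read_string(pub, off)      # skip the public exponent
        n, _ = _read_string(pub, off)             # RSA modulus n, or DSA prime p
        return key_type, int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-ed25519":
        return key_type, 256
    if key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(pub, off)
        return key_type, {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}.get(curve)
    return key_type, None                         # unknown algorithm: bits stays NULL

def parse_private_key(path: str, uid: str, text: str) -> SshKeyRow:
    """Metadata only: nothing after the public-key blob is decoded or returned."""
    m = re.search(r"-----BEGIN ([A-Z ]+?)-----\n(.*?)-----END", text, re.S)
    if not m:
        raise ValueError(f"{path}: not a PEM-framed key file")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError(f"{path}: bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)      # b"none" means the key is unencrypted
        _kdf, off = _read_string(raw, off)
        _kdfopts, off = _read_string(raw, off)
        off += 4                                  # uint32 key count (1 in practice)
        pub, _ = _read_string(raw, off)           # public key is in the clear even when encrypted
        key_type, bits = _type_and_bits(pub)
        md5 = hashlib.md5(pub).hexdigest()
        sha = "SHA256:" + base64.b64encode(hashlib.sha256(pub).digest()).decode().rstrip("=")
        return SshKeyRow(path, uid, key_type, cipher != b"none", bits, md5, sha)
    # Legacy PEM (ssh-keygen -m PEM, cloud-console downloads): type from the BEGIN label,
    # encryption from the Proc-Type header; bits and fingerprints need ASN.1 parsing -> NULL.
    legacy = {"RSA PRIVATE KEY": "ssh-rsa", "DSA PRIVATE KEY": "ssh-dss", "EC PRIVATE KEY": "ecdsa"}
    encrypted = "Proc-Type: 4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY"
    return SshKeyRow(path, uid, legacy.get(label), encrypted, None, None, None)

# Constructed fixtures (not real keys: the private sections are filler bytes).
def _openssh_fixture(cipher: bytes, pub: bytes) -> str:
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    raw = (OPENSSH_MAGIC + _put_string(cipher) + _put_string(kdf) + _put_string(b"")
           + struct.pack(">I", 1) + _put_string(pub) + _put_string(b"\x00" * 64))
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

ED25519_PUB = _put_string(b"ssh-ed25519") + _put_string(bytes(range(32)))
RSA_2048_PUB = (_put_string(b"ssh-rsa") + _put_string(b"\x01\x00\x01")   # e = 65537
                + _put_string(b"\x00" + b"\xff" * 256))                   # 2048-bit modulus
LEGACY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJDRA==\n"
              "-----END RSA PRIVATE KEY-----\n")
SAMPLES = {  # path -> file text, as the agent would find them under one user's ~/.ssh
    "/Users/newt/.ssh/id_ed25519": _openssh_fixture(b"none", ED25519_PUB),
    "/Users/newt/.ssh/gcp-staging-cluster-1": _openssh_fixture(b"aes256-ctr", RSA_2048_PUB),
    "/Users/newt/.ssh/aws-legacy.pem": LEGACY_PEM,
}

def inventory(samples=SAMPLES, uid="newt"):
    """One schema row per key file, in the order given (what the agent would ship to Inventory)."""
    return [parse_private_key(p, uid, t) for p, t in samples.items()]

if __name__ == "__main__":
    print(*inventory(), sep="\n")
```

On a real key file the OpenSSH fingerprints match what `ssh-keygen -l -f <key>` and `ssh-keygen -l -E md5 -f <key>` print, except that ssh-keygen separates the MD5 bytes with colons while the example results on this page store it as a bare hex string. Because only the public blob is hashed, an encrypted and an unencrypted copy of the same key produce the same fingerprint, which is what makes the duplicate-key query later on this page work.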

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find unencrypted SSH keys across devices
Kolide SQL
-- A private key stored without a passphrase is usable as-is by whoever copies the file.
SELECT
  device_name,
  path,
  encrypted
FROM device_user_ssh_keys
WHERE encrypted = FALSE;
Example Results
device_name         path                                        encrypted
dover               /Users/jack/.ssh/jack-slash-dev.pem         false
Brits-MacBook-Pro   /Users/brittany/.ssh/aws-us-east-prod-2     false
flame               /Users/newt/.ssh/gcp-staging-cluster-1      false
balthazar           C:\Users\Christopher\.ssh\brimstone-access  false
Sparta-MacBook-Pro  /Users/costas/.ssh/id_rsa                   false
batman              /Users/bruce/.ssh/id_rsa.pub.pem            false
frank-imac          /Users/frank/.ssh/aws-prod-us-east-ec2      false
Find duplicate SSH keys in your environment
Kolide SQL
-- Group every collected key by its fingerprint: a fingerprint that appears on more
-- than one row is a key that has been copied between devices (or between users).
WITH
kolide_ssh_keys AS (
  SELECT * FROM device_user_ssh_keys),
distinct_ssh_keys AS (
  SELECT
    SPLIT_PART(MAX(path), '.ssh/', 2) AS max_key_name,         -- one representative file name
    array_to_string(array_agg(device_id), ',') AS device_id_csv, -- every device holding the key
    fingerprint_md5,
    COUNT(fingerprint_md5) AS count_md5                         -- NULL fingerprints are not counted
  FROM kolide_ssh_keys GROUP BY fingerprint_md5)
SELECT
  dissh.*
FROM distinct_ssh_keys dissh
WHERE count_md5 > 1
ORDER BY count_md5 DESC;
Example Results
max_key_name  device_id_csv                     fingerprint_md5                   count_md5
github_rsa    38774,135887,135848,135231,60435  7a546e645420c098740cad7dcbd44823  5
id_rsa        135231,135887,135848,60435        f0c55a183bb65745dee1ed91b5f05235  4
id_rsaunen    135250,85374,97717                7d8aa2ebb48c928a49e5137d3ce7ac4b  3
id_rsa2       85374,135250,97717                778cbc0293bda223a0b893f6af9a0e16  3
id_ed25519    87467,136930,136528               6e010794a2f8cb3d02f3f26bc962f71f  3
SSH Keys by key type and encryption status
Kolide SQL
-- A posture summary: how many keys of each algorithm exist, split by whether they are
-- passphrase-protected. A NULL key_type is a file the decoding heuristics could not classify.
SELECT key_type, encrypted, COUNT(*) AS frequency
FROM device_user_ssh_keys
GROUP BY key_type, encrypted;
Example Results
key_type     encrypted  frequency
ssh-ed25519  true       19
ssh-rsa      false      31
ssh-rsa      true       81
(NULL)       false      1

Why Should I Collect SSH Keys?

SSH keys give access to potentially the most sensitive pieces of an organization's infrastructure. Cataloging and tracking SSH keys allows IT and Security admins to:

  • Find reused keys across devices
  • Identify unencrypted keys that are vulnerable to theft by malware or malicious actors
  • Locate sensitive keys that should not be present on a given device

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

The contents of private SSH keys are never collected, only metadata about them. People may keep keys on a device for personal reasons, but it is very unlikely that anything beyond a key's file name would contain personal or sensitive information.

When you use Kolide to list SSH Key data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
