Future Hosting, a global managed server hosting provider, has warned server hosting clients not to upload private SSH keys to production servers. The warning was prompted by a rapid increase in the number of malicious scans that attempt to discover accidentally uploaded SSH keys (as reported by WordFence on October 18, 2017).

If SSH private keys fall into the hands of malicious third parties, they can be used to compromise servers and the data stored on them. Private keys can be accidentally uploaded to the publicly accessible directories of web servers, and it is trivially easy for a malicious third-party to scan for private keys in those directories.

Future Hosting advises server hosting clients to use passphrases with their SSH key pairs. Using passphrases may be inconvenient, but a key pair with a passphrase is useless to an attacker even if the private key is made public.

"SSH keys are more secure than password authentication, but they're only secure if server hosting clients keep the private key safe," said Maulesh Patel, VP of Operations of Future Hosting, "It's unfortunately common for private keys to be uploaded to servers. We'd like to raise awareness of this issue to help server administrators and developers understand the risk and take steps to keep private keys out of the hands of criminals."

SSH is a secure protocol used to access the servers that host web sites and applications. A password can be used to log in to a server with SSH, but key-based authentication is more secure. A user generates a key pair, which includes a public and a private key. The public key is uploaded to the server. The private key should be stored securely on the user's devices.

If the private key is accidentally uploaded to a public directory or to a version control system, it may be discovered by an attacker and used to gain access to the server and any other server that uses the same key pair for authentication.