Future Hosting, a global managed server hosting
provider, has warned server hosting clients not to upload private SSH
keys to production servers. The warning was prompted by a rapid increase
in the number of malicious scans probing web servers for accidentally
uploaded SSH private keys (as reported by WordFence on October 18, 2017).
If SSH private keys fall into the hands of
malicious third parties, they can be used to log in to the servers that
trust them and to read or alter the data stored there. Private keys are
easily copied by mistake into the publicly accessible directories of web
servers, for example when a developer deploys a whole home directory or a
repository that contains a .ssh folder. Finding them is trivially easy: a
scanner simply requests well-known file names such as id_rsa under the
web root of every site it can reach, and any key the web server serves up
is immediately usable.
Future Hosting advises server hosting clients
to protect their SSH key pairs with a passphrase. Typing a passphrase is
inconvenient, but it means an exposed private key file cannot be used
until the passphrase is cracked, and with a strong passphrase that is
impractical. A passphrase is a second line of defence, not a substitute
for keeping the key private: the encryption can be attacked offline at
leisure, so a key that has been exposed should still be treated as
compromised, removed from every server that trusts it and replaced.
"SSH keys are more secure than password
authentication, but they're only secure if server hosting clients keep
the private key safe," said Maulesh Patel, VP of Operations of Future
Hosting. "It's unfortunately common for private keys to be uploaded to
servers. We'd like to raise awareness of this issue to help server
administrators and developers understand the risk and take steps to keep
private keys out of the hands of criminals."
SSH is a secure protocol used to access the
servers that host web sites and applications. A password can be used to
log in to a server with SSH, but key-based authentication is more
secure: a key cannot be guessed by online brute force, and nothing
reusable is ever sent to the server. The user generates a key pair
consisting of a public key and a private key. The public key is uploaded
to the server and added to the account's authorized_keys file. The
private key stays on the user's own device, readable only by that user;
OpenSSH refuses to use a private key file whose permissions allow other
users to read it.
If the private key is accidentally uploaded to
a public directory or committed to a version control system, it may be
discovered by an attacker and used to gain access to the server and any
other server whose authorized_keys file lists the same public key, so a
single leaked key can expose every system it was authorized on. A key
that has been committed remains in the repository history even after the
file is deleted, so deleting it is not enough; the public key must be
removed from every server and a new key pair generated.
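The two checks described above, as an added example that is not Future Hosting's or WordFence's own tooling: a small POSIX shell script that scans a web document root for files carrying a PEM or OpenSSH private-key header (the same thing the malicious scanners look for, run here from the defender's side), and a helper that uses ssh-keygen to tell whether a given key file is protected by a passphrase. The document root it scans is constructed in a temporary directory; the key inside it is a placeholder, not real key material, and the ssh-keygen check assumes OpenSSH is installed.

```shell
#!/bin/sh
# Added example, not code from Future Hosting or WordFence.
# Scans a web document root for leaked private keys and checks whether a
# key file is passphrase-protected. The scanned tree is constructed below.

# find_private_keys DIR
#   Print, one per line, every regular file under DIR (up to 64 KiB, larger
#   than any real key file) whose content contains a PEM or OpenSSH
#   private-key header. Public keys (*.pub) carry no such header.
find_private_keys() {
    find "$1" -type f -size -65536c 2>/dev/null | while IFS= read -r f; do
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# count_private_keys DIR
#   Number of files find_private_keys reports, as a plain integer.
count_private_keys() {
    find_private_keys "$1" | wc -l | tr -d ' '
}

# key_is_unprotected KEYFILE
#   Exit 0 if ssh-keygen can derive the public key using an empty
#   passphrase, i.e. the private key has no passphrase and an attacker who
#   obtains the file can use it as-is; exit non-zero otherwise.
#   Assumes OpenSSH's ssh-keygen is available.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Constructed document root: a leaked private key next to ordinary content.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/.ssh" "$demo_root/assets"
cat > "$demo_root/.ssh/id_rsa" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
placeholder-constructed-for-this-demo-not-real-key-material
-----END OPENSSH PRIVATE KEY-----
EOF
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 user@example\n' \
    > "$demo_root/.ssh/id_ed25519.pub"
printf 'body { color: #000; }\n' > "$demo_root/assets/site.css"

echo "Files under $demo_root that look like private keys:"
find_private_keys "$demo_root"
```

Run it against a real document root by calling find_private_keys with that path; anything it prints should be removed immediately and the corresponding public key revoked on every server, regardless of what key_is_unprotected reports, since a passphrase only buys time against offline cracking.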