Risk Assessment Report
Prepared by SSH Communications Security
Hosts
A total of 22 hosts were scanned during 2012-12-19 – 2020-12-19.
Operating System | Hosts | Portion
Linux Red Hat Enterprise Linux Server release 5.3 (Tikanga) | 5 | 22.73%
Linux squeeze/sid | 4 | 18.18%
Linux Red Hat Enterprise Linux Server release 5.5 (Tikanga) | 3 | 13.64%
Linux Red Hat Enterprise Linux Server release 6.4 (Santiago) | 3 | 13.64%
Linux Kali Linux 1.0 | 2 | 9.09%
Linux Red Hat Enterprise Linux AS release 4 (Nahant Update 6) | 2 | 9.09%
Linux 5.0 | 1 | 4.55%
Linux 6.0.1 | 1 | 4.55%
Linux 6.0.2 | 1 | 4.55%
Total hosts | 22 | 100.00%
Users
A total of 6 user accounts allow public key authentication.
User IDs with Authorized Keys | Total | Per Host
0 (root) | 3 | 0.14
100-499 | 0 | 0.00
500- | 3 | 0.14
Total users | 6 | 0.27
User Keys
A total of 9 private key files and 11 authorized keys were found, amounting to 6 distinct key fingerprints.
Key Disposition | Keys | Portion
Unknown private key | 1 | 16.67%
One private key file found | 3 | 50.00%
Multiple private key files found | 2 | 33.33%
Total distinct key fingerprints | 6 | 100.00%
Private Key Files | Files | Portion
Empty passphrase | 8 | 88.89%
Passphrase-protected | 1 | 11.11%
Total private keys | 9 | 100.00%
Authorized Keys (11 total) | Number | Portion
No forced command | 11 | 100.00%
No source restrictions | 11 | 100.00%
Unknown private key | 3 | 27.27%
Authorized Keys for Root (8 total) | Number | Portion
No forced command | 8 | 100.00%
No source restrictions | 8 | 100.00%
Unknown private key | 0 | 0.00%
Key Algorithm and Size | Keys | Portion
2048-bit RSA | 2 | 33.33%
2048-bit DSA | 1 | 16.67%
1024-bit DSA | 3 | 50.00%
Total keys | 6 | 100.00%
Key Age (by file timestamp) | Files | Portion
Older than 5 years | 0 | 0.00%
Older than 2 years but less than 5 | 1 | 11.11%
1 to 2 years old | 6 | 66.67%
6-12 months | 1 | 11.11%
0-6 months | 1 | 11.11%
Total private keys | 9 | 100.00%
The procedure used to scan for private keys was to examine all files at the top level of ".ssh" and ".ssh2" in each user's home directory.
Private Key Location | Files | Portion
.ssh | 9 | 100.00%
Total private keys | 9 | 100.00%
To cast a wide net for authorized keys, all of the standard locations for these were included in the scan, in addition to any custom locations specified in the server configuration.
Authorized Key Location | Number | Portion
.ssh/authorized_keys | 9 | 81.82%
.ssh/authorized_keys2 | 2 | 18.18%
Total authorized keys | 11 | 100.00%
Host Keys
Host Key Location | Files | Portion
/etc/ssh/ssh_host_dsa_key | 22 | 37.29%
/etc/ssh/ssh_host_ecdsa_key | 2 | 3.39%
/etc/ssh/ssh_host_key | 13 | 22.03%
/etc/ssh/ssh_host_rsa_key | 22 | 37.29%
Total host keys | 59 | 100.00%
Key Algorithm and Size | Keys | Portion
256-bit ECDSA | 1 | 4.35%
2048-bit RSA | 8 | 34.78%
1024-bit RSA | 1 | 4.35%
1024-bit DSA | 9 | 39.13%
2048-bit RSA1 | 3 | 13.04%
1024-bit RSA1 | 1 | 4.35%
Total keys | 23 | 100.00%
This table counts distinct keys: only 23 distinct host keys were found among the 59 host key files, so some host keys are present on more than one host. A host key shared between hosts lets any of them impersonate the others to clients that have recorded it.
Key Age (by file timestamp) | Files | Portion
Older than 5 years | 0 | 0.00%
Older than 2 years but less than 5 | 42 | 71.19%
1 to 2 years old | 11 | 18.64%
6-12 months | 0 | 0.00%
0-6 months | 6 | 10.17%
Total host key files | 59 | 100.00%
Reachability Analysis
The following tables report the results of an analysis of how many hosts would be compromised, directly or indirectly, by the compromise of any particular user key. The first table considers a host to be compromised when any user account on it is compromised. The second table considers a host to be compromised only when a root account (UID 0) on it is compromised. In either case, the rules are as follows:
- Compromising a key compromises all user accounts with a matching authorized key.
- Compromising a user account that does not have a forced command compromises all private keys of that user with an empty passphrase.
- Compromising a root account that does not have a forced command compromises all private keys with an empty passphrase for all users on that host.
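The three rules above define a fixed-point computation over a graph whose nodes are keys and accounts. The Python below is an added example, not the report's own analysis code; it applies the rules to a small constructed data set (hosts h1 to h4, users u1, u2 and root, and fingerprints fp-A to fp-E are all invented labels) and ranks every key by hosts reached and by hosts reached as root, in the shape of the two tables that follow. One interpretation choice is made explicit in the code: "does not have a forced command" is evaluated per authorized_keys entry, so an account reached only through an entry with a forced command is counted as compromised but yields no further keys.

```python
"""Key-compromise reachability following the report's three rules (added example)."""
from collections import namedtuple

# A private key file found on a host: its owner, the owner's UID, and whether the file
# is unencrypted (empty passphrase). Fingerprints here are made-up labels, not real ones.
PrivKey = namedtuple("PrivKey", "host user uid fingerprint empty_passphrase")
# An authorized_keys entry: which account it opens and whether it carries a command= option.
AuthKey = namedtuple("AuthKey", "host user uid fingerprint forced_command")

# Constructed data set (hosts h1..h4, users u1/u2/root, fingerprints fp-A..fp-E are invented).
PRIVATE_KEYS = [
    PrivKey("h1", "u1", 500, "fp-B", True),
    PrivKey("h2", "u2", 501, "fp-C", True),
    PrivKey("h2", "u1", 500, "fp-E", True),
    PrivKey("h3", "root", 0, "fp-D", False),  # passphrase-protected: never harvested
]
AUTHORIZED_KEYS = [
    AuthKey("h1", "u1", 500, "fp-A", False),
    AuthKey("h2", "u1", 500, "fp-A", True),   # forced command: account reached, no shell
    AuthKey("h2", "u2", 501, "fp-B", False),
    AuthKey("h3", "root", 0, "fp-C", False),
    AuthKey("h2", "root", 0, "fp-D", False),
    AuthKey("h4", "root", 0, "fp-E", False),
]


def reach(start_fingerprint, private_keys, authorized_keys):
    """Apply the three rules until nothing changes.

    Returns (accounts, fingerprints): accounts maps (host, user, uid) to True when the
    account was reached through at least one entry without a forced command (so it can
    be used to harvest keys); fingerprints is the set of compromised keys.
    Interpretation: 'does not have a forced command' is judged per authorized_keys entry.
    """
    fingerprints = {start_fingerprint}
    accounts = {}
    changed = True
    while changed:
        changed = False
        # Rule 1: a compromised key compromises every account with a matching authorized key.
        for ak in authorized_keys:
            if ak.fingerprint not in fingerprints:
                continue
            acct, shell = (ak.host, ak.user, ak.uid), not ak.forced_command
            if acct not in accounts or (shell and not accounts[acct]):
                accounts[acct] = shell
                changed = True
        # Rule 2: a shell-capable account yields its own unencrypted private keys.
        # Rule 3: a shell-capable root account yields every unencrypted private key on the host.
        for (host, user, uid), shell in accounts.items():
            if not shell:
                continue
            for pk in private_keys:
                if pk.host == host and pk.empty_passphrase and (uid == 0 or pk.user == user):
                    if pk.fingerprint not in fingerprints:
                        fingerprints.add(pk.fingerprint)
                        changed = True
    return accounts, fingerprints


def hosts_reached(accounts, root_only=False):
    """Hosts with at least one compromised account (optionally only UID 0 accounts)."""
    return {host for (host, _user, uid) in accounts if uid == 0 or not root_only}


def top_keys(private_keys, authorized_keys, root_only=False, n=5):
    """Rank every known fingerprint by hosts reached, like the report's 'Top 5 Keys' tables."""
    all_fps = {k.fingerprint for k in private_keys} | {k.fingerprint for k in authorized_keys}
    ranking = []
    for fp in sorted(all_fps):
        accounts, _ = reach(fp, private_keys, authorized_keys)
        ranking.append((fp, len(hosts_reached(accounts, root_only))))
    ranking.sort(key=lambda item: (-item[1], item[0]))
    return ranking[:n]


if __name__ == "__main__":
    print("by hosts reached:", top_keys(PRIVATE_KEYS, AUTHORIZED_KEYS))
    print("by hosts reached as root:", top_keys(PRIVATE_KEYS, AUTHORIZED_KEYS, root_only=True))
```

In the constructed data, fp-A reaches three hosts but only one root account, because the forced command on u1@h2 stops it from harvesting fp-E; fp-D, which opens root on h2, sweeps up every unencrypted key on that host and reaches root on three hosts. That is the asymmetry the two "Top 5" tables are meant to expose.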
Top 5 Keys by Hosts Reached | Hosts
b5:ba:89:f0:b5:ba:89:f0:b5:ba:89:f0:b5:ba:89:f0 | 3
f6:ba:58:f0:b5:ba:89:0x:ff:1a:89:f0:b5:ba:bb:f0 | 3
Top 5 Keys by Hosts Reached as Root | Hosts
b5:ba:89:f0:b5:ba:89:f0:b5:ba:89:f0:b5:ba:89:f0 | 3
Software Versions
From among the 22 hosts scanned, a total of 21 were found to be listening for SSH connections on localhost:22. These SSH servers reported their versions as follows. The version string is of the form "SSH-protocolversion-softwareversion comments", where the protocol version is normally "2.0" (or "1.99" for compatibility mode).
SSH Server | Hosts | Portion
SSH-2.0-OpenSSH_6.0p1 Debian-4 | 2 | 9.52%
SSH-2.0-OpenSSH_5.5p1 Debian-6 | 1 | 4.76%
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 | 3 | 14.29%
SSH-2.0-OpenSSH_5.3 | 3 | 14.29%
SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2 | 1 | 4.76%
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1 | 1 | 4.76%
SSH-2.0-OpenSSH_4.3 | 8 | 38.10%
SSH-2.0-OpenSSH_3.9p1 | 2 | 9.52%
Total hosts listening on port 22 | 21 | 100.00%
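The identification string format described above (RFC 4253 section 4.2: "SSH-" protoversion "-" softwareversion, optionally followed by a space and comments) is easy to parse, and the protocol version field tells you something the software version alone does not: a server announcing "1.99" still accepts protocol 1 clients. The script below is an added example, not part of the report; SAMPLE_BANNERS mixes three strings from the table above with one invented "1.99" banner and one non-banner line, and the 6.0 cutoff in flag() is an illustrative threshold, not a recommendation from the report.

```python
"""Parse SSH server identification strings (added example)."""
import re
from collections import Counter

# RFC 4253 section 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:[ \t]+(?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")


def parse_banner(line):
    """Return proto/software/comments plus two derived fields, or None if not a banner."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    proto, software = m.group("proto"), m.group("software")
    v = OPENSSH_RE.match(software)
    return {
        "proto": proto,
        "software": software,
        "comments": m.group("comments") or "",
        # "1.99" advertises protocol 2 while still accepting protocol 1 clients;
        # any other "1.x" value is a protocol-1-only server.
        "ssh1_capable": proto.startswith("1."),
        "openssh_version": (int(v.group(1)), int(v.group(2))) if v else None,
    }


# Constructed banner list: the first three strings also appear in the report's table,
# the 1.99 one is invented to show compatibility mode, the last one is junk.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n",
    "SSH-2.0-OpenSSH_4.3\r\n",
    "SSH-2.0-OpenSSH_4.3\r\n",
    "SSH-1.99-OpenSSH_3.9p1\r\n",
    "not a banner",
]


def tally(banners):
    """Count servers by software version string, like the report's table."""
    parsed = [b for b in map(parse_banner, banners) if b]
    return Counter(b["software"] for b in parsed)


def flag(banners, min_openssh=(6, 0)):
    """Banners that still accept protocol 1 or run OpenSSH older than min_openssh (example cutoff)."""
    out = []
    for line in banners:
        b = parse_banner(line)
        if b and (b["ssh1_capable"] or (b["openssh_version"] and b["openssh_version"] < min_openssh)):
            out.append(line.strip())
    return out


if __name__ == "__main__":
    print(tally(SAMPLE_BANNERS))
    print(flag(SAMPLE_BANNERS))
```

Banners can be collected with a plain TCP connect and a read of the first line; the regex tolerates both the CR LF terminator and a bare newline.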
The "ssh" command was found on the path for a total of 22 of 22 hosts. The versions as reported by "ssh -V" were as follows:
SSH Client | Hosts | Portion
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013 | 2 | 9.09%
OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010 | 2 | 9.09%
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 | 3 | 13.64%
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009 | 3 | 13.64%
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007 | 1 | 4.55%
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007 | 1 | 4.55%
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 | 8 | 36.36%
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 | 2 | 9.09%
Total hosts with "ssh" command | 22 | 100.00%
OpenSSH Server Configuration
OpenSSH server configuration files were found on 22 of the 22 hosts. The following table summarizes the non-default directives found in these files. Conditional directives (those following a Match directive) have been omitted. To keep the table readable, only directives taking a numerical value or a value from a fixed set of choices have been included; in particular, all directives intended to specify a filename path or a set of values have been omitted. Where a directive appears more than once in a file, each value found is listed in the Value column (for example "no no"); note that sshd uses the first occurrence of a directive and ignores any later ones.
It is recommended that PermitRootLogin be set to "no" or "forced-commands-only". A total of 22 of 22 configuration files specify a value of "yes" or "without-password".
Configuration Directive | Value | Hosts
ChallengeResponseAuthentication | no | 19
ChallengeResponseAuthentication | no no | 3
ClientAliveCountMax | 0 | 1
ClientAliveCountMax | 99999 0 | 2
ClientAliveInterval | 30 300 | 2
ClientAliveInterval | 300 | 1
DSAAuthentication (nonstandard) | no | 6
GSSAPIAuthentication | yes | 13
IgnoreUserKnownHosts | yes | 11
LogLevel | VERBOSE | 3
MaxAuthTries | 4 | 3
PrintMotd | no | 9
ServerKeyBits | 768 | 9
SyslogFacility | AUTHPRIV | 13
UseDNS | no | 9
UsePAM | yes | 22
X11Forwarding | yes | 22
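The table above is produced by reading each sshd_config, discarding everything from the first Match line onward, keeping only numeric and fixed-choice directives, and comparing them with the compiled-in defaults. The following Python script is an added example of that procedure, not the report's own tooling: it also records duplicated directives, since sshd keeps the first value it reads, and applies the PermitRootLogin check stated above. The DEFAULTS table is an assumption for OpenSSH releases of the era covered by the report (before 7.0, when the PermitRootLogin default changed), and SAMPLE_SSHD_CONFIG is a constructed file, not one taken from a scanned host.

```python
"""Audit an sshd_config the way the report's configuration section does (added example)."""
import re

# Assumed defaults for OpenSSH releases before 7.0; only numeric/choice directives are listed.
DEFAULTS = {
    "permitrootlogin": "yes",
    "challengeresponseauthentication": "yes",
    "clientalivecountmax": "3",
    "clientaliveinterval": "0",
    "gssapiauthentication": "no",
    "ignoreuserknownhosts": "no",
    "loglevel": "INFO",
    "maxauthtries": "6",
    "printmotd": "yes",
    "syslogfacility": "AUTH",
    "usedns": "yes",
    "usepam": "no",
    "x11forwarding": "no",
}

# Constructed sshd_config (not from any scanned host); it repeats two directives and
# ends with a Match block, the two things the report's table treats specially.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin without-password
ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
ClientAliveCountMax 99999
ClientAliveInterval 30
ClientAliveCountMax = 0
UsePAM yes
X11Forwarding yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
Match User backup
    PermitRootLogin no
    X11Forwarding no
"""

# keyword, then whitespace or one '=', then the argument(s)
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*|\s)(.*)$")


def parse_sshd_config(text):
    """Return (directive, value, lineno) tuples for the unconditional section, in file order.

    Directive names are case-insensitive. Everything from the first Match line onwards
    is skipped, as in the report.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        entries.append((key, value, lineno))
    return entries


def effective_values(entries):
    """sshd uses the first value it reads for a directive; later repeats are ignored."""
    effective, duplicates = {}, {}
    for key, value, _lineno in entries:
        if key in effective:
            duplicates.setdefault(key, [effective[key]]).append(value)
        else:
            effective[key] = value
    return effective, duplicates


def audit(text):
    """Effective values, non-default numeric/choice directives, and findings for one file."""
    effective, duplicates = effective_values(parse_sshd_config(text))
    findings = []
    prl = effective.get("permitrootlogin", DEFAULTS["permitrootlogin"])
    if prl.lower() not in ("no", "forced-commands-only"):
        findings.append(f"PermitRootLogin is '{prl}'; set it to 'no' or 'forced-commands-only'")
    for key, values in duplicates.items():
        findings.append(f"{key} set {len(values)} times ({' '.join(values)}); sshd uses the first: {values[0]}")
    non_default = {k: v for k, v in effective.items()
                   if k in DEFAULTS and v.lower() != DEFAULTS[k].lower()}
    return {"effective": effective, "non_default": non_default, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE_SSHD_CONFIG)["findings"]:
        print(line)
```

On the sample the effective ClientAliveCountMax is 99999, not the 0 that appears later in the file, which is exactly the kind of surprise the "99999 0" row in the table can hide; run `audit(open("/etc/ssh/sshd_config").read())` to check a live host the same way.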
User Trust Relationships
The following table summarizes the trust relationships between user accounts. Each row describes the relationships found for the user named in the first column, who has private keys on the number of hosts given in the second column. These private keys collectively provide access to a set of user accounts with corresponding authorized keys. The user names for these accounts are listed in the third column, and the number of hosts involved is given in the fourth column. User names for UIDs from 100 upwards have been anonymized by replacing them with names like u1, u2, u3, etc.
From User | From Hosts | To Users | To Hosts
UNKNOWN | | u1 | 3
root | 1 | root | 3