SSH authorized_keys

Linux / Persistence Mechanisms / Disk Image

Location

/home/<username>/.ssh/authorized_keys and /root/.ssh/authorized_keys

Description

Per-user files listing public keys authorized for SSH key-based authentication. Each entry contains the key type, public key material, and an optional comment field.

Forensic Value

Adding a public key to authorized_keys is a common persistence technique that allows the attacker to return via SSH without a password, bypassing credential rotation. Comparing key fingerprints against known-good keys identifies attacker-added keys. The comment field may contain attacker-identifiable information. Also check for forced-command entries that execute specific binaries on connection, which can serve as hidden backdoors.
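The review described above (parse each entry, compute its fingerprint the way ssh-keygen -l does, compare against a known-good set, and flag forced-command options) as an added worked example; this is not part of the original artifact page or any tool it names. The sample file, the known-good set and the key blobs are constructed in the code, and the list of accepted key-type prefixes is an assumption covering the common OpenSSH types.

```python
import base64
import hashlib
import struct

# Key-type prefixes accepted in authorized_keys (assumption: the common OpenSSH types).
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
                     "sk-ssh-ed25519", "sk-ecdsa-sha2-")


def _split_outside_quotes(text, separators):
    """Split text on any separator character that is not inside double quotes.
    Quotes are kept in the tokens. Backslash-escaped quotes are not handled."""
    tokens, current, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch in separators and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints:
    base64 of the SHA-256 of the decoded key blob, with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line):
    """Parse one authorized_keys line into options, key type, key, comment and fingerprint.
    Returns None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_outside_quotes(line, " \t")
    options = []
    if not fields[0].startswith(KEY_TYPE_PREFIXES):
        # Leading field is the comma-separated options list, e.g. command="...",no-pty
        options = _split_outside_quotes(fields.pop(0), ",")
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    return {
        "options": options,
        "key_type": fields[0],
        "key": fields[1],
        "comment": " ".join(fields[2:]),
        "fingerprint": fingerprint(fields[1]),
    }


def audit(text, known_good_fingerprints):
    """Flag entries whose fingerprint is not in the known-good set and entries that
    carry a forced command. Returns one finding per flagged line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = []
        if entry["fingerprint"] not in known_good_fingerprints:
            reasons.append("fingerprint not in known-good set")
        forced = [o for o in entry["options"] if o.startswith("command=")]
        if forced:
            reasons.append("forced command: " + forced[0])
        if reasons:
            findings.append({"line": lineno, "fingerprint": entry["fingerprint"],
                             "comment": entry["comment"], "reasons": reasons})
    return findings


def _constructed_ed25519_key(seed):
    """Build a syntactically valid ssh-ed25519 public key blob from arbitrary bytes.
    Constructed test data only; there is no matching private key."""
    point = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(blob).decode()


# Constructed sample file: one known key, one unexpected key, one forced-command entry.
KEY_ADMIN = _constructed_ed25519_key(b"admin")
KEY_UNKNOWN = _constructed_ed25519_key(b"unknown")
KEY_BACKUP = _constructed_ed25519_key(b"backup")
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample, not a real authorized_keys file\n"
    f"ssh-ed25519 {KEY_ADMIN} admin@workstation (laptop)\n"
    f"ssh-ed25519 {KEY_UNKNOWN} test\n"
    f'command="/opt/backup/run.sh",no-pty ssh-ed25519 {KEY_BACKUP} backup@nas\n'
)
KNOWN_GOOD = {fingerprint(KEY_ADMIN), fingerprint(KEY_BACKUP)}

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD):
        print("line %d %s (%s): %s" % (f["line"], f["fingerprint"],
                                       f["comment"], "; ".join(f["reasons"])))
```

The fingerprints this produces match the output of the ssh-keygen -l collection command on the page, so a known-good set can be built from key_fingerprints.txt taken on a clean host. A key that is in the known-good set but carries a forced command is still reported, since the option, not the key, is what turns such an entry into a backdoor.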

Tools Required

cat, ssh-keygen -l, find, diff

Collection Commands

find

find /home /root -name "authorized_keys" -exec cp --parents {} /forensics/output/ \;

ssh-keygen

find /home /root -name "authorized_keys" -exec ssh-keygen -l -f {} \; > /forensics/output/key_fingerprints.txt

tar

tar czf /forensics/output/ssh_dirs.tar.gz /home/*/.ssh/ /root/.ssh/

stat

find /home /root -name "authorized_keys" -exec stat {} \; > /forensics/output/authkeys_timestamps.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1098.004, T1021.004, T1078