SSH authorized_keys

Tags: linux, Persistence Mechanisms, Disk Image

Location

/home/<username>/.ssh/authorized_keys and /root/.ssh/authorized_keys

Description

Per-user files listing public keys authorized for SSH key-based authentication. Each entry contains the key type, public key material, and an optional comment field.

Forensic Value

Adding a public key to authorized_keys is a common persistence technique that allows the attacker to return via SSH without a password, bypassing credential rotation. Comparing key fingerprints against known-good keys identifies attacker-added keys. The comment field may contain attacker-identifiable information. Also check for forced-command entries that execute specific binaries on connection, which can serve as hidden backdoors.
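Added example, not part of this reference page: a small Python triage script that parses authorized_keys lines, splits out the options prefix and any command="..." forced command, computes the same SHA256 fingerprint that ssh-keygen -lf reports, and flags entries whose fingerprint is not in a known-good set. The file content and the key blobs are constructed inside the script (not real keys) so it runs offline.

```python
import base64
import hashlib
import re
import struct

KEY_RE = re.compile(
    r"^(?:(?P<opts>.*?)\s+)?(?P<type>(?:ssh-|ecdsa-sha2-|sk-)[\w.@-]+)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")
COMMAND_RE = re.compile(r'command="((?:[^"\\]|\\.)*)"')

def _fake_blob(seed: int) -> str:
    # Constructed ed25519-shaped key material, not a real key: SSH wire format
    # is length-prefixed strings, here the algorithm name then 32 key bytes.
    pub = bytes((seed * 7 + i) % 256 for i in range(32))
    raw = struct.pack(">I11s", 11, b"ssh-ed25519") + struct.pack(">I32s", 32, pub)
    return base64.b64encode(raw).decode()

# Constructed sample file: a plain key, a forced-command entry, an odd comment.
SAMPLE = "\n".join([
    "# constructed sample, not a real file",
    f"ssh-ed25519 {_fake_blob(1)} alice@workstation",
    f'command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {_fake_blob(2)} backup',
    f"ssh-ed25519 {_fake_blob(3)} root@unknown-host",
])

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text: str, known_good: set) -> list:
    """One dict per key line, with the reasons (if any) it deserves a look."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or not (m := KEY_RE.match(line)):
            continue  # comment, blank or malformed line: sshd skips these too
        opts = m.group("opts") or ""
        cmd = COMMAND_RE.search(opts)
        entry = {"type": m.group("type"), "options": opts,
                 "fingerprint": fingerprint(m.group("blob")),
                 "comment": m.group("comment") or "",
                 "command": cmd.group(1) if cmd else None, "reasons": []}
        if entry["fingerprint"] not in known_good:
            entry["reasons"].append("fingerprint not in known-good set")
        if entry["command"] is not None:
            entry["reasons"].append("forced command: " + entry["command"])
        entries.append(entry)
    return entries
```

Feed it the real file with `audit(open(path).read(), known)` where `known` holds the SHA256 fingerprints from your key inventory; a forced command on a known key still warrants a look at the binary it runs.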

Tools Required

cat
ssh-keygen -lf
find
diff