SSH known_hosts & Client Config

Linux, User Activity, Disk Image

Location

/home/<username>/.ssh/known_hosts (and the legacy known_hosts2, which OpenSSH still reads by default), /home/<username>/.ssh/config, /root/.ssh/ (same files for root), /etc/ssh/ssh_config, /etc/ssh/ssh_config.d/*.conf (pulled in by the Include directive on current OpenSSH), /etc/ssh/ssh_known_hosts (system-wide known hosts)

Description

SSH client-side artifacts: known_hosts (one line per host key the user accepted from an SSH server, written at first connection), per-user and system-wide client config files (Host aliases, ProxyJump/ProxyCommand, port forwards, IdentityFile paths, and possibly IdentityAgent socket paths), and the system-wide ssh_known_hosts.

Forensic Value

The known_hosts file records the host key of every SSH server the user connected to and accepted, so it maps lateral movement targets and external infrastructure even after shell history has been cleared. Entries are either plain names (hostname or IP, [host]:port for a non-default port, comma-separated aliases that share one key) or, with HashKnownHosts yes (the default in the Debian and Ubuntu /etc/ssh/ssh_config), |1|salt|hash fields that cannot be enumerated and can only be tested against candidate names: ssh-keygen -F <host> -f <copied known_hosts> reports whether a candidate is present (add -l to print the matching key's fingerprint), so build the candidate list from auth.log on other hosts, shell history, DNS cache, and the address ranges in scope. The recorded host-key fingerprints tie an entry to a specific server even when its name has changed or the entry is hashed. Entries carry no timestamp; new hosts are appended, so line order is the only sequencing available and the file's mtime reflects only the last modification. The SSH config file may reveal attacker-configured ProxyJump/ProxyCommand pivots, LocalForward/RemoteForward/DynamicForward tunnels, or IdentityFile paths pointing at staged keys. Combined with auth.log or journald sshd entries on destination systems, known_hosts reconstructs the SSH lateral movement graph.
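As an added worked example (not part of this artifact page and not OpenSSH code), the following Python script does offline what the paragraph above describes: it parses a known_hosts file, reproduces the HashKnownHosts check that ssh-keygen -F performs (HMAC-SHA1 keyed with the entry's salt over the lowercased hostname), computes the SHA256 fingerprint that ssh-keygen -l would print for each recorded key, and extracts pivot directives from an ssh_config, including the case-insensitive and Keyword=value spellings that a plain grep misses. The sample known_hosts and config contents, the key blob, the fixed salt, the hostnames and the IdentityFile path are all constructed for the example.

```python
"""Offline triage of SSH client artifacts: parse known_hosts (plain and HashKnownHosts entries),
match hashed entries against candidate hosts as ssh-keygen -F does, and extract ssh_config pivots."""
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from any real system); the key blob stands in for a real key.
SAMPLE_KEY_BLOB = base64.b64encode(b"constructed-not-a-real-ssh-key-blob").decode()
FIXED_SALT = bytes(range(20))  # real salts are 20 random bytes, fresh per entry

def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host)).
    OpenSSH lowercases the host first; a non-default port is hashed as [host]:port."""
    digest = hmac.new(salt, hostname.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

SAMPLE_KNOWN_HOSTS = "\n".join([
    "jumpbox.corp.example,10.0.0.5 ssh-ed25519 " + SAMPLE_KEY_BLOB,
    hash_hostname("10.0.0.7", FIXED_SALT) + " ssh-ed25519 " + SAMPLE_KEY_BLOB,
    "[203.0.113.9]:2222 ssh-rsa " + SAMPLE_KEY_BLOB,
    "@revoked old.corp.example ssh-rsa " + SAMPLE_KEY_BLOB,
])
SAMPLE_SSH_CONFIG = """\
Host jump
    HostName 10.0.0.5
    IdentityFile ~/.ssh/.cache/id_ed25519
Host db-internal
    ProxyJump=jump
    LocalForward 5432 10.0.1.20:5432
"""

def fingerprint(key_blob: str) -> str:
    """SHA256 fingerprint in the unpadded-base64 form that ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(key_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> List[Dict]:
    """One dict per entry: hosts field, hashed flag, key type, fingerprint, @marker."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker: Optional[str] = None
        if parts[0].startswith("@"):  # @cert-authority / @revoked
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue  # malformed line; ssh skips it as well
        hosts, keytype, blob = parts[:3]
        entries.append({"line": lineno, "hosts": hosts, "hashed": hosts.startswith("|1|"),
                        "keytype": keytype, "fingerprint": fingerprint(blob), "marker": marker})
    return entries

def match_hashed(hosts_field: str, candidate: str) -> bool:
    """True if a hashed hosts field matches candidate (the test ssh-keygen -F performs)."""
    try:
        _, version, salt_b64, digest_b64 = hosts_field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:  # not a hashed field, or corrupt base64
        return False
    actual = hmac.new(salt, candidate.lower().encode(), hashlib.sha1).digest()
    return version == "1" and hmac.compare_digest(actual, expected)

def resolve_hosts(entries: List[Dict], candidates: List[str]) -> Dict[str, List[str]]:
    """Hostname -> host-key fingerprints; hashed entries resolve only via a matching candidate."""
    found: Dict[str, List[str]] = {}
    for e in entries:
        names = ([c for c in candidates if match_hashed(e["hosts"], c)]
                 if e["hashed"] else e["hosts"].split(","))
        for name in names:
            found.setdefault(name, []).append(e["fingerprint"])
    return found

PIVOT_KEYWORDS = {"proxyjump", "proxycommand", "localforward", "remoteforward",
                  "dynamicforward", "identityfile", "identityagent"}
DIRECTIVE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def parse_ssh_config(text: str) -> List[Tuple[str, str, str]]:
    """(host_pattern, keyword, value) for pivot-relevant directives; keywords are
    case-insensitive and 'Keyword=value' is legal, both of which a plain grep misses."""
    current, results = "*", []
    for raw in text.splitlines():
        line = raw.strip()
        m = DIRECTIVE_RE.match(line)
        if not line or line.startswith("#") or m is None:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            current = value
        elif key in PIVOT_KEYWORDS:
            results.append((current, key, value))
    return results

if __name__ == "__main__":
    print(resolve_hosts(parse_known_hosts(SAMPLE_KNOWN_HOSTS), ["10.0.0.7", "10.0.0.8"]))
    print(parse_ssh_config(SAMPLE_SSH_CONFIG))
```

ssh-keygen -F remains the reference check; the script is for analysis hosts without OpenSSH, and for testing thousands of candidate names against many hashed entries without spawning one process per query. Run it against a copy of the evidence file, never the original.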

Tools Required

cat, ssh-keygen -lF, grep, find

Collection Commands

find

find /home /root -path "*/.ssh/*" \( -name "known_hosts" -o -name "known_hosts2" \) -type f -exec cp -p --parents {} /forensics/output/ \;

find

find /home /root -name "config" -path "*/.ssh/*" -type f -exec cp -p --parents {} /forensics/output/ \;

cat

cat /etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf /etc/ssh/sshd_config 2>/dev/null > /forensics/output/system_ssh_config.txt

grep

grep -rniE "ProxyJump|ProxyCommand|LocalForward|RemoteForward|DynamicForward|IdentityFile" /home/*/.ssh/config /root/.ssh/config /etc/ssh/ssh_config /etc/ssh/ssh_config.d/ 2>/dev/null > /forensics/output/ssh_tunnels.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • With HashKnownHosts yes (the Debian and Ubuntu default) hostnames are not recoverable from the file; only candidate names can be confirmed with ssh-keygen -F <host> -f <copy>. Keep the copy and re-test as the candidate list grows during the investigation.
  • An empty or missing known_hosts is not proof of no SSH activity: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no (common in attacker tooling) leaves no entry, ssh-keygen -R removes a single host, and a UserKnownHostsFile directive in ssh_config can redirect the file entirely, so read the config before trusting the default path.
  • Copy with timestamps preserved (cp -p) and hash the copies; run ssh-keygen only with -F and -f against the copy, never -R or any write operation against the original. ssh_config keywords are case-insensitive and accept Keyword=value, so a case-sensitive grep for the spellings above can miss directives.

MITRE ATT&CK Techniques

T1021.004 (Remote Services: SSH), T1049 (System Network Connections Discovery), T1078 (Valid Accounts)