SSH Daemon Configuration & Host Keys

Linux, Authentication & Access, Disk Image

Location

/etc/ssh/sshd_config, /etc/ssh/sshd_config.d/*, and /etc/ssh/ssh_host_*_key*

Common Names

sshd_config, ssh_host_ed25519_key, ssh_host_rsa_key

Description

OpenSSH daemon configuration files and server host keys that define listener ports, permitted authentication methods, Match blocks, allowlists, and the cryptographic identity of the host.

Forensic Value

Reviewing the sshd configuration reveals whether password authentication, root login, AuthorizedKeysCommand, TCP forwarding, or custom Match rules were changed to support persistence or covert access. Host-key changes can indicate system rebuilds, attacker cloning, or post-compromise tampering intended to defeat host identity checks. Combined with auth logs and authorized_keys evidence, these files establish both how the host exposed SSH access and whether that exposure changed during the incident.

Tools Required

sshd, ssh-keygen, grep, find

Collection Commands

sshd

sshd -T > /forensics/output/sshd_effective_config.txt

find

find /etc/ssh -maxdepth 2 -type f \( -name "sshd_config*" -o -name "ssh_host_*" \) -exec cp --parents {} /forensics/output/ \;

ssh-keygen

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub > /forensics/output/ssh_hostkey_fingerprints.txt 2>/dev/null
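Added example, not part of this artifact entry: a POSIX shell triage script that reads the effective configuration collected with `sshd -T` and flags the settings named under Forensic Value, and compares `ssh-keygen -lf` fingerprint output against a baseline to surface replaced or missing host keys. The function names and all sample lines (config values, fingerprints) are constructed for illustration; run the functions against the real collected files by piping or passing their contents.

```shell
#!/bin/sh
# Added triage helpers (not from the original entry). Input formats mirror
# `sshd -T` (lowercase "keyword value" lines) and `ssh-keygen -lf`
# ("bits SHA256:... comment (TYPE)" lines). All sample data is constructed.

# Constructed stand-in for /forensics/output/sshd_effective_config.txt
SAMPLE_EFFECTIVE_CONFIG='port 22
port 2222
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
authorizedkeyscommand /usr/local/bin/keyhelper %u
authorizedkeyscommanduser root
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
allowtcpforwarding yes'

# Constructed fingerprint sets (placeholder values, not real keys)
BASELINE_FINGERPRINTS='256 SHA256:BASELINEed25519placeholder000000000000000 root@host (ED25519)
3072 SHA256:BASELINErsaplaceholder00000000000000000000 root@host (RSA)
256 SHA256:BASELINEecdsaplaceholder000000000000000000 root@host (ECDSA)'
CURRENT_FINGERPRINTS='256 SHA256:CURRENTed25519placeholder0000000000000000 root@host (ED25519)
3072 SHA256:BASELINErsaplaceholder00000000000000000000 root@host (RSA)'

# review_sshd_effective: read sshd -T style lines on stdin and emit one
# FINDING/INFO line per setting that affects exposure or persistence.
review_sshd_effective() {
    while IFS=' ' read -r key value; do
        if [ -z "$key" ]; then continue; fi
        case "$key" in
            permitrootlogin)
                if [ "$value" != "no" ]; then
                    printf 'FINDING permitrootlogin=%s (root login not disabled)\n' "$value"
                fi ;;
            passwordauthentication)
                if [ "$value" = "yes" ]; then
                    printf 'FINDING passwordauthentication=yes (password auth enabled)\n'
                fi ;;
            permitemptypasswords)
                if [ "$value" = "yes" ]; then
                    printf 'FINDING permitemptypasswords=yes\n'
                fi ;;
            authorizedkeyscommand)
                if [ "$value" != "none" ]; then
                    printf 'FINDING authorizedkeyscommand=%s (keys sourced outside authorized_keys)\n' "$value"
                fi ;;
            allowtcpforwarding)
                if [ "$value" != "no" ]; then
                    printf 'FINDING allowtcpforwarding=%s (review tunnelling use in auth logs)\n' "$value"
                fi ;;
            authorizedkeysfile)
                printf 'INFO authorizedkeysfile=%s (check each path for added keys)\n' "$value" ;;
            port)
                if [ "$value" != "22" ]; then
                    printf 'INFO non-default listener port %s\n' "$value"
                fi ;;
        esac
    done
    return 0
}

# compare_hostkey_fingerprints BASELINE CURRENT: both arguments are the text of
# `ssh-keygen -lf` output; reports OK / CHANGED / MISSING per key type.
compare_hostkey_fingerprints() {
    baseline="$1"
    current="$2"
    printf '%s\n' "$baseline" | while read -r bbits bfp brest; do
        if [ -z "$bbits" ]; then continue; fi
        btype="${brest##* }"          # last field, e.g. "(ED25519)"
        cline=$(printf '%s\n' "$current" | grep -F " $btype" | head -n 1)
        if [ -z "$cline" ]; then
            printf 'MISSING %s (no current key of this type)\n' "$btype"
            continue
        fi
        cfp=$(printf '%s\n' "$cline" | cut -d' ' -f2)
        if [ "$cfp" = "$bfp" ]; then
            printf 'OK %s %s\n' "$btype" "$bfp"
        else
            printf 'CHANGED %s baseline=%s current=%s\n' "$btype" "$bfp" "$cfp"
        fi
    done
    return 0
}

# Run both checks against the constructed samples.
printf '%s\n' "$SAMPLE_EFFECTIVE_CONFIG" | review_sshd_effective
compare_hostkey_fingerprints "$BASELINE_FINGERPRINTS" "$CURRENT_FINGERPRINTS"
```

On a real collection, feed `sshd_effective_config.txt` to `review_sshd_effective` and a pre-incident `ssh-keygen -lf` capture plus the freshly collected fingerprints to `compare_hostkey_fingerprints`. A CHANGED key type is only meaningful alongside the package and boot history noted under Collection Constraints, since minimal images regenerate host keys legitimately.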

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Packaging, include paths, and key algorithms vary by distribution and OpenSSH version. Container images and minimal builds may omit host keys or regenerate them at boot.

MITRE ATT&CK Techniques

T1098.004, T1021.004, T1556