SSH Excessive Keys Risk - Do You Have Too Many SSH Keys?


Date: December 12, 2024
Author: The Sandfly Security Team

Do you have too many SSH keys on Linux? Probably. Having too many SSH keys on a Linux account presents a credential theft and backdoor risk. Besides not knowing who can log in to an account whose authorized_keys file holds a pile of keys, a crowded file also makes it easy to miss backdoor keys placed there by attackers. In this video we discuss the risk and how to spot it with command line tools on Linux, as well as with agentless Sandfly used as an EDR.

It is not uncommon to find orphaned keys in SSH authorized_keys files that people no longer use, but we've also seen key managers leave behind credentials that weren't supposed to remain. Finally, we've seen malware insert duplicate keys over and over as it re-infects hosts to maintain persistent backdoors. We highly recommend checking your systems for excessive keys and working with users to reduce their numbers where you find them.
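The two conditions described above, a key count that is simply too high and the same key material re-added again and again, are both easy to check from the shell. The script below is an added example for this article, not Sandfly's code or the tooling shown in the video. It counts the entries in an authorized_keys file, detects keys whose type and base64 material repeat (ignoring leading options such as command= and the trailing comment, so a re-inserted key under a different comment is still caught), and flags any file over an assumed policy threshold of three keys (the threshold is an illustrative choice, not an OpenSSH setting). The sample authorized_keys file is constructed inline and its key material is fake.

```shell
#!/bin/sh
# Added example (not Sandfly's code): audit authorized_keys files for
# excessive and duplicate SSH keys.

# count_keys FILE -> number of key entries (blank lines and comments skipped).
count_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# duplicate_keys FILE -> prints the "type base64" pair of every key that
# appears more than once. Leading options (command=, no-pty, ...) and the
# trailing comment are ignored, so the same key re-added under a different
# comment is still reported.
duplicate_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -oE '(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/=]+' \
      | sort | uniq -d
}

# audit_file FILE [THRESHOLD] -> one report line per existing file.
# THRESHOLD (default 3) is an assumed policy value for this example.
audit_file() {
    file=$1
    threshold=${2:-3}
    [ -f "$file" ] || return 0
    n=$(count_keys "$file")
    dups=$(duplicate_keys "$file" | wc -l | tr -d ' ')
    status=""
    [ "$n" -gt "$threshold" ] && status="EXCESSIVE"
    [ "$dups" -gt 0 ] && status="${status}${status:+ }DUPLICATE"
    status=${status:-OK}
    printf '%s keys=%s duplicates=%s %s\n' "$file" "$n" "$dups" "$status"
}

# audit_all [THRESHOLD] -> check the default key locations of every account
# known to NSS (falls back to /etc/passwd if getent is unavailable).
# Run as root so that other users' .ssh directories are readable.
audit_all() {
    threshold=${1:-3}
    { getent passwd 2>/dev/null || cat /etc/passwd; } \
      | while IFS=: read -r name pw uid gid gecos home shell; do
            for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
                audit_file "$f" "$threshold"
            done
        done
}

# Constructed sample file: five entries, one of them inserted twice,
# one carrying forced-command options. The key material is fake.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample for the example: these keys do not authenticate anywhere
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneNotARealKey000000000000 alice@laptop

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeRsaKeyMaterialForTheExampleOnly alice@old-laptop
command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBackupKeyExampleOnly0000000000000000 backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuplicatedExampleKeyMaterial0000000 root@unknown
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuplicatedExampleKeyMaterial0000000
EOF

# Demo on the constructed sample; pass --system [THRESHOLD] to audit real accounts.
audit_file "$SAMPLE" 3
if [ "${1:-}" = "--system" ]; then
    audit_all "${2:-3}"
fi
```

Two caveats when running this against real hosts: sshd only reads the paths named by AuthorizedKeysFile in its effective configuration, which an attacker can change, so confirm them first with `sshd -T | grep -i authorizedkeysfile` (as root) and audit those paths; and a key that appears only once can still be a backdoor, so use the counts and duplicates as a starting point for reviewing every key with its owner, not as a verdict.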

Sandfly can find this and many other types of Linux attack without deploying any endpoint agents. Get your free license today or contact us for more information.

Let Sandfly keep your Linux systems secure.
