Risk Assessment Report
Prepared by SSH Communications Security
Hosts
A total of 57 hosts were scanned during 2013-04-29 – 2013-04-29.

| Operating System | Hosts | Portion |
| --- | --- | --- |
| Linux SUSE Linux Enterprise Server 10 (x86_64) | 8 | 14.04% |
| Linux SUSE Linux Enterprise Server 11 (i586) | 8 | 14.04% |
| Linux SUSE Linux Enterprise Server 10 (i586) | 7 | 12.28% |
| Linux SUSE Linux Enterprise Server 11 (x86_64) | 7 | 12.28% |
| Linux CentOS Linux release 6.0 (Final) | 5 | 8.77% |
| Linux CentOS release 6.2 (Final) | 4 | 7.02% |
| Linux Red Hat Enterprise Linux Server release 5 (Tikanga) | 4 | 7.02% |
| Linux CentOS release 6.3 (Final) | 3 | 5.26% |
| Linux CentOS release 5.6 (Final) | 2 | 3.51% |
| Linux Oracle Linux Server release 6.3 | 2 | 3.51% |
| SunOS 5.10 | 2 | 3.51% |
| AIX 5.3 | 1 | 1.75% |
| Darwin 10.8.3 | 1 | 1.75% |
| HP-UX B.11.23 | 1 | 1.75% |
| Linux Red Hat Enterprise Linux Server release 6.1 (Santiago) | 1 | 1.75% |
| Linux wheezy/sid | 1 | 1.75% |
| Total hosts | 57 | 100.00% |

Users
A total of 150 user accounts allow public key authentication.

| User IDs with Authorized Keys | Total | Per Host |
| --- | --- | --- |
| 0 (root) | 43 | 0.75 |
| 9 | 1 | 0.02 |
| 11 | 1 | 0.02 |
| 12 | 1 | 0.02 |
| 100-499 | 9 | 0.16 |
| 500- | 95 | 1.67 |
| Total users | 150 | 2.63 |

User Keys
A total of 421 private key files and 927 authorized keys were found, amounting to 1063 distinct key fingerprints.

| Key Disposition | Keys | Portion |
| --- | --- | --- |
| Unknown private key | 704 | 66.23% |
| One private key file found | 328 | 30.86% |
| Multiple private key files found | 31 | 2.92% |
| Total distinct key fingerprints | 1063 | 100.00% |

| Private Key Files | Files | Portion |
| --- | --- | --- |
| Empty passphrase | 405 | 96.20% |
| Passphrase-protected | 13 | 3.09% |
| Unable to analyze | 3 | 0.71% |
| Total private keys | 421 | 100.00% |

| Authorized Keys (927 total) | Number | Portion |
| --- | --- | --- |
| No forced command | 904 | 97.52% |
| No source restrictions | 833 | 89.86% |
| Unknown private key | 801 | 86.41% |

| Authorized Keys for Root (688 total) | Number | Portion |
| --- | --- | --- |
| No forced command | 683 | 99.27% |
| No source restrictions | 650 | 94.48% |
| Unknown private key | 677 | 98.40% |

| Key Algorithm and Size | Keys | Portion |
| --- | --- | --- |
| 256-bit ECDSA | 1 | 0.09% |
| 10240-bit RSA | 1 | 0.09% |
| 8000-bit RSA | 1 | 0.09% |
| 7000-bit RSA | 1 | 0.09% |
| 4096-bit RSA | 4 | 0.38% |
| 3072-bit RSA | 4 | 0.38% |
| 2048-bit RSA | 828 | 77.89% |
| 1024-bit RSA | 191 | 17.97% |
| 4096-bit DSA | 1 | 0.09% |
| 3072-bit DSA | 1 | 0.09% |
| 2048-bit DSA | 7 | 0.66% |
| 1024-bit DSA | 22 | 2.07% |
| 2048-bit RSA1 | 1 | 0.09% |
| Total keys | 1063 | 100.00% |

| Key Age (by file timestamp) | Files | Portion |
| --- | --- | --- |
| Older than 5 years | 0 | 0.00% |
| Older than 2 years but less than 5 | 0 | 0.00% |
| One year old | 34 | 8.08% |
| 6-12 months | 73 | 17.34% |
| 0-6 months | 314 | 74.58% |
| Total private keys | 421 | 100.00% |

The procedure used to scan for private keys was to examine all files at the top level of ".ssh" and ".ssh2" in each user's home directory.

| Private Key Location | Files | Portion |
| --- | --- | --- |
| .ssh | 385 | 91.45% |
| .ssh2 | 36 | 8.55% |
| Total private keys | 421 | 100.00% |

To cast a wide net for authorized keys, all of the standard locations for these were included in the scan, in addition to any custom locations specified in the server configuration.

| Authorized Key Location | Number | Portion |
| --- | --- | --- |
| .ssh/authorized_keys | 715 | 77.13% |
| .ssh/authorized_keys2 | 2 | 0.22% |
| .ssh2/authorization | 194 | 20.93% |
| .ssh2/authorized_keys | 6 | 0.65% |
| /opt/ssh_keys/%u/.ssh/authorized_keys | 10 | 1.08% |
| Total authorized keys | 927 | 100.00% |

Host Keys

| Host Key Location | Files | Portion |
| --- | --- | --- |
| /etc/opt/quest/ssh/ssh_host_dsa_key | 3 | 1.53% |
| /etc/opt/quest/ssh/ssh_host_key | 2 | 1.02% |
| /etc/opt/quest/ssh/ssh_host_rsa_key | 3 | 1.53% |
| /etc/opt/ssh/ssh_host_dsa_key | 1 | 0.51% |
| /etc/opt/ssh/ssh_host_key | 1 | 0.51% |
| /etc/opt/ssh/ssh_host_rsa_key | 1 | 0.51% |
| /etc/ssh/ssh_host_dsa_key | 54 | 27.55% |
| /etc/ssh/ssh_host_ecdsa_key | 1 | 0.51% |
| /etc/ssh/ssh_host_key | 51 | 26.02% |
| /etc/ssh/ssh_host_rsa_key | 54 | 27.55% |
| /etc/ssh2/hostkey | 21 | 10.71% |
| /etc/ssh_host_dsa_key | 1 | 0.51% |
| /etc/ssh_host_ecdsa_key | 1 | 0.51% |
| /etc/ssh_host_key | 1 | 0.51% |
| /etc/ssh_host_rsa_key | 1 | 0.51% |
| Total host keys | 196 | 100.00% |

| Key Algorithm and Size | Keys | Portion |
| --- | --- | --- |
| 256-bit ECDSA | 2 | 1.18% |
| 2048-bit RSA | 43 | 25.29% |
| 1536-bit RSA | 19 | 11.18% |
| 1024-bit RSA | 5 | 2.94% |
| 768-bit RSA | 1 | 0.59% |
| 2048-bit DSA | 7 | 4.12% |
| 1024-bit DSA | 45 | 26.47% |
| 2048-bit RSA1 | 34 | 20.00% |
| 1024-bit RSA1 | 14 | 8.24% |
| Total keys | 170 | 100.00% |

| Key Age (by file timestamp) | Files | Portion |
| --- | --- | --- |
| Older than 5 years | 3 | 1.53% |
| Older than 2 years but less than 5 | 5 | 2.55% |
| One year old | 76 | 38.78% |
| 6-12 months | 22 | 11.22% |
| 0-6 months | 90 | 45.92% |
| Total private keys | 196 | 100.00% |

Reachability Analysis
The following tables report the results of an analysis of how many hosts would be compromised, directly or indirectly, by the compromise of any particular user key. The first table considers a host to be compromised when any user account is compromised. The second table considers a host to be compromised only when a root account (UID=0) is compromised. In either case, the rules are as follows:

- Compromising a key compromises all user accounts with a matching authorized key.
- Compromising a user account that does not have a forced command compromises all private keys of that user with an empty passphrase.
- Compromising a root account that does not have a forced command compromises all private keys with an empty passphrase for all users on that host.

| Top 5 Keys by Hosts Reached | Hosts |
| --- | --- |
| 25:54:b2:39:9a:e6:7d:4b:78:23:69:5b:58:2e:ed:7e | 10 |
| fe:66:09:fb:83:84:52:88:81:58:66:bd:5c:5a:71:1b | 8 |
| fe:2a:e6:49:d4:df:d8:c2:8b:84:fc:75:d0:33:37:c6 | 8 |
| f9:5b:2e:79:38:14:b0:b5:7b:54:d5:21:0b:d3:18:cc | 8 |
| f5:e9:f0:0c:3a:63:05:70:22:ee:78:44:59:ad:f1:65 | 8 |

| Top 5 Keys by Hosts Reached as Root | Hosts |
| --- | --- |
| 25:54:b2:39:9a:e6:7d:4b:78:23:69:5b:58:2e:ed:7e | 7 |
| f5:e9:f0:0c:3a:63:05:70:22:ee:78:44:59:ad:f1:65 | 6 |
| fe:2a:e6:49:d4:df:d8:c2:8b:84:fc:75:d0:33:37:c6 | 4 |
| fc:7d:60:70:f9:fb:c0:5b:d3:96:bc:89:f0:79:19:77 | 4 |
| f2:03:a6:79:69:c8:29:d4:6f:b9:45:7a:37:28:e1:41 | 4 |

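The three reachability rules above, worked as an added Python example over a constructed inventory (not the report's data and not the vendor's analysis code): hosts, accounts with their UIDs, the authorized keys each accepts and the private key files each owns. The fingerprints K1 to K5 are placeholders.

```python
from collections import deque, namedtuple
# Constructed sample inventory, not data from the report. Each account lists
# the authorized keys it accepts as (fingerprint, has_forced_command) and the
# private key files it owns as (fingerprint, has_empty_passphrase).
Account = namedtuple("Account", "host user uid authorized private")
INVENTORY = [
    Account("web1", "root",   0,   [("K1", False)], [("K2", True)]),
    Account("web1", "app",    500, [],              [("K3", True)]),
    Account("db1",  "app",    500, [("K2", False)], [("K4", False)]),  # K4 has a passphrase
    Account("db1",  "root",   0,   [("K3", True)],  [("K5", True)]),   # K3 only via forced command
    Account("bak1", "root",   0,   [("K5", False)], []),
    Account("bak1", "backup", 501, [("K3", False)], []),
]

def hosts_reached(seed_fp, root_only=False):
    """Hosts compromised, directly or indirectly, by key seed_fp under the report's
    three rules. With root_only, a host counts only via one of its UID 0 accounts."""
    keys, queue, shells, reached = {seed_fp}, deque([seed_fp]), set(), set()
    while queue:
        fp = queue.popleft()
        for acct in INVENTORY:
            for auth_fp, forced in acct.authorized:
                if auth_fp != fp:
                    continue
                # Rule 1: a matching authorized key compromises the account.
                if not root_only or acct.uid == 0:
                    reached.add(acct.host)
                # A forced command yields no shell, so no further keys are taken.
                if forced or (acct.host, acct.user) in shells:
                    continue
                shells.add((acct.host, acct.user))
                # Rule 2: the user's own empty-passphrase private keys are usable;
                # Rule 3: for root, every empty-passphrase key on the host is.
                for victim in INVENTORY:
                    if victim.host != acct.host:
                        continue
                    if acct.uid != 0 and victim.user != acct.user:
                        continue
                    for priv_fp, empty in victim.private:
                        if empty and priv_fp not in keys:
                            keys.add(priv_fp)
                            queue.append(priv_fp)
    return reached

def top_keys(n=5, root_only=False):
    """Rank every fingerprint in the inventory by hosts reached, as in the two tables."""
    fps = {fp for a in INVENTORY for fp, _ in a.authorized + a.private}
    ranked = sorted(((len(hosts_reached(fp, root_only)), fp) for fp in fps),
                    key=lambda t: (-t[0], t[1]))
    return [(fp, count) for count, fp in ranked[:n]]
```

In the sample, K1 reaches all three hosts because root on web1 exposes every unprotected key there, while K3 reaches db1 as root only through a forced command and so cannot go on to take K5.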
Software Versions
From among the 57 hosts scanned, a total of 57 were found to be listening for SSH connections on localhost:22. These SSH servers reported their versions as follows. The version string is of the form "SSH-protocolversion-softwareversion comments", where the protocol version is normally "2.0" (or "1.99" for compatibility mode).

| SSH Server | Hosts | Portion |
| --- | --- | --- |
| SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1 | 1 | 1.75% |
| SSH-2.0-OpenSSH_5.9 | 1 | 1.75% |
| SSH-2.0-OpenSSH_5.3 | 11 | 19.30% |
| SSH-2.0-OpenSSH_5.2p1_q17.gM-hpn13v6 | 3 | 5.26% |
| SSH-2.0-OpenSSH_5.1 | 8 | 14.04% |
| SSH-2.0-OpenSSH_5.0 | 1 | 1.75% |
| SSH-2.0-OpenSSH_4.3 | 5 | 8.77% |
| SSH-2.0-OpenSSH_4.2 | 2 | 3.51% |
| SSH-2.0-6.4.0.240 SSH Tectia Server | 1 | 1.75% |
| SSH-2.0-6.3.5.96 SSH Tectia Server | 1 | 1.75% |
| SSH-2.0-6.3.5.93 SSH Tectia Server | 2 | 3.51% |
| SSH-2.0-6.3.5.81 SSH Tectia Server | 1 | 1.75% |
| SSH-2.0-6.3.4.24 SSH Tectia Server | 2 | 3.51% |
| SSH-2.0-6.3.3.81 SSH Tectia Server | 3 | 5.26% |
| SSH-2.0-6.3.2.33 SSH Tectia Server | 1 | 1.75% |
| SSH-2.0-6.3.0.76 SSH Tectia Server | 2 | 3.51% |
| SSH-2.0-6.2.4.237 SSH Tectia Server | 2 | 3.51% |
| SSH-1.99-OpenSSH_4.2 | 10 | 17.54% |
| Total hosts listening on port 22 | 57 | 100.00% |

The "ssh" command was found on the path for a total of 55 of 57 hosts. The versions as reported by "ssh -V" were as follows:

| SSH Client | Hosts | Portion |
| --- | --- | --- |
| ssh: Tectia Client 6.3.4 on x86_64-unknown-linux-gnu | 1 | 1.82% |
| Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f | 1 | 1.82% |
| OpenSSH_6.1p1, OpenSSL 0.9.8r 8 Feb 2011 | 1 | 1.82% |
| OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012 | 1 | 1.82% |
| OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7, OpenSSL 0.9.8n 24 Mar 2010 | 1 | 1.82% |
| OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 | 15 | 27.27% |
| OpenSSH_5.2p1_q17.gM-hpn13v6, OpenSSL 0.9.8o 01 Jun 2010 | 3 | 5.45% |
| OpenSSH_5.1p1, OpenSSL 0.9.8j-fips 07 Jan 2009 | 2 | 3.64% |
| OpenSSH_5.1p1, OpenSSL 0.9.8h 28 May 2008 | 3 | 5.45% |
| OpenSSH_5.1p1, OpenSSL 0.9.8e 23 Feb 2007 | 8 | 14.55% |
| OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008 | 1 | 1.82% |
| OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 | 2 | 3.64% |
| OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 | 3 | 5.45% |
| OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005 | 13 | 23.64% |
| Total hosts with "ssh" command | 55 | 100.00% |

OpenSSH Server Configuration
OpenSSH server configuration files were found on 53 of the 57 hosts. Additionally, Quest OpenSSH server configuration files were found on 3 of the 57 hosts (not necessarily different ones). The following table summarizes the non-default directives found in these files. Conditional directives (those following a Match directive) have been omitted. To keep the table readable, only directives taking a numerical value or a value from a fixed set of choices have been included. In particular, all directives intended to specify a filename path or a set of values have been omitted.

It is recommended that PermitRootLogin be set to "no" or "forced-commands-only". A total of 55 of 56 configuration files specify a value of "yes" or "without-password".

| Configuration Directive | Value | Hosts |
| --- | --- | --- |
| AllowTcpForwarding | no | 1 |
| ChallengeResponseAuthentication | no | 22 |
| GSSAPIAuthentication | yes | 23 |
| KeepAlive (nonstandard) | yes | 1 |
| LogLevel | INFO | 1 |
| LogLevel | VERBOSE | 33 |
| LoginGraceTime | 600 | 1 |
| MaxAuthTries | 10 | 1 |
| MaxAuthTries | 8 | 1 |
| MaxAuthTriesLog (nonstandard) | 3 | 1 |
| PAMAuthenticationViaKBDInt (nonstandard) | yes | 1 |
| PasswordAuthentication | no | 3 |
| PermitRootLogin | no | 1 |
| Port | 222 | 12 |
| PrintMotd | no | 2 |
| RhostsAuthentication (nonstandard) | no | 1 |
| ServerKeyBits | 768 | 2 |
| SyslogFacility | AUTH | 1 |
| SyslogFacility | AUTHPRIV | 22 |
| SyslogFacility | INFO | 1 |
| UsePAM | yes | 51 |
| X11Forwarding | yes | 52 |

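An added Python example, not the report's or the vendor's tooling, showing how a scanner can extract the unconditional directives from an sshd_config (stopping at the first Match line and keeping the first value of a repeated keyword, as sshd does) and apply the PermitRootLogin check stated above. The sample file and the table of compiled-in defaults are assumptions for OpenSSH releases of the report's era.

```python
import re
# Constructed sample sshd_config, not one of the files the report examined.
SAMPLE_SSHD_CONFIG = """\
Port 222
Protocol 2
# PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication no
MaxAuthTries 10
# sshd keeps the first value of a repeated keyword, so the next line is ignored
MaxAuthTries 3
Match User backup
    PermitRootLogin no
    ForceCommand /usr/bin/rsync --server
"""

# Assumed compiled-in defaults of OpenSSH releases of the report's era
# (PermitRootLogin defaulted to "yes" before OpenSSH 7.0) for the directives below.
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes",
            "maxauthtries": "6", "x11forwarding": "no", "usepam": "no",
            "loglevel": "INFO", "challengeresponseauthentication": "yes"}

def effective_directives(text):
    """Return {directive: value} for the unconditional part of an sshd_config:
    everything from the first Match line on is skipped, as the report does, and
    a repeated directive keeps its first value, as sshd itself does."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                         # keywords are case-insensitive
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(key, value)
    return found

def non_default(found):
    """Explicit settings that differ from the assumed compiled-in default."""
    return {k: v for k, v in found.items()
            if k in DEFAULTS and DEFAULTS[k].lower() != v.lower()}

def root_login_flagged(found):
    """True when PermitRootLogin, explicit or defaulted, is one of the two values
    the report flags ("yes" or "without-password")."""
    value = found.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    return value in ("yes", "without-password")
```

Note that a file with no PermitRootLogin line at all is flagged as well, because the default of that era was "yes"; the "no" inside the Match block does not change the unconditional setting.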
User Trust Relationships
The following table summarizes the trust relationships between user accounts. Each row describes the relationships found for the user named in the first column, who has private keys on the number of hosts given in the second column. These private keys collectively provide access to a set of user accounts with corresponding authorized keys. The user names for these accounts are listed in the third column, and the number of hosts involved is given in the fourth column. User names for UIDs from 100 upwards have been anonymized by replacing them with names like u1, u2, u3, etc.

| From User | From Hosts | To Users | To Hosts |
| --- | --- | --- | --- |
| UNKNOWN | | as, operator, pytafroot, root, u02, u03, u04, u05, u06, u07, u08, u10, u13, u17, u18, u19, u21, u23, u24, u25, u27, u28, u31, u33, u34, u37, u38, u39, u46, u48, u49, u51, u52, u54, u56, u59, u61, u62, u63, u64, u66 | 51 |
| man | 1 | games, news, operator, root | 3 |
| root | 7 | games, news, operator, root, u21, u29, u37, u66 | 10 |
| u06 | 2 | u38 | 2 |
| u09 | 3 | u02, u43 | 3 |
| u12 | 1 | u33 | 1 |
| u14 | 3 | u01, u02, u43, u45 | 3 |
| u16 | 1 | u16 | 1 |
| u19 | 1 | u19, u48 | 1 |
| u20 | 3 | u41, u43, u45 | 3 |
| u21 | 2 | u10, u30 | 2 |
| u22 | 3 | u01, u02, u35, u43, u45 | 3 |
| u25 | 1 | u66 | 1 |
| u32 | 1 | u60 | 1 |
| u34 | 1 | u34 | 1 |
| u36 | 3 | u41, u45, u50, u63 | 3 |
| u37 | 4 | root, u10, u21, u37, u42 | 6 |
| u38 | 2 | u06 | 2 |
| u39 | 2 | u39, u64 | 2 |
| u40 | 1 | u54, u63 | 1 |
| u44 | 2 | root, u08, u26, u44 | 3 |
| u46 | 1 | u46 | 1 |
| u48 | 2 | games, news, operator, root, u48 | 4 |
| u53 | 2 | u41, u50 | 2 |
| u55 | 1 | u11 | 1 |
| u57 | 3 | u45, u47 | 3 |
| u58 | 2 | u41, u45 | 2 |
| u64 | 1 | u39, u64 | 2 |
| u65 | 4 | u15, u41, u45, u50 | 4 |