
Is the server capable of reading a public key from somewhere other than the default authorized_keys? I have a Linux-based server managed by more than one admin. One of them has resigned from the company. I'm having a thought that he may have added something like backdoor access. Just to be sure if this is possible. Thanks.

Zaim

2 Answers


While to some extent you have to trust people, if you do not trust this person you can activate a security incident response plan. Take a comprehensive approach as suggested in the canonical question regarding How do I deal with a compromised server?

From the sshd manual, note that the AuthorizedKeysFile directive can change the file used for users' public keys for authentication. Just looking at this is not sufficient on a compromised host, as they can just as easily run a different, hidden sshd or other malware.

John Mahowald

First of all, if someone is knowledgeable and unscrupulous, and has had full access to a machine, you can't completely guarantee that the machine isn't compromised.

That said, if you just want to check for a couple of simple things related to your question:

  1. Check the sshd config (likely /etc/ssh/sshd_config), to see if it contains multiple values for AuthorizedKeysFile.
  2. If you still have the user's original ~/.ssh/authorized_keys, grep the other home directories for the same key values to confirm they didn't simply append their key to that of another user account with administrative access to the server.
  3. Run visudo, and also check your /etc/passwd to search for unexpected privileges and user accounts.
Mikael H
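The following script is an added example, not code from either answer. It turns the AuthorizedKeysFile point in the first answer and the three checks in the second into functions you can run against a filesystem tree: every AuthorizedKeysFile value in sshd_config (including lower-case spellings and values inside Match blocks), the departed admin's key blobs searched for in every other user's authorized_keys, accounts with UID 0, and the active sudoers grants. Everything it inspects is assumed: the departed admin's login name `alice`, the other users, the sudoers file and the key blobs are a constructed fixture built in a temporary directory so the script runs offline; the key strings are placeholders, not real keys. Set `ROOT=/` and run it as root to point it at a real host instead.

```shell
#!/bin/sh
# Added example (not from the original answers). With no ROOT set it builds a
# constructed fixture in a temp dir; ROOT=/ (as root) inspects the real host.
if [ -z "${ROOT:-}" ]; then ROOT=$(mktemp -d); FIXTURE=1; fi
ROOT=${ROOT%/}
SSHD_CONFIG="$ROOT/etc/ssh/sshd_config"
HOMES="$ROOT/home"
PASSWD="$ROOT/etc/passwd"
SUDOERS="$ROOT/etc/sudoers"

# Constructed fixture: hypothetical departed admin "alice" left three traces.
# Key blobs are made-up placeholders, not real public keys.
build_fixture() {
    mkdir -p "$ROOT/etc/ssh" "$HOMES/alice/.ssh" "$HOMES/bob/.ssh" "$HOMES/deploy/.ssh"
    cat >"$SSHD_CONFIG" <<'EOF'
Port 22
# a second, out-of-the-way key file, plus a third one inside a Match block
AuthorizedKeysFile .ssh/authorized_keys /var/lib/misc/%u.keys
Match User deploy
    authorizedkeysfile /etc/ssh/deploy_keys
EOF
    echo 'ssh-ed25519 AAAAC3FAKEALICEKEYblob alice@laptop' >"$HOMES/alice/.ssh/authorized_keys"
    # alice's key appended to bob's file, hidden behind a forced-command option
    printf '%s\n' 'ssh-ed25519 AAAAC3FAKEBOBKEYblob bob@desk' \
        'command="/bin/sh" ssh-ed25519 AAAAC3FAKEALICEKEYblob alice@laptop' \
        >"$HOMES/bob/.ssh/authorized_keys"
    echo 'ssh-rsa AAAAB3FAKEDEPLOYKEYblob deploy' >"$HOMES/deploy/.ssh/authorized_keys"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'toor:x:0:0::/root:/bin/bash' >"$PASSWD"   # a second UID-0 login
    printf '%s\n' '# /etc/sudoers' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' 'deploy ALL=(ALL) NOPASSWD: ALL' >"$SUDOERS"
}
if [ -n "${FIXTURE:-}" ]; then build_fixture; fi

# Check 1: every AuthorizedKeysFile value. sshd keywords are case-insensitive,
# one line may list several files, and Match blocks may add more.
authorized_keys_paths() {
    awk 'tolower($1) == "authorizedkeysfile" { for (i = 2; i <= NF; i++) print $i }' \
        "$SSHD_CONFIG" | sort -u
}

# Check 2: look for the departed admin's key blobs in every other user's
# authorized_keys. The blob is the field after the key type, so options such
# as command="..." placed in front of the key do not hide it.
find_key_reuse() {
    suspect_file="$HOMES/$1/.ssh/authorized_keys"
    [ -r "$suspect_file" ] || return 0
    awk '!/^[ \t]*(#|$)/ { for (i = 1; i < NF; i++)
             if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); break } }' "$suspect_file" |
    while read -r blob; do
        for f in "$HOMES"/*/.ssh/authorized_keys; do
            case "$f" in "$suspect_file") continue ;; esac
            if grep -qF -- "$blob" "$f" 2>/dev/null; then
                printf '%s reused in %s\n' "$blob" "$f"
            fi
        done
    done
}

# Check 3a: every UID-0 account; anything besides root is a root-equivalent login.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$PASSWD"
}

# Check 3b: active sudoers grants. visudo is interactive and visudo -c only
# validates syntax, so this lists who gets what (sudoers.d would need the same pass).
sudoers_grants() {
    grep -Ev '^[[:space:]]*(#|$|Defaults)' "$SUDOERS" || true
}

report() {
    echo "== AuthorizedKeysFile paths in $SSHD_CONFIG"; authorized_keys_paths
    echo "== keys of '$1' reused by other accounts";  find_key_reuse "$1"
    echo "== UID 0 accounts";                         uid0_accounts
    echo "== sudoers grants";                         sudoers_grants
}
report "${1:-alice}"
```

The script reads files only, so it does not follow an `Include` line in sshd_config; on a live host, `sshd -T | grep -i authorizedkeysfile` (as root) prints the effective value with included files resolved, with the caveat from the first answer that on a compromised host the sshd binary reporting that value may itself have been replaced.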