SSH Probe
The ssh probe examines your SSH configuration files and private keys for security issues.
| Check | Finding ID | Severity | Description |
|---|---|---|---|
| Host Key Checking | ssh-strict-host-key-checking-disabled | High | StrictHostKeyChecking=no |
| Known Hosts | ssh-known-hosts-disabled | High | UserKnownHostsFile=/dev/null |
| Agent Forwarding | ssh-forward-agent-enabled | Medium | ForwardAgent=yes |
| Key Permissions | ssh-key-insecure-permissions | High | Private key not 0600 |
| Unencrypted Keys | ssh-private-key-* | Critical/Low | Detected by SSH key detector |
Files examined:
- ~/.ssh/config
- ~/.ssh/*.key, ~/.ssh/id_*
- Platform-specific SSH config locations
ssh-strict-host-key-checking-disabled
Severity: High
SSH config disables host key verification (StrictHostKeyChecking=no). With this setting, ssh silently adds unknown host keys to known_hosts and still connects when a host's key has changed, so anyone who can redirect the connection (DNS or ARP spoofing, a compromised network path) can impersonate the server without triggering a warning: a man-in-the-middle attack that exposes your credentials and session contents.
Remediation:
Remove or change the setting in your SSH config (~/.ssh/config):
# Change from:
Host *
StrictHostKeyChecking no
# To:
Host *
StrictHostKeyChecking ask
Or remove the line entirely to use the default (ask). For automation that cannot answer a prompt, OpenSSH 7.6 and later accept StrictHostKeyChecking accept-new: unknown hosts are trusted on first use and recorded, but a changed key still aborts the connection.
ssh-known-hosts-disabled
Severity: High
SSH config disables the known_hosts file by pointing it to /dev/null (or nul on Windows). Nothing is ever recorded, so every host looks new on every connection and a key that changes between sessions is never noticed. This prevents SSH from verifying host keys, and it is usually paired with StrictHostKeyChecking=no in scripts to suppress all prompts.
Remediation:
Remove the UserKnownHostsFile directive or set it to the default:
# Remove this line:
UserKnownHostsFile /dev/null
# Or use default location:
UserKnownHostsFile ~/.ssh/known_hosts
ssh-forward-agent-enabled
Severity: Medium
SSH agent forwarding is enabled (ForwardAgent=yes). Anyone with root on a host you connect to can use the forwarded agent socket for as long as your session lasts; they cannot copy your private keys, but they can sign with them and so authenticate as you to any other server that trusts those keys. This is a real risk whenever you connect to hosts you do not fully control.
Remediation:
Disable agent forwarding globally and enable only for specific trusted hosts:
# Disable globally
Host *
ForwardAgent no
# Enable only for trusted hosts
Host trusted-jumpbox.example.com
ForwardAgent yes
Better alternatives to agent forwarding:
- Use ProxyJump (-J) for jump hosts
- Use ssh-add -c to require confirmation for each key usage
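The three config checks above can be reproduced with a small parser that walks ~/.ssh/config block by block and records which Host pattern each offending directive sits under. The following is an added example written for this page, not the probe's own code: the sample config is constructed, the finding IDs and severities are taken from the table above, and the matching rules (including treating Windows' nul like /dev/null) are this example's interpretation of each check.

```python
"""Audit an OpenSSH client config for the three directive findings.
Added example for this page; not the probe's own implementation."""
import re
from dataclasses import dataclass

# Sample ~/.ssh/config, constructed for this example.
SAMPLE_CONFIG = """\
# global defaults
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    ForwardAgent yes

Host trusted-jumpbox.example.com
    ForwardAgent yes
    IdentityFile ~/.ssh/id_ed25519

Host build-*.internal
    StrictHostKeyChecking accept-new
"""


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    host: str        # the Host/Match pattern the directive sits under
    line_no: int
    directive: str


# Finding IDs and severities as listed in the table; the predicate for each
# keyword is this example's own reading of the check.
RULES = {
    "stricthostkeychecking": (
        "ssh-strict-host-key-checking-disabled", "High",
        lambda v: v == "no"),
    "userknownhostsfile": (
        "ssh-known-hosts-disabled", "High",
        lambda v: v in ("/dev/null", "nul")),   # nul is the Windows equivalent
    "forwardagent": (
        "ssh-forward-agent-enabled", "Medium",
        lambda v: v == "yes"),
}

# ssh_config accepts "Keyword value", "Keyword=value" and "Keyword = value".
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_config(text: str):
    """Yield (host_pattern, line_no, keyword_lower, value) per directive."""
    host = "*"   # directives before any Host/Match line apply to every host
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):   # comments are whole lines
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            host = value          # start of a new block
            continue
        yield host, n, key, value


def audit_config(text: str) -> list[Finding]:
    """Return one Finding per directive that matches a rule, in file order."""
    findings = []
    for host, n, key, value in parse_config(text):
        rule = RULES.get(key)
        if rule and rule[2](value.strip('"').lower()):
            findings.append(Finding(rule[0], rule[1], host, n, f"{key} {value}"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.finding_id:40} line {f.line_no:3} "
              f"Host {f.host}: {f.directive}")
```

Run against the sample, the audit reports both the three directives under `Host *` and the host-scoped `ForwardAgent yes` for the jump box, while the `accept-new` block is not flagged; the `host` field is what lets a reviewer tell a global weakening apart from a deliberate per-host exception.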
ssh-key-insecure-permissions
Severity: High
SSH private key has overly permissive file permissions. SSH keys should only be readable by the owner (permissions 0600 or 0400). A key readable by group or others can be copied by any other local account or process running as one, and ssh itself refuses to use such a key ("Permissions ... are too open", "This private key will be ignored").
Remediation:
macOS/Linux:
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_ed25519
# Or for all private keys:
chmod 600 ~/.ssh/id_*
chmod 600 ~/.ssh/*.key
Windows: Windows uses ACLs instead of Unix permissions. Ensure the key file is only readable by your user account:
- Right-click the key file -> Properties
- Security tab -> Advanced
- Disable inheritance
- Remove all permissions except your user account
- Your user should have Read permission only
Note: This check is skipped on Windows, which uses ACLs instead of Unix permission bits.
ssh-private-key-* (unencrypted / encrypted)
Severity: Critical (unencrypted) / Low (encrypted)
The SSH probe uses the SSH Private Key Detector to identify private keys and determine whether they are encrypted with a passphrase. An unencrypted key is usable by anyone who obtains the file (backup, stolen laptop, leaked home directory), so it is reported as Critical; an encrypted key is still reported, at Low, so that you know where your keys live.
Remediation:
Add a passphrase to your SSH key:
# Add passphrase to existing key
ssh-keygen -p -f ~/.ssh/id_rsa
# When prompted, enter a strong passphrase
Consider using ssh-agent to avoid entering your passphrase repeatedly:
# Start ssh-agent
eval $(ssh-agent)
# Add key (will prompt for passphrase once)
ssh-add ~/.ssh/id_rsa
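The two key-file checks above, permissions and passphrase protection, come down to inspecting mode bits and the key's own header. The following is an added example for this page, not the probe's detector: it builds constructed key files inline (an openssh-key-v1 header with either a real cipher name or "none", and PEM texts with and without a Proc-Type: 4,ENCRYPTED header), so it runs offline. The finding IDs ssh-private-key-unencrypted and ssh-private-key-encrypted are placeholders chosen here for the page's ssh-private-key-* pattern; the real IDs are not given on the page.

```python
"""Audit SSH private key files for permission and encryption findings.
Added example for this page; not the probe's own detector."""
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix."""
    return struct.pack(">I", len(b)) + b


def make_openssh_blob(cipher: str, kdf: str) -> bytes:
    """Build only the header of an openssh-key-v1 file (ciphername, kdfname,
    kdfoptions, nkeys). Constructed test data, not a usable key."""
    body = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


# Constructed PEM-style key texts; only the headers matter for this check.
PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 b"AAAA\n-----END RSA PRIVATE KEY-----\n")
PEM_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def is_private_key(data: bytes) -> bool:
    return b"-----BEGIN " in data and b"PRIVATE KEY-----" in data


def is_encrypted(data: bytes) -> bool:
    """True if the key material is protected by a passphrase."""
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        text = data.split(b"-----BEGIN OPENSSH PRIVATE KEY-----", 1)[1]
        text = text.split(b"-----END OPENSSH PRIVATE KEY-----", 1)[0]
        blob = base64.b64decode(b"".join(text.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        pos = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        cipher = blob[pos + 4:pos + 4 + n]
        return cipher != b"none"      # "none" means no passphrase; else e.g. aes256-ctr
    if b"BEGIN ENCRYPTED PRIVATE KEY" in data:   # PKCS#8 encrypted container
        return True
    return b"Proc-Type: 4,ENCRYPTED" in data      # legacy PEM header


def audit_key(path: str) -> list[tuple[str, str]]:
    """Return (finding_id, severity) pairs for one key file."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    if not is_private_key(data):
        return findings
    if os.name != "nt":   # mode-bit check is skipped on Windows, which uses ACLs
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group/other bit set
            findings.append(("ssh-key-insecure-permissions", "High"))
    if is_encrypted(data):
        findings.append(("ssh-private-key-encrypted", "Low"))       # placeholder ID
    else:
        findings.append(("ssh-private-key-unencrypted", "Critical"))  # placeholder ID
    return findings


def demo() -> dict:
    """Write the constructed samples to a temp dir with varying modes and audit them."""
    samples = {
        "id_ed25519": (make_openssh_blob("aes256-ctr", "bcrypt"), 0o600),
        "id_ed25519_nopass": (make_openssh_blob("none", "none"), 0o644),
        "id_rsa": (PEM_ENCRYPTED, 0o600),
        "deploy.key": (PEM_PLAIN, 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (data, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
            results[name] = audit_key(path)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)
```

The openssh-key-v1 format stores the cipher name in clear in its header, which is why no passphrase is needed to decide whether a key is encrypted; real keys generated with ssh-keygen carry the same header followed by the key material this example omits.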
General best practices:
- Use Ed25519 keys - More secure and faster than RSA
  ssh-keygen -t ed25519 -C "your_email@example.com"
- Always use passphrases - Protects keys if your disk is compromised
- Use ssh-agent - Caches decrypted keys in memory with a timeout
  ssh-add -t 3600 ~/.ssh/id_ed25519 # 1 hour timeout
  Or use your OS's keychain integration, a TPM, or hardware tokens (YubiKey, etc.) for increased protection.
- Avoid agent forwarding - Use ProxyJump instead
  ssh -J jumphost.example.com finalhost.example.com
- Review known_hosts regularly - Remove entries for decommissioned servers