Monitoring HPC Systems against Compromised SSH

Secure Shell is a very well established cryptographic network protocol for accessing operating network services and is the typical way to access high-performance computing (HPC) systems in preference to various unsecured remote shell protocols, such as rlogin, telnet, and ftp. SSH can be managed through configuration files and with passwordless SSH key-pairs easily automated in scripts. Despite the justified popularity and engineering excellence of SSH, in May 2020 multiple HPC centres across Europe found themselves subject to cyber-attacks via compromised SSH credentials. Based at experiences at the University of Melbourne HPC, it is possible at a system level using ssh-keygen to script a search to detect all keys with an empty password even when they are named differently with additional complexity required when parsing non-standard directories and configuration files. This is far more elegant than conducting a grep for MII and similar techniques which is commonly suggested. A further alternative is a test making direct use of libssh headers. This however, will require a version of libssh which incorporates the new SSH format, which is atypical for HPC systems which tend to have a degree of stability in the operating system level, even if they make use of diverse versions and compilers on the application level. Of course, invoking a different version of libssh (e.g., through an environment modules approach) provides an alternative solution which can be incorporated into a small C program (key_audit.c), which elegantly tests validation of an empty passphrase against a given keyfile.