What sort of SSH keys our users use or have listed in their authorized keys files

May 29, 2020

Yesterday I wrote about the surprising persistence of RSA keys in SSH in general terms. Today I'm going to make that concrete, by looking at what sorts of SSH keys our users have in their authorized_keys files and have used for authenticating to our systems in 2020. Unsurprisingly, these turn out to be not quite the same.

Based on some fairly brute force grep'ing of authorized_keys files, we have 729 people with authorized keys files that have (theoretically) live keys, and the key types break down like this:

  1790 ssh-rsa
   380 ssh-dss
    52 ecdsa-sha2-nistp256
    23 ssh-ed25519
     2 ecdsa-sha2-nistp256-cert-v01@openssh.com
     1 ssh-rsa-cert-v01@openssh.com
     1 ecdsa-sha2-nistp521
     1 ecdsa-sha2-nistp384

My first surprise is that we have so many DSA keys listed, since they're no longer supported (and those 380 ssh-dss keys are across 203 different people). People clearly don't clean out their authorized keys files very often. 670 people have RSA keys, 13 have Ed25519 keys, and 15 have some form of ECDSA keys (which implies that a few people list a bunch of ECDSA keys).

However, that's just what people have sitting around in their authorized keys files, not what actually gets used. What actually gets used is a somewhat different picture. Here are the numbers for how many different keys of each type have been used over the course of 2020 so far:

   387 RSA
    27 ECDSA
    15 ED25519

RSA still dominates, but not as much as before. In terms of the number of people using various sorts of keys, 240 people have used RSA keys, 10 people have used Ed25519 keys, and 8 people have used ECDSA keys. Clearly RSA keys remain quite important to our users; most of our public key SSH authentication happens with them.

(At the same time, OpenSSH's good logging means that we could actually find all of these people if we needed to and tell them that their keys needed to change. Hopefully this isn't going to be necessary, at least not in volume.)
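As an added illustration of the two tallies above (key types listed in authorized_keys files, and distinct keys and people per type from sshd's "Accepted publickey" log lines), here is a small script of my own, not anything from the original post. The authorized_keys content and log lines are constructed samples with truncated, made-up key material and fingerprints; the log regex assumes OpenSSH's standard "Accepted publickey for USER from IP port N ssh2: TYPE SHA256:..." format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authorized_keys content; key material is truncated, not real.
SAMPLE_AUTHORIZED_KEYS = """\
# an old key, kept around but no longer accepted by modern sshd
ssh-dss AAAAB3NzaC1kc3MAAACBAO alice@old-desktop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 alice@laptop

command="/usr/local/bin/rsync wrapper",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB backup
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD alice@work
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABB alice@phone
"""

# Constructed sshd log lines in OpenSSH's "Accepted publickey" format (fake fingerprints).
SAMPLE_AUTH_LOG = [
    "May 29 10:01:02 h sshd[123]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2: RSA SHA256:aaaa",
    "May 29 10:05:00 h sshd[124]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2: RSA SHA256:aaaa",
    "May 29 11:00:00 h sshd[130]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:bbbb",
    "May 29 12:00:00 h sshd[140]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2: RSA SHA256:cccc",
    "May 29 12:30:00 h sshd[150]: Accepted password for carol from 203.0.113.5 port 2222 ssh2",
]

# Key type token followed by the base64 key blob; searching (not matching) skips
# any leading options field such as command="..." or from="...".
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa-sha2|sk)-[\w.@-]+)\s+[A-Za-z0-9+/=]+")
LOG_RE = re.compile(r"Accepted publickey for (\S+) from \S+ port \d+ ssh2: ([A-Z0-9-]+) (SHA256:\S+)")

def authorized_key_types(text):
    """Count key types listed in authorized_keys content (comments and blanks ignored)."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def used_key_types(log_lines):
    """Return (distinct keys per type, distinct users per type) from sshd log lines."""
    keys, users = defaultdict(set), defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            user, ktype, fingerprint = m.groups()
            keys[ktype].add(fingerprint)   # same fingerprint twice is still one key
            users[ktype].add(user)
    return {k: len(v) for k, v in keys.items()}, {k: len(v) for k, v in users.items()}
```

Run over real files and logs, the first function reproduces the authorized_keys breakdown and the second the "keys used" and "people using" counts (note that sshd logs the type as RSA/ECDSA/ED25519, not the ssh-rsa style names used in authorized_keys).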

Another nice thing to see is that a significant number of people don't just use one key for everything. Both in their authorized keys files and in actual usage, we clearly have a certain number of people who routinely use several keys even for keys of the same type.

(I haven't attempted to use our logs to see how many people use two or three different types of keys.)

Written on 29 May 2020.