Future Hosting, a global managed hosting provider delivering dedicated servers and virtual private servers (VPS Hosting) to its global clientele, has warned server hosting clients not to upload private SSH keys to production servers.
If SSH private keys fall into the hands of malicious third parties, they can be used to compromise servers and the data stored on them, according to Future Hosting. Private keys can be accidentally uploaded to the publicly accessible directories of web servers, and it would be trivially easy for a malicious third party to scan for private keys in those directories.
Future Hosting advises server hosting clients to use passphrases with their SSH key pairs. Using passphrases may be inconvenient, but a key pair with a passphrase is useless to an attacker even if the private key is made public.
“SSH keys are more secure than password authentication, but they’re only secure if server hosting clients keep the private key safe,” said Maulesh Patel, VP of Operations of Future Hosting. “It’s unfortunately common for private keys to be uploaded to servers. We’d like to raise awareness of this issue to help server administrators and developers understand the risk and take steps to keep private keys out of the hands of criminals.”
SSH is a secure protocol used to access the servers that host websites and applications. A password can be used to log in to a server with SSH, but key-based authentication is more secure. A user generates a key pair, which includes a public and a private key. The public key is uploaded to the server. The private key should be stored “securely” on the user’s devices.
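For administrators who want to check their own servers for the problem described above, the following added example (not code from Future Hosting) walks a directory tree such as a web root, finds PEM-armored private keys, and reports whether each one is passphrase-protected. The function names and the 64 KiB read limit are assumptions of this example.

```python
import base64
import os
import re
import struct
import sys

# PEM armor used by OpenSSH, legacy OpenSSL (RSA/DSA/EC) and PKCS#8 private keys.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:OPENSSH |RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY)-----"
    rb"(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\x00"

def passphrase_state(label, body):
    """Classify one PEM block as 'encrypted', 'unencrypted' or 'unknown'."""
    if label == b"OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode(b"".join(body.split()))
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        except (ValueError, struct.error):
            return "unknown"
        if not blob.startswith(MAGIC):
            return "unknown"
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"  # "none" = no passphrase
    if label in (b"ENCRYPTED PRIVATE KEY", b"PRIVATE KEY"):  # PKCS#8: the label decides
        return "encrypted" if label.startswith(b"ENCRYPTED") else "unencrypted"
    # Legacy PEM (RSA/DSA/EC) marks encryption with a Proc-Type header.
    return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in body else "unencrypted"

def scan_tree(root, max_bytes=65536):
    """Walk root and return (path, key type, state) for each private key found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue                       # unreadable file: skip it
            for m in PEM_RE.finditer(data):
                kind, body = m.group(1), m.group(2)
                findings.append((path, kind.decode(), passphrase_state(kind, body)))
    return findings

if __name__ == "__main__":
    for path, kind, state in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{state:12} {kind:22} {path}")
```

An `encrypted` result still means the key file is exposed and belongs off the server; the `unencrypted` results are the urgent findings.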
Founded in 2001, Future Hosting is a privately held Internet solutions provider specializing in managed hosting, including dedicated servers, virtual private servers (VPS Hosting), and hybrid VPSs.