Yelp / detect-secrets

An enterprise friendly way of detecting and preventing secrets in code.
Apache License 2.0

Reduce false positives for private keys #70

Open domanchi opened 6 years ago

domanchi commented 6 years ago

We're less concerned about private keys, if they are encrypted with a passphrase. An example format is:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,99AD1487680054D5E49D263D3E4CBFEB

We probably can use this heuristic to reduce flagged data.

KevinHock commented 6 years ago

Let's make sure these are still true positives https://latacora.singles/2018/08/03/the-default-openssh.html

KevinHock commented 4 years ago

For non-broken, new-style SSH certificates (that cannot be broken, as explained in the Latacora post), we would probably have to shell out to or replicate ssh-keygen logic (😅), because it is not possible to tell otherwise whether a passphrase was used. [1]

Even once we do this though, there is no way to tell if [random dev on the internet] used a good passphrase, so I feel it would be dangerous for us to assume they did, and not report because they may be a false positive. To be succinct, I am okay with closing this issue @domanchi, and alerting off of well-protected SSH certifications.

[1]

It is not always as easy as described in the other answers. It works only with the old PEM keys. The new openssh format of the keys (generated with the -o option, more secure, since openssh-6.5) looks the same if you check the headers:
...

The easiest way in this case is to run some operation on them using ssh-keygen. If it asks for a passphrase, it has one (or it is not an ssh key); if not, it does not have a passphrase:

$ ssh-keygen -yf rsa_enc
Enter passphrase: 
$ ssh-keygen -yf rsa
ssh-rsa AAAAB3NzaC1y...
Maybe even better is the following example, since it doesn't ask for input: -P specifies the passphrase to use; an unprotected key opens with an empty passphrase.

$ ssh-keygen -y -P "" -f rsa_enc
Load key "path_to_key": incorrect passphrase supplied to decrypt private key
$ ssh-keygen -y -P "" -f rsa
ssh-rsa AAAAB3NzaC1y...

From the 2nd answer of: https://security.stackexchange.com/questions/129724/how-to-check-if-an-ssh-private-key-has-passphrase-or-not
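The two checks discussed in this thread, the `Proc-Type: 4,ENCRYPTED` header heuristic from the opening comment and the `ssh-keygen -y -P ""` shell-out from the quoted answer, as an added example (not detect-secrets code and not the project's own plugin API). It also goes one step beyond the quoted answer: a `BEGIN OPENSSH PRIVATE KEY` block is base64 of the `openssh-key-v1` binary layout, whose first fields are the cipher name, KDF name and KDF options, so a local parse can tell `none` from `aes256-ctr`/`bcrypt` without invoking `ssh-keygen`. The function names, the `KeyFinding` type and all sample key blocks are constructed here for illustration; the base64 bodies are dummies that contain only the fields the parser reads, not real keys.

```python
"""Classify private-key blocks found in text as passphrase-protected or not.

Added example, not detect-secrets code. Three tiers of evidence:
  1. Legacy PEM: 'Proc-Type: 4,ENCRYPTED' / 'DEK-Info:' headers (the heuristic
     from the issue). Per the Latacora post the KDF is weak, so still report.
  2. 'OPENSSH PRIVATE KEY': decode the openssh-key-v1 blob and read ciphername,
     kdfname and kdfoptions; ciphername 'none' means no passphrase.
  3. Fallback: shell out to `ssh-keygen -y -P ""` as the quoted answer suggests.
"""
import base64
import re
import shutil
import struct
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Matches "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN OPENSSH PRIVATE KEY-----",
# "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8) and the bare "PRIVATE KEY" form.
PEM_RE = re.compile(
    r"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----\s*(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


@dataclass
class KeyFinding:
    kind: str                  # label from the BEGIN line
    encrypted: Optional[bool]  # None = undecidable from the text alone
    detail: str


def _read_string(buf: bytes, off: int):
    """SSH wire 'string': 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_v1(body_b64: str) -> Optional[dict]:
    """Return cipher/kdf/rounds from an openssh-key-v1 blob, or None if malformed."""
    try:
        raw = base64.b64decode("".join(body_b64.split()), validate=True)
        if not raw.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt" and len(kdfopts) >= 8:
            _salt, o = _read_string(kdfopts, 0)   # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    except (ValueError, struct.error):  # binascii.Error is a ValueError
        return None


def classify_block(kind: str, body: str) -> KeyFinding:
    if kind == "OPENSSH PRIVATE KEY":
        info = parse_openssh_v1(body)
        if info is None:
            return KeyFinding(kind, None, "undecodable openssh-key-v1 blob")
        detail = f"cipher={info['cipher']} kdf={info['kdf']}"
        if info["rounds"] is not None:
            detail += f" rounds={info['rounds']}"
        return KeyFinding(kind, info["cipher"] != "none", detail)
    if kind.startswith("ENCRYPTED "):            # PKCS#8 encrypted container
        return KeyFinding(kind, True, "PKCS#8 encrypted private key")
    # Legacy PEM: the encryption headers sit at the top of the body, before the base64.
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M):
        m = re.search(r"^DEK-Info:\s*(\S+)", body, re.M)
        alg = m.group(1) if m else "unknown DEK-Info"
        return KeyFinding(kind, True, f"legacy PEM encryption ({alg}); weak KDF, still report")
    return KeyFinding(kind, False, "legacy PEM, no encryption headers")


def find_private_keys(text: str) -> List[KeyFinding]:
    return [classify_block(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]


def has_passphrase_via_ssh_keygen(path: str) -> Optional[bool]:
    """The quoted answer's check: derive the public key with an empty passphrase.
    Non-zero exit means a passphrase is needed (or the file is not an SSH key).
    Returns None when ssh-keygen is not installed."""
    if shutil.which("ssh-keygen") is None:
        return None
    proc = subprocess.run(["ssh-keygen", "-y", "-P", "", "-f", path],
                          stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return proc.returncode != 0


# ---- constructed sample input (dummy bodies, not real keys) ----
def build_openssh_v1_blob(cipher: bytes, kdf: bytes, kdfopts: bytes) -> str:
    """Only the leading fields the parser reads, followed by a nkeys=1 field."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    raw = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
    return base64.b64encode(raw).decode()


BCRYPT_OPTS = struct.pack(">I", 16) + bytes(16) + struct.pack(">I", 16)  # salt, rounds=16
PLAIN_BLOB = build_openssh_v1_blob(b"none", b"none", b"")
ENC_BLOB = build_openssh_v1_blob(b"aes256-ctr", b"bcrypt", BCRYPT_OPTS)
SAMPLE = f"""
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,99AD1487680054D5E49D263D3E4CBFEB

AAAA
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
{PLAIN_BLOB}
-----END OPENSSH PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
{ENC_BLOB}
-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in find_private_keys(SAMPLE):
        print(f"{f.kind:22} encrypted={f.encrypted!s:5} {f.detail}")
```

The `rounds` value is what makes the "well-protected" judgement from the thread concrete: an unencrypted blob reports `cipher=none`, a legacy PEM key reports its DEK-Info cipher but a known-weak KDF, and a new-format key reports `kdf=bcrypt` with its round count, which is the information a risk-tolerance flag like the one domanchi proposes would need. The `ssh-keygen` fallback is kept for files on disk where the text-only parse is inconclusive.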

domanchi commented 4 years ago

There's sound logic in your rationale. The best of both worlds would be to add a flag to configure behavior based on risk tolerance (shelling out to ssh-keygen seems pretty straightforward, and the flag would be similar to configuring the high entropy limit), but yes, I agree with you that the existence of a password is not sufficient to rule out a false positive.

KevinHock commented 4 years ago

Yeah I agree about the flag 🇹🇭

That would be good to add 👍