Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management   (+ MDM) Orchestration   (+ monitoring) Software management   (+ CVEs) Integrations

Docs
Stories
News Ask around Share your story COMPANY
The handbook What people are saying

Pricing Schedule a demo
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
News Ask around Schedule a demo Share your story COMPANY The handbook What people are saying
Pricing Try it yourself
Queries/
Get unencrypted SSH keys for local accounts

Get unencrypted SSH keys for local accounts

Contributor's GitHub profile picture

Ahmed Elshaer

Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)

To learn more about queries, check this guide.

Query PowerShellNEW BashNEW
SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;
$results = @()

# Get a list of user directories in C:\Users
$usersDirs = Get-ChildItem "C:\Users" -Directory -ErrorAction SilentlyContinue

foreach ($userDir in $usersDirs) {
    $username = $userDir.Name
    $sshFolder = Join-Path $userDir.FullName ".ssh"
    if (Test-Path $sshFolder) {
        # Attempt to retrieve local user information; if not found, leave empty
        $localUser = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
        $uid = if ($localUser) { $localUser.SID.Value } else { "" }
        $description = if ($localUser) { $localUser.Description } else { "" }

        # Get all files in the .ssh folder that are not public-key files
        $keyFiles = Get-ChildItem -Path $sshFolder -File | Where-Object { $_.Extension -ne ".pub" }
        foreach ($key in $keyFiles) {
            # Read the key file; if it contains "ENCRYPTED" assume it is encrypted
            $content = Get-Content $key.FullName -ErrorAction SilentlyContinue
            if ($content -match "ENCRYPTED") {
                $enc = 1
            }
            else {
                $enc = 0
            }
            if ($enc -eq 0) {
                $results += [pscustomobject]@{
                    uid         = $uid
                    username    = $username
                    description = $description
                    path        = $key.FullName
                    encrypted   = $enc
                }
            }
        }
    }
}

$results | Format-Table -AutoSize
echo "uid,username,description,path,encrypted"; for u in /Users/*; do [ -d "$u/.ssh" ] || continue; user=$(basename "$u"); uid=$(id -u "$user" 2>/dev/null); desc=$(dscl . -read /Users/"$user" RealName 2>/dev/null | sed '1d;s/^ *//'); for f in "$u"/.ssh/*; do [ -f "$f" ] || continue; grep -q "ENCRYPTED" "$f" 2>/dev/null || echo "$uid,$user,$desc,$f,0"; done; done
An icon indicating that this section has important information

PowerShell commands are currently work in progress, contributions welcome.

An icon indicating that this section has important information

Bash commands for macOS are currently work in progress, contributions welcome.

Platform

macOSApple

WindowsWindows

LinuxLinux

ChromeOSChromeOS

Suggest an editEdit Talk to an engineerTalk to us
Fleet logo
Multi platform Device management Orchestration Software management Integrations Pricing
Documentation Support Docs API Release notes Get your license
Company About News Jobs Logos/artwork Why open source?
ISO 27001 coming soon a small checkmarkSOC2 Type 2 Creative Commons Licence CC BY-SA 4.0
© 2025 Fleet Inc. Privacy
Slack logo GitHub logo LinkedIn logo X (Twitter) logo Youtube logo Mastadon logo
Tried Fleet yet?

Get started with Fleet

Start
continue
×