How Hackers Exploit Redis Misconfigurations to Gain SSH Password‑less Access

Basic Idea

Hackers generate an SSH public/private key pair on their own machine, then use an unauthenticated Redis instance on the target to store the public key and alter Redis configuration so that the key is written to the target’s ~/.ssh/authorized_keys file, enabling password‑less SSH login.

Specific Implementation

SSH password‑less login principle

For password‑less SSH, the client (A) creates a key pair, sends the public key to the server (B), and B places the public key in ~/.ssh/authorized_keys. Once the key is in place, A can log in to B without a password.

Using Redis to Transfer the Public Key

Connect to the target’s Redis server, which often has no password or a weak one.

Store the public key content as a value in Redis using SET.

Change Redis’s working directory to ~/.ssh with CONFIG SET dir ~/.ssh.

Rename the Redis database file to authorized_keys using CONFIG SET dbfilename authorized_keys.

After these steps, Redis writes the stored public key to ~/.ssh/authorized_keys, completing the attack.

Preventive Measures

To avoid this exploitation, ensure Redis security by:

Setting a strong password.

Binding Redis to specific IP addresses.

Renaming or disabling dangerous commands.

Implementing any of these safeguards can prevent the described intrusion.