$ Linux One Liners
Back to commands

Cybersecurity Triage

Read-only, can be slow

Find Loose Private Key Permissions

You need to find private-key-looking files with modes broader than 600.

Command

find home -type f -name 'id_*' -printf '%m %p\n' | awk '$1 > 600'

Before you run this

System impact: Read-only. Can create load on large logs, directories, filesystems, or process tables.

When not to use it: Do not assume every id_* file is a real private key; inspect carefully before changing or deleting.

Expected output

Mode and path for private-key-looking files with loose permissions.

System impact

Read-only, can be slow. Nothing changes. The command prints key-looking files whose numeric mode is greater than 600.

Scope this to the smallest useful path or service on busy systems.

Recovery / rollback: no state is changed.

When to use it

Use during server access audits or after provisioning SSH credentials.

When not to use it

Do not assume every id_* file is a real private key; inspect carefully before changing or deleting.

Explanation-only example

Illustrated output, not a live lab run

This example is intentionally illustrative. It shows the command shape without killing real processes or changing your machine.

demo@lab:~$

$ find home -type f -path '*/ssh-keys/*' -printf '%m %p\n' | sort

600 home/alex/ssh-keys/authorized_keys
600 home/deploy/ssh-keys/authorized_keys
644 home/deploy/ssh-keys/id_rsa

$ find home -type f -name 'id_*' -printf '%m %p\n' | awk '$1 > 600'

644 home/deploy/ssh-keys/id_rsa
View commands shown

These are the commands shown in the sanitized transcript.

Commands shown

  1. find home -type f -path '*/.ssh/*' -printf '%m %p\n' | sort
  2. find home -type f -name 'id_*' -printf '%m %p\n' | awk '$1 > 600'

next steps

Related commands

Cybersecurity Triage Sensitive output

Find Loose authorized_keys Modes

SSH key access files should not be looser than intended.

find home -path '*/.ssh/authorized_keys' -printf '%m %p\n' | awk '$1 > 600'
Cybersecurity Triage Sensitive output

Find SSH Keys for nologin Users

A nologin shell does not automatically mean SSH keys are irrelevant.

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Cybersecurity Triage Sensitive output

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Cybersecurity Triage Can be slow

Find Config Files with Execute Bits

Config files do not usually need to be executable.

find fixtures/perm-audit -type f -perm /111 \( -path '*/config/*' -o -name '*.env' -o -name '*.conf' \) -printf '%M %u:%g %p\n' | sort
Cybersecurity Triage Sensitive output

Inventory SSH authorized_keys

authorized_keys files are the practical list of who can use key-based SSH.

find home -path '*/.ssh/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} +
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • lfcs:storage
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:system-management
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.