Skip to content

users.sshPublicKeys.patch

GCP

users.sshPublicKeys.patch

service: GCP - OS Login
techniques:

Event

Updates an existing SSH public key in a user’s GCP OS Login profile.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
  • SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.

Log Source

Cloud Audit Logs

Sample Event

This API does not produce audit logs. Per Google’s OS Login documentation, UpdateSshPublicKey is on the explicit list of methods that do not generate Cloud Audit Log entries. The non-loggability IS the security story: defenders cannot directly observe this API call.

Compensating controls:

  • Periodically poll getLoginProfile for each user and diff the SSH public-key fingerprints.
  • Monitor VM-side sshd authentication logs for unexpected key fingerprints.
  • Enforce an organization policy that disables OS Login key uploads outside approved workflows.

No sample JSON is available because Google does not log this operation.

MITRE ATT&CK Mapping

Tactics: Persistence Lateral Movement

Techniques:
  • T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
  • T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.