Protect SSH Private Keys
Lock SSH private keys to ssh, git, and signed system processes while keeping public keys and config files readable, so infostealers cannot harvest the keys.
Idea
SSH private keys are among the most valuable credentials on a developer's machine. They provide passwordless access to production servers, Git repositories, cloud infrastructure, and internal systems. For an attacker, stealing an SSH private key is like finding a master key to your entire castle.
It's no wonder that infostealers like Atomic Stealer (AMOS), Banshee Stealer, and Cthulhu Stealer specifically target ~/.ssh/ directories: they know the value of what's inside. With Workshop and Santa's file access rules, you can lock down SSH keys so that only the processes that legitimately need them can access them.
In Santa's FAA rules, the rule matching the most specific path is applied. To keep public keys and configs readable, we add a second, more specific rule that relies on FAA's longest prefix matching and grants read access only to the files that should be accessible.
Solutions
Rule 1 (block access to the whole ~/.ssh/ directory)
- Path Prefixes: one entry
- Options: Allow Read Access, Audit Only, Rule Type
- Processes: eight Signing ID entries
- Custom Message

Rule 2 (allow read access to public keys and configuration files)
- Path Prefixes: four entries
- Options: Allow Read Access, Audit Only, Rule Type
- Processes: eight Signing ID entries
- Custom Message
Deployment Notes
This uses two rules with longest prefix matching. The first rule blocks all access to ~/.ssh/ except for SSH and Git processes. The second rule allows broader read access to public keys and configuration files using more specific paths.
Santa applies the most specific matching rule, so the .pub files rule takes precedence over the general .ssh/ rule for those files.
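To make the longest-prefix behaviour concrete, here is an added example (not the Workshop rule set and not Santa's own code) that models how the two rules above resolve for a given file, process signing ID, and access type. The dictionary layout is assumed to mirror the keys of Santa's FileAccessPolicy (`Paths`, `Options`, `Processes`); the home directory, file names, and signing IDs are constructed placeholders, not the values the Workshop rule ships with.

```python
# Added example: a model of Santa FAA longest-prefix selection for the two SSH rules.
# Rule keys follow the FileAccessPolicy layout (assumed); all values are placeholders.
HOME = "/Users/dev"  # constructed home directory

# Placeholder signing IDs standing in for the ssh client and git (assumed, not real IDs).
ALLOWED_PROCESSES = [
    {"SigningID": "platform:example.ssh"},
    {"SigningID": "EXAMPLETEAM:example.git"},
]

RULES = {
    # Rule 1: everything under ~/.ssh/ is off-limits unless the process is allowlisted.
    "ProtectSSHPrivateKeys": {
        "Paths": [{"Path": f"{HOME}/.ssh/", "IsPrefix": True}],
        "Options": {"AllowReadAccess": False, "AuditOnly": False,
                    "RuleType": "PathsWithAllowedProcesses"},
        "Processes": ALLOWED_PROCESSES,
    },
    # Rule 2: more specific prefixes for files that any process may read.
    "AllowSSHPublicFiles": {
        "Paths": [{"Path": f"{HOME}/.ssh/config", "IsPrefix": True},
                  {"Path": f"{HOME}/.ssh/known_hosts", "IsPrefix": True},
                  {"Path": f"{HOME}/.ssh/id_ed25519.pub", "IsPrefix": True},
                  {"Path": f"{HOME}/.ssh/id_rsa.pub", "IsPrefix": True}],
        "Options": {"AllowReadAccess": True, "AuditOnly": False,
                    "RuleType": "PathsWithAllowedProcesses"},
        "Processes": ALLOWED_PROCESSES,
    },
}


def select_rule(path):
    """Return (rule_name, rule) whose matching path prefix is longest, or (None, None)."""
    best_name, best_rule, best_len = None, None, -1
    for name, rule in RULES.items():
        for entry in rule["Paths"]:
            pattern = entry["Path"]
            hit = path.startswith(pattern) if entry.get("IsPrefix") else path == pattern
            if hit and len(pattern) > best_len:
                best_name, best_rule, best_len = name, rule, len(pattern)
    return best_name, best_rule


def decide(path, signing_id, access):
    """Model the FAA verdict: 'allow', 'deny', or 'audit' (logged but not blocked)."""
    _, rule = select_rule(path)
    if rule is None:
        return "allow"  # no watch item covers this path
    ids = {p["SigningID"] for p in rule["Processes"]}
    if rule["Options"]["RuleType"] == "PathsWithAllowedProcesses":
        process_ok = signing_id in ids
    else:  # PathsWithDeniedProcesses: listed processes are the ones blocked
        process_ok = signing_id not in ids
    if process_ok:
        return "allow"
    if access == "read" and rule["Options"]["AllowReadAccess"]:
        return "allow"
    return "audit" if rule["Options"]["AuditOnly"] else "deny"


if __name__ == "__main__":
    # Constructed accesses: a private key, its public half, and the config file,
    # each touched by ssh and by an unrelated, non-allowlisted process.
    cases = [
        (f"{HOME}/.ssh/id_ed25519", "platform:example.ssh", "read"),
        (f"{HOME}/.ssh/id_ed25519", "UNKNOWN:example.other", "read"),
        (f"{HOME}/.ssh/id_ed25519.pub", "UNKNOWN:example.other", "read"),
        (f"{HOME}/.ssh/id_ed25519.pub", "UNKNOWN:example.other", "write"),
        (f"{HOME}/.ssh/config", "UNKNOWN:example.other", "read"),
    ]
    for path, sid, access in cases:
        name, _ = select_rule(path)
        print(f"{access:5} {path:40} {sid:24} rule={name} -> {decide(path, sid, access)}")
```

Note that `~/.ssh/id_ed25519.pub` as a prefix does not match `~/.ssh/id_ed25519`, so the private key stays under Rule 1, while a non-allowlisted process still cannot write to a `.pub` file because Rule 2 only opens read access.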
False Positive Guidance
SSH and Git are the primary users of SSH keys. If you use other development tools that need SSH keys (like CI/CD tools, deployment scripts), add their signing IDs to the allowlist.