I should tail the logs and stay [unintelligible 00:09:36.09] but that would be the most creepy. [laughter] So yeah, whoami is this little demo that came out because my flatmate – who deserves a lot of the credit – had dumped all the public SSH keys of GitHub… You might not realize, but if you go to GitHub.com/yourusername/keys, it will show you your SSH keys. That’s super handy for a number of reasons, like “I want to give this person access to my bugs”, or something like that… But you can just scrape the whole — not even scrape, just use the GitHub API to get the list of all users, then load all the keys and now you have a pretty good idea of a huge chunk of the SSH keys, to whom they belong.

At the same time I was studying the SSH protocol and trying to figure out a bit of the internals and such, and I realized that the default behavior is just to send preemptively the public keys you’re willing to use, then the server responds, “Oh, yes, I like this one.” If the server responds that, then you make a signature with that key to log in.

But if the server refuses them all, it will still see them all… And I built this little tool with the golang.org/x/ssh package that would ask you to use your public keys, refuse them all, but block them, then ask you to do keyboard-interactive login, which is a weird thing that I could just make happen automatically – so log you in in any case… Then, if I found you in the database, I would tell you your name and surname and GitHub account, because I cross-reference that to the database. Once you explain it, it’s kind of trivial, but the surprise, the impact is pretty strong.
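The client-side control for the behaviour described above is OpenSSH's IdentitiesOnly option, which the speaker does not mention; this is an added ssh_config example, not code from the talk or the whoami tool, and the hostname and key paths are assumptions:

```ssh_config
# Default (nothing configured): ssh offers every identity it can find,
# including every key loaded in ssh-agent, to any server it connects to,
# so a server that rejects them all has still seen all of them.

# Hardened: offer only the key named here, and only to this host.
Host git.example.com
    IdentityFile ~/.ssh/id_ed25519_git    # assumed path, non-default name
    IdentitiesOnly yes

# Catch-all for every other host: ignore agent keys and only try the
# explicitly configured or default identity files. Note that the default
# file names (~/.ssh/id_ed25519, ~/.ssh/id_rsa, ...) are still tried, so
# keys you never want volunteered should live under non-default names.
Host *
    IdentitiesOnly yes
```

Run `ssh -v` against a host and check the "Offering public key:" lines in the debug output to confirm which keys actually leave your machine.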
