I should tail the logs and stay [unintelligible 00:09:36.09] but that would be the most creepy. [laughter] So yeah, whoami is this little demo that came out because my flatmate – who deserves a lot of the credit – had dumped all the public SSH keys of GitHub… You might not realize, but if you go to GitHub.com/yourusername/keys, it will show you your SSH keys. That’s super handy for a number of reasons, like “I want to give this person access to my bugs”, or something like that… But you can just scrape the whole — not even scrape, just use the GitHub API to get the list of all users, then load all the keys and now you have a pretty good idea of a huge chunk of the SSH keys, to whom they belong.

At the same time I was studying the SSH protocol and trying to figure out a bit of the internals and such, and I realized that the default behavior is just to send preemptively the public keys you’re willing to use, then the server responds, “Oh, yes, I like this one.” If the server responds that, then you make a signature with that key to log in.

But if the server refuses them all, it will still see them all… And I built this little tool with the golang.org/x/ssh package that would ask you to use your public keys, refuse them all, but block them, then ask you to do keyboard-interactive login, which is a weird thing that I could just make happen automatically – so it logs you in in any case… Then, if I found you in the database, I would tell you your name and surname and GitHub account, because I cross-reference that to the database. Once you explain it, it’s kind of trivial, but the surprise, the impact is pretty strong.
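The protocol detail behind this demo, shown as an added example that is not part of the talk or of the whoami tool: an SSH client offers each public key in an SSH_MSG_USERAUTH_REQUEST with the signature flag set to FALSE (RFC 4252 section 7), so the server can read the key blob and compute its fingerprint before it decides whether to accept the key, and whether or not it ever does. The code builds that message, parses it the way a server would, and derives the same SHA256 fingerprint format that `ssh-keygen -lf` prints. The 32-byte key material is constructed and is not a real Ed25519 key; the user name and helper names are assumptions.

```python
import base64
import hashlib
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252


def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length prefix plus bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def ed25519_public_blob(raw32: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key: string "ssh-ed25519", string key."""
    return _string(b"ssh-ed25519") + _string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 of the digest, '=' padding dropped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_publickey_query(user: str, algo: bytes, blob: bytes) -> bytes:
    """USERAUTH_REQUEST, method 'publickey', signature flag FALSE: the client
    asks 'would you accept this key?' before it signs anything."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + _string(user.encode())
            + _string(b"ssh-connection")
            + _string(b"publickey")
            + b"\x00"            # boolean FALSE: no signature attached
            + _string(algo)
            + _string(blob))


def parse_userauth_request(msg: bytes) -> dict:
    """What the server sees in the query, regardless of how it answers."""
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    user, off = _read_string(msg, off)
    service, off = _read_string(msg, off)
    method, off = _read_string(msg, off)
    if method != b"publickey":
        return {"user": user.decode(), "method": method.decode()}
    has_sig = msg[off] != 0
    off += 1
    algo, off = _read_string(msg, off)
    blob, off = _read_string(msg, off)
    return {
        "user": user.decode(),
        "method": "publickey",
        "signed": has_sig,
        "algorithm": algo.decode(),
        "fingerprint": fingerprint(blob),
    }


# Constructed sample: three keys a client might offer one after another.
# These byte patterns are made up and are not valid Ed25519 public keys.
SAMPLE_KEYS = [bytes([i]) * 32 for i in (1, 2, 3)]


def offered_fingerprints(user: str = "git") -> list:
    """Simulate the client offering every key and the server refusing each one;
    the server still learns every fingerprint, with no signature ever made."""
    seen = []
    for raw in SAMPLE_KEYS:
        blob = ed25519_public_blob(raw)
        msg = build_publickey_query(user, b"ssh-ed25519", blob)
        info = parse_userauth_request(msg)
        assert not info["signed"]  # refused before any proof of possession
        seen.append(info["fingerprint"])
    return seen


if __name__ == "__main__":
    for fp in offered_fingerprints():
        print("client offered", fp)
```

The client-side control that limits what an unknown server can learn is OpenSSH's `IdentitiesOnly yes` together with an explicit `IdentityFile` in `ssh_config` for each host, so only the key meant for that host is offered instead of every key the agent holds.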


