    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS.4GegDVgkD031qzTXfvsGsXPyFNYK653enI5UTL

This is a pretty unknown feature of GitHub that allows everyone to gain access to millions of public keys.

Update from a reader: As it turned out, GitLab does the same thing.

Update from a reader #2: Private on-premise GitLab CE instances suffer from the same problem. Despite the fact that they are private and you can't list all users on them, it's possible to brute-force some common usernames and get the keys for existing users. Not only do such instances serve public keys, but they also allow you to gain extra information about employees of a particular entity.

When an SSH client sends an auth request to a server, it enumerates all its public keys for which it has private keys. And the interesting detail here is that you don't need a private key to validate if a server allows access from a particular public/private key combination. That is, by having access to a public key, you can check if a server allows access for the specified public key and username pair.

At first glance, it does not look like a big problem. But what if someone wants to target you or your company? An attacker can grab a bunch of public keys from GitHub and run an internet-wide scan of SSH servers on all IPv4 addresses. Some attackers can scan all IPs in a few days, and I'm pretty sure government agencies have been using this for years now.

For most people, that is not a big deal, but for some companies with critical and industrial infrastructure, this can be a problem. If your infrastructure runs on default SSH ports and uses default SSH usernames, such a technique can reveal additional targets for targeted attacks. Additionally, an attacker can also find some of your consulting clients or customers of your software solutions.

It can also be useful in the opposite direction. Suppose you have an IP address of a bulletproof server, and you want to know who owns it. If a server does not use tools like fail2ban, you can scrape all available keys from GitHub and slowly enumerate them all against the server. If you are lucky enough, that will give you the identity of an owner.

I found a similar proof of concept that reads all SSH keys of an SSH client when it connects to a special server and checks them against a database of GitHub keys. Instead of a custom SSH server, you can also trick a person into cloning a repo on a private Git server.

SSH authentication works on top of the SSH transport protocol, which provides session encryption and integrity protection. The user authentication happens after a transport session is fully established. To send an auth request with a public key, a client must send a special message over the SSH transport protocol:

    String "root"             # user name in ISO-10646 UTF-8 encoding
    String "ssh-connection"   # service name in US-ASCII
    String "ssh-rsa"          # public key algorithm name
    String "AAAAB3.yFNYKffe"  # public key blob
    String "."                # signature of all strings and values from the above, signed by a private key

When a message is signed by a private key, the signature can be verified by a public key. This is how a server can finally check that a client owns a private key and give full SSH access. To reduce the amount of network interaction with a server, a lot of modern SSH clients sign the request by default when they can.

To validate my understanding and test the auth against my servers, I used paramiko, the most popular SSH client for Python. Unfortunately, it does not allow a user to test a public key without the private key, so I had to patch it. Here is my script that downloads a public key from GitHub or loads it from the file system and tests it against the specified server:
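The author's script itself is not on this page. What follows is an added example, not the author's code or paramiko's: the server side of the message laid out above, a decoder for the `publickey` form of SSH_MSG_USERAUTH_REQUEST as RFC 4252 section 7 defines it. The RFC layout also carries the method name `publickey` and a boolean that says whether a signature follows; that boolean is what separates the signature-less query the post describes from a signed request, and it is what a server or honeypot would want to log. The request bodies, the key blob and the signature bytes are constructed test vectors, not real keys.

```python
"""Decode SSH_MSG_USERAUTH_REQUEST ('publickey' method) as a server sees it.

Added example, not the article's script. Layout follows RFC 4252 section 7;
all request bodies, key blobs and signatures are constructed test vectors."""
import base64
import hashlib
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_publickey_request(user, service, algo, blob, signature=None):
    """Constructed test vector in the RFC 4252 section 7 layout.

    With signature=None the boolean is FALSE and no signature field follows:
    the query that asks whether the key would be accepted. Otherwise the
    boolean is TRUE and the signature is appended after the blob."""
    body = bytes([SSH_MSG_USERAUTH_REQUEST])
    body += ssh_string(user.encode("utf-8"))     # user name (UTF-8)
    body += ssh_string(service.encode("ascii"))  # service name, e.g. ssh-connection
    body += ssh_string(b"publickey")             # method name
    body += b"\x01" if signature is not None else b"\x00"
    body += ssh_string(algo.encode("ascii"))     # public key algorithm name
    body += ssh_string(blob)                     # public key blob
    if signature is not None:
        body += ssh_string(signature)
    return body


class _Reader:
    """Bounds-checked cursor over a packet body; every read may raise ValueError."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated packet")
        self.pos += 1
        return self.data[self.pos - 1]

    def string(self) -> bytes:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated string length")
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        if self.pos + n > len(self.data):
            raise ValueError("string length %d exceeds packet" % n)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def at_end(self) -> bool:
        return self.pos == len(self.data)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_userauth_request(body: bytes) -> dict:
    """Decode one request body; raise ValueError on anything malformed.

    For the publickey method the result records the algorithm, the key
    fingerprint and whether a signature was present."""
    r = _Reader(body)
    if r.byte() != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    info = {
        "user": r.string().decode("utf-8"),
        "service": r.string().decode("ascii"),
        "method": r.string().decode("ascii"),
    }
    if info["method"] == "publickey":
        has_sig = r.byte() != 0
        info["algorithm"] = r.string().decode("ascii")
        info["fingerprint"] = fingerprint(r.string())
        info["has_signature"] = has_sig
        if has_sig:
            info["signature"] = r.string()
    if not r.at_end():
        raise ValueError("trailing bytes after request")
    return info


def is_key_query(info: dict) -> bool:
    """True for a publickey request without a signature: a key probe, not a login."""
    return info.get("method") == "publickey" and not info["has_signature"]


# Constructed blob: a well-formed ssh-ed25519 encoding of 32 dummy bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

if __name__ == "__main__":
    probe = build_publickey_request("root", "ssh-connection", "ssh-ed25519", SAMPLE_BLOB)
    signed = build_publickey_request("root", "ssh-connection", "ssh-ed25519",
                                     SAMPLE_BLOB, signature=b"\x07" * 64)
    for body in (probe, signed):
        info = parse_userauth_request(body)
        print("query " if is_key_query(info) else "signed", info["user"], info["fingerprint"])
```

A server logging `is_key_query` results per source address sees the post's enumeration as a stream of queries for distinct fingerprints that never turn into a signed request. The reader is deliberately strict about truncated lengths and trailing bytes, since a packet parser that trusts a uint32 length field is the classic place for a memory-safety bug.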
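For the slow enumeration of scraped keys against a single server mentioned above (the case the post ties to the absence of fail2ban), here is one detection a defender can run over sshd logs. It is an added example, not anything from the article: it counts distinct rejected public keys per source address and flags sources that offered many keys and never authenticated. It assumes sshd records rejected key offers (OpenSSH does at LogLevel VERBOSE); the log lines, fingerprints and addresses below are constructed in OpenSSH's format.

```python
"""Flag sources that offer many distinct public keys that all get rejected.

Added example, not from the article. Assumes sshd logs rejected key offers
(OpenSSH: LogLevel VERBOSE). SAMPLE_LOG is constructed: made-up fingerprints,
RFC 5737 documentation addresses."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[4011]: Failed publickey for root from 198.51.100.7 port 50110 ssh2: RSA SHA256:cons7ructedKeyA
Mar  3 10:00:09 bastion sshd[4012]: Failed publickey for root from 198.51.100.7 port 50112 ssh2: RSA SHA256:cons7ructedKeyB
Mar  3 10:00:17 bastion sshd[4013]: Failed publickey for root from 198.51.100.7 port 50114 ssh2: ED25519 SHA256:cons7ructedKeyC
Mar  3 10:00:25 bastion sshd[4014]: Failed publickey for admin from 198.51.100.7 port 50116 ssh2: RSA SHA256:cons7ructedKeyA
Mar  3 10:00:31 bastion sshd[4015]: Failed publickey for root from 198.51.100.7 port 50118 ssh2: RSA SHA256:cons7ructedKeyD
Mar  3 10:01:02 bastion sshd[4020]: Failed publickey for alice from 203.0.113.20 port 40100 ssh2: RSA SHA256:cons7ructedKeyE
Mar  3 10:01:02 bastion sshd[4020]: Accepted publickey for alice from 203.0.113.20 port 40100 ssh2: ED25519 SHA256:cons7ructedKeyF
Mar  3 10:01:30 bastion sshd[4022]: Connection closed by 198.51.100.7 port 50118 [preauth]
"""

# Matches OpenSSH's "Failed/Accepted publickey for <user> from <ip> port <n> ssh2: <type> SHA256:<fp>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)


def parse_line(line: str):
    """Return the matched fields as a dict, or None for lines that are not key offers."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize_sources(lines):
    """Per source IP: rejected key fingerprints, user names tried, and whether any offer succeeded."""
    stats = defaultdict(lambda: {"rejected_keys": set(), "users": set(), "accepted": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["result"] == "Accepted":
            s["accepted"] = True
        else:
            s["rejected_keys"].add(ev["fp"])
    return stats


def detect_key_enumeration(lines, max_distinct_keys=3):
    """Return {ip: (distinct rejected keys, sorted users tried)} for sources that
    offered more than max_distinct_keys distinct keys and never authenticated.

    A normal client offers the handful of keys in its agent, so a long run of
    distinct rejected keys from one address is the scraping pattern the post
    describes. Repeats of the same key against several users are counted once
    as a key but show up in the user list."""
    hits = {}
    for ip, s in summarize_sources(lines).items():
        if not s["accepted"] and len(s["rejected_keys"]) > max_distinct_keys:
            hits[ip] = (len(s["rejected_keys"]), sorted(s["users"]))
    return hits


if __name__ == "__main__":
    for ip, (n, users) in detect_key_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct rejected keys against users {users}")
```

In production the same logic belongs behind a time window (distinct keys per address per hour) so that a user with a large agent who eventually logs in does not trip it; the `accepted` flag covers the simplest version of that case. The user list is the second signal from the post: one key tried against `root`, `admin` and other default names is username enumeration using a known key.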
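The first half of the post is about the same key appearing on a GitHub or GitLab profile and in a server's authorized_keys. A check a defender can run on the servers themselves, added here as an example (not the author's code): fingerprint every authorized key and compare against the keys a profile publishes. The published list stands in for the text GitHub serves at https://github.com/<username>.keys and is constructed inline, as are the keys themselves, so the script runs offline; the parser also handles the options prefix and skips malformed lines rather than aborting the audit.

```python
"""Audit authorized_keys for keys that are also published on a profile.

Added example, not from the article. PUBLISHED_KEYS stands in for the text at
https://github.com/<username>.keys; all keys here are constructed test data."""
import base64
import binascii
import hashlib
import shlex
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(seed: int, comment: str = "") -> str:
    """Constructed, syntactically valid 'ssh-ed25519 <blob> [comment]' line.

    The 32 key bytes are a hash of the seed: deterministic test data, not a real key."""
    key_bytes = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_key_line(line: str):
    """Parse one authorized_keys or .keys line into (type, blob, comment).

    Returns None for blank, comment and malformed lines. A leading options
    field such as from="10.0.0.0/8",no-pty is skipped; shlex copes with the
    quoted spaces it may contain."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            # The blob's first field repeats the key type (RFC 4253 section 6.6).
            if not blob.startswith(ssh_string(tok.encode("ascii"))):
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def find_published_keys(authorized_keys_text: str, published_keys_text: str):
    """Return [(label, fingerprint)] for authorized keys that are also published.

    label is the key's comment, or its type when the comment is empty."""
    published = set()
    for line in published_keys_text.splitlines():
        parsed = parse_key_line(line)
        if parsed:
            published.add(fingerprint(parsed[1]))
    hits = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        fp = fingerprint(blob)
        if fp in published:
            hits.append((comment or key_type, fp))
    return hits


# Constructed inputs: two published keys, both also authorized (one with a
# comment, one without); a deploy key with an options prefix that is not
# published; and a malformed line that must be skipped, not crash the audit.
PUBLISHED_KEYS = "\n".join([make_ed25519_line(1), make_ed25519_line(2)])
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    make_ed25519_line(1, "alice@laptop"),
    'from="10.0.0.0/8",no-pty ' + make_ed25519_line(3, "deploy"),
    "ssh-ed25519 not-base64!! broken",
    make_ed25519_line(2),
])

if __name__ == "__main__":
    for label, fp in find_published_keys(AUTHORIZED_KEYS, PUBLISHED_KEYS):
        print(f"published key is also authorized here: {label} {fp}")
```

Keys that show up in the result are the ones the post's scan would link to a named profile; the remedy is a separate key pair for infrastructure access, with the profile key kept for Git only. Comparing fingerprints rather than raw base64 also catches the same key stored with a different comment or options string.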