whoami.filippo.io's Introduction

whoami.filippo.io

An ssh server that knows who you are.

Try it (it's harmless)

ssh whoami.filippo.io

ED25519 key fingerprint is SHA256:qGAqPqtlvFBCt4LfMME3IgJqZWlcrlBMxNmGjhLVYzY.
RSA key fingerprint is SHA256:O6zDQjQws92wQSA41wXusKquKMuugPVM/oBZXNmfyvI.

How it works

When ssh tries to authenticate via public key, it sends the server all your public keys, one by one, until the server accepts one. One can take advantage of this to enumerate all the client's installed public keys.

On the other hand, GitHub allows everyone to download users' public keys (which is very handy at times). Ben Cox took advantage of that and built a dataset of all GitHub public keys.

This is a pretty vanilla golang.org/x/crypto/ssh Go server that will advertise (publickey,keyboard-interactive) authentication. It won't accept any public key, but it will take a note of them. Once the client is done with public keys, it will try keyboard-interactive, which the server will accept without sending any challenge, so that no user interaction is required.

Then it just lets you open a shell+PTY, uses the public keys and Ben's database to find your username, asks the GitHub API for your real name, prints all that and closes the terminal.

All the interesting bits are in server.go.
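
Why an offered public key identifies you, as an added example (not taken from server.go or any other project code): a key's fingerprint depends only on the key blob, so the same key matches wherever it is published, whatever its comment says. The sketch below checks a set of keys you would offer against a published key list; SampleKey, Fingerprint, Linked and the account name octo-example are made up for this illustration, and the keys are constructed filler bytes.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// sshString encodes b as an SSH wire string: 4-byte big-endian length + bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// SampleKey builds a constructed ssh-ed25519 key line from 32 filler bytes (test data only).
func SampleKey(fill byte, comment string) string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(bytes.Repeat([]byte{fill}, 32))...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// Fingerprint hashes the blob of a "<type> <base64> [comment]" line as OpenSSH prints it.
func Fingerprint(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", fmt.Errorf("want <type> <base64> [comment], got %q", line)
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", err
	}
	if !bytes.HasPrefix(blob, sshString([]byte(f[0]))) {
		return "", fmt.Errorf("blob does not start with key type %q", f[0])
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// Linked maps each offered key's fingerprint to the account that publishes the same key.
func Linked(offered []string, published map[string][]string) map[string]string {
	owner := map[string]string{} // fingerprint -> account
	for account, keys := range published {
		for _, k := range keys {
			if fp, err := Fingerprint(k); err == nil {
				owner[fp] = account
			}
		}
	}
	hits := map[string]string{}
	for _, k := range offered {
		if fp, err := Fingerprint(k); err == nil && owner[fp] != "" {
			hits[fp] = owner[fp]
		}
	}
	return hits
}

func main() {
	published := map[string][]string{"octo-example": {SampleKey(2, "")}}
	fmt.Println(Linked([]string{SampleKey(1, "me@work"), SampleKey(2, "me@home")}, published))
}
```

Only the second key comes back as linked, even though its comment differs from the published copy.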

How do I stop it?

If this behavior is problematic for you, you can tell ssh not to present your public keys to the server by default.

Add these lines at the end of your ~/.ssh/config (after other "Host" directives):

Host *
    PubkeyAuthentication no
    IdentitiesOnly yes

And then specify what keys should be used for each host:

Host example.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_rsa
    # IdentitiesOnly no # Enable ssh-agent (PKCS11 etc.) keys

If you want, you can use different keys so that they can't be linked together:

Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/github_id_rsa
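
Why the catch-all block has to come last, as an added example (not part of the original README or the project's code): ssh uses the first value it obtains for each option, so a Host * block placed first shadows every later per-host override. The evaluator below is a simplified model of that rule; Effective, hostMatches, perHost and catchAll are names made up for this sketch.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// The two blocks from the README above, embedded as sample input.
const perHost = `
Host example.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_rsa
`
const catchAll = `
Host *
    PubkeyAuthentication no
    IdentitiesOnly yes
`

// hostMatches applies one Host line: patterns are whitespace-separated, any
// positive pattern may match, and a matching "!pattern" vetoes the block.
// path.Match stands in for ssh's '*' and '?' wildcards (fine for hostnames).
func hostMatches(patterns []string, host string) bool {
	matched := false
	for _, p := range patterns {
		neg := strings.HasPrefix(p, "!")
		hit, _ := path.Match(strings.TrimPrefix(p, "!"), host)
		if hit && neg {
			return false
		}
		matched = matched || hit
	}
	return matched
}

// Effective returns the value ssh would use for each keyword for host: the
// first value obtained wins. Simplified: no Match blocks, no "key=value"
// form, and IdentityFile (which really accumulates) keeps its first entry.
func Effective(config, host string) map[string]string {
	opts := map[string]string{}
	active := true // lines before the first Host apply to every host
	for _, line := range strings.Split(config, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		key := strings.ToLower(f[0])
		if key == "host" {
			active = hostMatches(f[1:], host)
		} else if _, seen := opts[key]; active && !seen {
			opts[key] = f[1]
		}
	}
	return opts
}

func main() {
	for _, h := range []string{"example.com", "unknown.example.net"} {
		good := Effective(perHost+catchAll, h)["pubkeyauthentication"]
		bad := Effective(catchAll+perHost, h)["pubkeyauthentication"]
		fmt.Printf("%-20s README order: %-3s  catch-all first: %s\n", h, good, bad)
	}
}
```

To check a real configuration, ssh -G <host> prints the options ssh resolves for that host.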

whoami.filippo.io's People

Contributors

filosottile, nickvolynkin, odimodugno, olasitarska


whoami.filippo.io's Issues

Didn't work for me

The authenticity of host 'whoami.filippo.io (108.30.214.28)' can't be established.
ED25519 key fingerprint is SHA256:qGAqPqtlvFBCt4LfMME3IgJqZWlcrlBMxNmGjhLVYzY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'whoami.filippo.io,108.30.214.28' (ED25519) to the list of known hosts.

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whoami.filippo.io                   |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+


Connection to whoami.filippo.io closed.

Is service down?

Service no longer provides usernames. It looks like there is already a normal SSH server on the other side.

Server is no longer online

I tried to do ssh whoami.filippo.io, but failed with ssh: Could not resolve hostname whoami.filippo.io: Name or service not known

Call out SSH Agent Forwarding and X11 Forwarding in README

server.go returns some warnings to users who have SSH Agent Forwarding and/or X11 Forwarding settings enabled (possibly universally).

It would be nice to add those to the "How do I stop it?" section of the README for posterity and completeness.

I can send a PR if you agree.

SSH on whoami.filippo.io refusing connection

The hosted version of this tool is refusing connections on the endpoint documented on the readme:

$ ssh whoami.filippo.io
ssh: connect to host whoami.filippo.io port 22: Connection refused

Not sure this is the place to report this as an "issue", but maybe it triggers something or somebody can confirm this no longer works.

Avoiding SSH key enumeration

So, for those interested in how to avoid the enumeration of SSH keys: set globally in your .ssh/config the PreferredAuthentications option to keyboard-interactive,password. That seems to prevent SSH from defaulting to sending your keys over.

Now you'll need a Host stanza for every host that you do want to connect to with a key that includes an IdentityFile setting or pass that in as an option when using SSH to connect to said machine.

SSH does not send all public keys

2 public keys.

1 sent.

[@dev:~] $ ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[@dev:~] $ cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
[@dev:~] $ ls -ld .ssh/id_rsa*pub
-rw-r--r--. 1 jblaine jblaine 393 Jun 19 10:34 .ssh/id_rsa.pub
-rw-r--r--. 1 jblaine jblaine 393 Aug  6 12:12 .ssh/id_rsa_another.pub
[@dev:~] $ ssh whoami.filippo.io

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whosthere                           |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQwpvEpjvC+wCs41YLSxxr4Fre9Gtk4aWhoVkGWN10CQSTV3RVfDzmDsusTul0XrcetmlCQBEwfImxly1cFp/pcjTT0lAlmwuY6a8vxqCZ1D83IT8suYQIONu7dzV5PrVK1e0h02v0hGxrgGgpG1eXmD3LgCUkQHNzyQip60DmkjW6nC6lspCeJ/nghh7ioHScJfjIyMBIXI5NqumuLfnUQ7sN7fJXpsgzE5IusMikdnsOdN6qhSSjuXRAYAOyBtAv62qBQ0vYlIWFKL4iWwJG4fqXZNjBh8YpIXnLwPFD0oKmGRzRxBVPIw39qgMXJDYkjTCDmk0iclc787OIbS4N

Connection to whoami.filippo.io closed.
[@dev:~] 1 $ ls .ssh/config
ls: cannot access .ssh/config: No such file or directory
[@dev:~] 2 $

not enough arguments in call to s.githubClient.Users.Get

ssh://whoami.filippo.io is down, so I'm trying to build this myself, but I got the following compile error:

 ~ > go get github.com/FiloSottile/whosthere/src/ssherver                                                                                                      
# github.com/FiloSottile/whosthere/src/ssherver                                 
go/src/github.com/FiloSottile/whosthere/src/ssherver/db.go:30: not enough arguments in call to s.githubClient.Users.Get
        have (string)                   
        want (context.Context, string)  
 ✘ ~ > 

I apologize if this is just go noobery but it seems like a normal compile error so I decided that's unlikely.

Add a warning for any user that has ssh-agent forwarding on by default

You say that "ssh is designed to log into untrusted servers.", but I bet a lot of githubbers have ssh-agent forwarding on by default, which is not good for logging into untrusted servers.

It could be fun to have a message like "also, you have ssh-agent forwarding enabled. did you know that means I can use your private keys while you're connected?".

Does not recognize my key.

I do not know why; I have 2 keys on GitHub and the one I am currently using (on both GitHub and ssh) is DSA. Maybe the script does not support multiple keys or DSA.

Complete the README

Could you explain in the README how to install and run ssherver for a Go newbie and show an example of config.yml?

Doesn't work with my ed25519 key

I tried it but it doesn't work with my ed25519 key. Here's the output:

$ ssh whoami.filippo.io  

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whosthere                           |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+


Connection to whoami.filippo.io closed.

as you can see, my key is not echoed below as claimed in the text.

I checked the ssh -v output and I'm definitely offering the key:

$ ssh -i ~/.ssh/id_ed25519 -v whoami.filippo.io  
OpenSSH_6.9p1, OpenSSL 1.0.1m 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to whoami.filippo.io [178.32.139.168] port 22.
debug1: Connection established.
debug1: identity file /home/philandstuff/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/philandstuff/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
debug1: Authenticating to whoami.filippo.io:22 as 'philandstuff'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:O6zDQjQws92wQSA41wXusKquKMuugPVM/oBZXNmfyvI
debug1: Host 'whoami.filippo.io' is known and matches the RSA host key.
debug1: Found key in /home/philandstuff/.ssh/known_hosts:5
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/philandstuff/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to whoami.filippo.io ([178.32.139.168]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whosthere                           |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+


debug1: channel 0: free: client-session, nchannels 1
Connection to whoami.filippo.io closed.
Transferred: sent 2832, received 3136 bytes, in 0.1 seconds
Bytes per second: sent 43503.6, received 48173.5
debug1: Exit status -1

local username too?

As most ssh clients default to sending the local username as the login, could you also grab and display that?

I'm thinking a useful ssh client function would be not to send local username unless remote host was already in known_hosts

cheers, Jamie

Also return email addresses from OpenPGP keys

Some users might also have OpenPGP keys with email addresses attached to their GitHub account.

curl https://github.com/<username>.gpg | gpg2 --list-packets | grep 'user ID packet'

Service did not expect lack of keys

My client sent none of my identity keys.
It would be nice to see it praised on the issue banner ;)

    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use them to lookup your GitHub account,                |
    |  but got no match :(                                                |
    |                                                                     |
    |  -- Filippo (https://filippo.io)                                    |
    |                                                                     |
    |                                                                     |
    |  P.S. The source of this server is at                               |

Thanks!


### sane ssh client defaults at top of ~/.ssh/config
Host !that.i.trust !*.at.work *
SendEnv -*
ForwardAgent no
ForwardX11 no
ClearAllForwardings yes
IdentityFile ~/nonexistent
IdentityAgent none
PubkeyAuthentication no
HostbasedAuthentication no
GSSAPIAuthentication no

### allow passwords and 2FA/tokens with new/unknown hosts
VisualHostKey yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
PreferredAuthentications keyboard-interactive,password

### then configure trusted per host/domain, use ip where you can
Host that.i.trust
Include identity_personal

Host *.at.work
Include identity_work

Broken link in Readme

The link to the blog post about data set of public keys in the README seems broken.

Turn results into report card form

It might help people to get the information you detect in a sort of report card form, the way https://ssllabs.com does. Makes it easy to digest and may help people improve on their configurations. It could look something like this:

[image: reportcard]

Provide SSH host key fingerprint(s) in the README

Thousands of people answered "yes" to

The authenticity of host 'whoami.filippo.io (96.246.192.163)' can't be established.
RSA key fingerprint is SHA256:O6zDQjQws92wQSA41wXusKquKMuugPVM/oBZXNmfyvI.
Are you sure you want to continue connecting (yes/no)? no

when first connecting to your server.

Here's a chance to perform another valuable public service—on top of encouraging good public key hygiene—by subtly reminding people in whoami's README that they shouldn't ignore these warnings, but rather actually verify the fingerprints with the server administrator.

For example, GitHub puts their host key fingerprints on their website, and every upstanding company in the business of providing services over SSH hosting should do the same.

We wouldn't create permanent exceptions for broken SSL/TLS certificates on our banks' web sites, would we? Super! Browsers have scary warnings about certificate errors for the same reasons that SSH clients have scary warnings about host fingerprints. It's kind of a big deal.
