
whoami.filippo.io's Issues

Broken link in Readme

The link to the blog post about the data set of public keys in the README seems broken.

Service did not expect lack of keys

My client sent none of my identity keys.
It would be nice to see it praised on the issue banner ;)

    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use them to lookup your GitHub account,                |
    |  but got no match :(                                                |
    |                                                                     |
    |  -- Filippo (https://filippo.io)                                    |
    |                                                                     |
    |                                                                     |
    |  P.S. The source of this server is at                               |

Thanks!


    ### sane ssh client defaults at top of ~/.ssh/config
    ### (patterns on a Host line are separated by whitespace, not commas)
    Host !that.i.trust !*.at.work *
    SendEnv -*
    ForwardAgent no
    ForwardX11 no
    ClearAllForwardings yes
    IdentityFile ~/nonexistent
    IdentityAgent none
    PubkeyAuthentication no
    HostbasedAuthentication no
    GSSAPIAuthentication no

    ### allow passwords and 2FA/tokens with new/unknown hosts
    VisualHostKey yes
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
    PreferredAuthentications keyboard-interactive,password

    ### then configure trusted per host/domain, use ip where you can
    Host that.i.trust
    Include identity_personal

    Host *.at.work
    Include identity_work

Complete the README

Could you explain in the README how to install and run ssherver for Go newbies and show an example of config.yml?

Provide SSH host key fingerprint(s) in the README

Thousands of people answered "yes" to

The authenticity of host 'whoami.filippo.io (96.246.192.163)' can't be established.
RSA key fingerprint is SHA256:O6zDQjQws92wQSA41wXusKquKMuugPVM/oBZXNmfyvI.
Are you sure you want to continue connecting (yes/no)? no

when first connecting to your server.

Here's a chance to perform another valuable public service—on top of encouraging good public key hygiene—by subtly reminding people in whoami's README that they shouldn't ignore these warnings, but rather actually verify the fingerprints with the server administrator.

For example, GitHub puts their host key fingerprints on their website, and every upstanding company in the business of providing services over SSH hosting should do the same.

We wouldn't create permanent exceptions for broken SSL/TLS certificates on our banks' web sites, would we? Super! Browsers have scary warnings about certificate errors for the same reasons that SSH clients have scary warnings about host fingerprints. It's kind of a big deal.
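
An added example, not part of the original issue or the project's code: computing the SHA256 fingerprint that an OpenSSH client displays from a host key line, and accepting the key only if it matches a fingerprint the operator published. The host name and key bytes are constructed sample values.

```python
import base64
import hashlib
import struct

def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64):
    """The key blob starts with a length-prefixed algorithm name; read it back."""
    blob = base64.b64decode(key_b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def parse_host_key_line(line):
    """Parse 'host keytype base64 [comment]' (known_hosts or ssh-keyscan style)."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    host, key_type, key_b64 = fields[:3]
    if blob_key_type(key_b64) != key_type:
        raise ValueError("declared key type does not match the key blob")
    return host, key_type, key_b64

def verify_host_key(line, published):
    """True only if the presented key hashes to a published fingerprint."""
    _, _, key_b64 = parse_host_key_line(line)
    return sha256_fingerprint(key_b64) in {p.strip() for p in published}

def constructed_ed25519_line(host, seed):
    """Build a sample host key line from fixed bytes (not a real server key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

# Constructed inputs: the key the operator runs, and a different key
# presented under the same host name.
GENUINE = constructed_ed25519_line("host.example", 1)
IMPOSTOR = constructed_ed25519_line("host.example", 2)
# Stands in for the fingerprint list an operator would put in a README.
PUBLISHED = [sha256_fingerprint(GENUINE.split()[2])]

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, verify_host_key(line, PUBLISHED))
```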

Avoiding SSH key enumeration

For those interested in how to avoid the enumeration of SSH keys: set globally in your .ssh/config the PreferredAuthentications option to keyboard-interactive,password. That seems to prevent SSH from defaulting to sending your keys over.

Now you'll need a Host stanza for every host that you do want to connect to with a key that includes an IdentityFile setting or pass that in as an option when using SSH to connect to said machine.
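
An added example (not from the issue or the project): a small resolver for the `Host` block rules this advice relies on, reporting whether a given host would be offered public keys or a forwarded agent. It evaluates only `Host` blocks and three options; `Include` and `Match` are not evaluated, and the sample config is constructed.

```python
import fnmatch

# Single-valued client options that decide what a server gets to see.
AUDITED = {"pubkeyauthentication", "preferredauthentications", "forwardagent"}

def host_block_applies(patterns, host):
    """Host line: whitespace-separated patterns; a matching '!' pattern vetoes.

    A comma-joined list on a Host line is therefore one single pattern.
    fnmatch also accepts [..] classes, which ssh_config patterns do not.
    """
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_options(config_text, host):
    """Resolve the audited options for host; the first value obtained wins."""
    active, result = True, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_block_applies(args, host)
        elif key == "match":
            active = False  # Match criteria are not evaluated here
        elif active and key in AUDITED and key not in result:
            result[key] = " ".join(args).lower()
    return result

def exposure(config_text, host):
    """List what connecting to host would reveal or delegate."""
    opts = effective_options(config_text, host)
    findings = []
    methods = opts.get("preferredauthentications", "")
    pubkey_on = opts.get("pubkeyauthentication", "yes") != "no"
    if pubkey_on and (not methods or "publickey" in methods.split(",")):
        findings.append("offers public keys")
    if opts.get("forwardagent", "no") != "no":
        findings.append("forwards agent")
    return findings

# Constructed sample: restrictive default block first, trusted hosts after.
SAMPLE = ("Host !*.at.work *\n  PubkeyAuthentication no\n"
          "  PreferredAuthentications keyboard-interactive,password\n"
          "  ForwardAgent no\n\nHost *.at.work\n  ForwardAgent yes\n")

if __name__ == "__main__":
    for h in ("whoami.filippo.io", "git.at.work"):
        print(h, exposure(SAMPLE, h))
```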

SSH on whoami.filippo.io refusing connection

The hosted version of this tool is refusing connections on the endpoint documented on the readme:

$ ssh whoami.filippo.io
ssh: connect to host whoami.filippo.io port 22: Connection refused

Not sure this is the place to report this as an "issue", but maybe it triggers something or somebody can confirm this no longer works.

Add a warning for any user that has ssh-agent forwarding on by default

You say that "ssh is designed to log into untrusted servers.", but I bet a lot of githubbers have ssh-agent forwarding on by default, which is not good for logging into untrusted servers.

It could be fun to have a message like "also, you have ssh-agent forwarding enabled. did you know that means I can use your private keys while you're connected?".

Is service down?

Service no longer provides usernames. It looks like there is already a normal SSH server on the other side.

Does not recognize my key.

I do not know why, I have 2 keys on github and the one I am currently using (on both github and ssh) is DSA. Maybe the script does not support multiple keys or DSA.

not enough arguments in call to s.githubClient.Users.Get

ssh://whoami.filippo.io is down, so I'm trying to build this myself, but I got the following compile error:

 ~ > go get github.com/FiloSottile/whosthere/src/ssherver                                                                                                      
# github.com/FiloSottile/whosthere/src/ssherver                                 
go/src/github.com/FiloSottile/whosthere/src/ssherver/db.go:30: not enough arguments in call to s.githubClient.Users.Get
        have (string)                   
        want (context.Context, string)  
 ✘ ~ > 

I apologize if this is just go noobery but it seems like a normal compile error so I decided that's unlikely.

Call out SSH Agent Forwarding and X11 Forwarding in README

server.go returns some warnings to users who have SSH Agent Forwarding and/or X11 Forwarding settings enabled (possibly universally).

It would be nice to add those to the "How do I stop it?" section of the README for posterity and completeness.

I can send a PR if you agree.

local username too?

As most ssh clients default to sending the local username as the login, could you also grab and display that?

I'm thinking a useful ssh client function would be not to send local username unless remote host was already in known_hosts

cheers, Jamie

Also return email addresses from OpenPGP keys

Some users might also have OpenPGP keys with email addresses attached to their github account.

curl https://github.com/<username>.gpg | gpg2 --list-packets | grep 'user ID packet'

Doesn't work with my ed25519 key

I tried it but it doesn't work with my ed25519 key. Here's the output:

$ ssh whoami.filippo.io  

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whosthere                           |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+


Connection to whoami.filippo.io closed.

as you can see, my key is not echoed below as claimed in the text.

I checked the ssh -v output and I'm definitely offering the key:

$ ssh -i ~/.ssh/id_ed25519 -v whoami.filippo.io  
OpenSSH_6.9p1, OpenSSL 1.0.1m 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to whoami.filippo.io [178.32.139.168] port 22.
debug1: Connection established.
debug1: identity file /home/philandstuff/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/philandstuff/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
debug1: Authenticating to whoami.filippo.io:22 as 'philandstuff'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:O6zDQjQws92wQSA41wXusKquKMuugPVM/oBZXNmfyvI
debug1: Host 'whoami.filippo.io' is known and matches the RSA host key.
debug1: Found key in /home/philandstuff/.ssh/known_hosts:5
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/philandstuff/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to whoami.filippo.io ([178.32.139.168]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whosthere                           |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+


debug1: channel 0: free: client-session, nchannels 1
Connection to whoami.filippo.io closed.
Transferred: sent 2832, received 3136 bytes, in 0.1 seconds
Bytes per second: sent 43503.6, received 48173.5
debug1: Exit status -1
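
An added example, not part of the original report: extracting from `ssh -v` output which public keys the client offered and which method finally succeeded. The first sample is excerpted from the log above; the second line's format (later OpenSSH releases) and its values are assumptions constructed for illustration.

```python
import re

# "Offering ED25519 public key: <path>" is the form in the log quoted above.
OLD_OFFER = re.compile(r"^debug1: Offering (\S+) public key: (.+)$")
# Assumed form for later OpenSSH releases:
# "Offering public key: <identity> <TYPE> SHA256:<fingerprint> [source]"
NEW_OFFER = re.compile(r"^debug1: Offering public key: (.+?) (\S+) SHA256:\S+")
SUCCESS = re.compile(r"Authentication succeeded \(([^)]+)\)")

def offered_keys(log_text):
    """Every public key the client presented, in order, as (type, identity)."""
    keys = []
    for line in log_text.splitlines():
        line = line.strip()
        new, old = NEW_OFFER.match(line), OLD_OFFER.match(line)
        if new:
            keys.append((new.group(2), new.group(1)))
        elif old:
            keys.append((old.group(1), old.group(2).strip()))
    return keys

def disclosure_summary(log_text):
    """Summarise what the server saw and how the login completed."""
    keys = offered_keys(log_text)
    done = SUCCESS.search(log_text)
    method = done.group(1) if done else None
    return {
        "offered": keys,
        "succeeded_with": method,
        # Keys were shown to the server but the login did not depend on them.
        "disclosed_without_use": bool(keys) and method != "publickey",
    }

# Excerpt of the ssh -v output quoted in the report above.
PAGE_LOG = """\
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/philandstuff/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
"""

# Constructed line in the assumed newer format; path and fingerprint are made up.
NEWER_LOG = ("debug1: Offering public key: /home/user/.ssh/id_rsa "
             "RSA SHA256:CONSTRUCTED agent\n")

if __name__ == "__main__":
    print(disclosure_summary(PAGE_LOG))
    print(disclosure_summary(NEWER_LOG))
```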

SSH does not send all public keys

2 public keys.

1 sent.

[@dev:~] $ ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[@dev:~] $ cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
[@dev:~] $ ls -ld .ssh/id_rsa*pub
-rw-r--r--. 1 jblaine jblaine 393 Jun 19 10:34 .ssh/id_rsa.pub
-rw-r--r--. 1 jblaine jblaine 393 Aug  6 12:12 .ssh/id_rsa_another.pub
[@dev:~] $ ssh whoami.filippo.io

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whosthere                           |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQwpvEpjvC+wCs41YLSxxr4Fre9Gtk4aWhoVkGWN10CQSTV3RVfDzmDsusTul0XrcetmlCQBEwfImxly1cFp/pcjTT0lAlmwuY6a8vxqCZ1D83IT8suYQIONu7dzV5PrVK1e0h02v0hGxrgGgpG1eXmD3LgCUkQHNzyQip60DmkjW6nC6lspCeJ/nghh7ioHScJfjIyMBIXI5NqumuLfnUQ7sN7fJXpsgzE5IusMikdnsOdN6qhSSjuXRAYAOyBtAv62qBQ0vYlIWFKL4iWwJG4fqXZNjBh8YpIXnLwPFD0oKmGRzRxBVPIw39qgMXJDYkjTCDmk0iclc787OIbS4N

Connection to whoami.filippo.io closed.
[@dev:~] 1 $ ls .ssh/config
ls: cannot access .ssh/config: No such file or directory
[@dev:~] 2 $

Didn't work for me

The authenticity of host 'whoami.filippo.io (108.30.214.28)' can't be established.
ED25519 key fingerprint is SHA256:qGAqPqtlvFBCt4LfMME3IgJqZWlcrlBMxNmGjhLVYzY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'whoami.filippo.io,108.30.214.28' (ED25519) to the list of known hosts.

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use that to find your GitHub username, but we          |
    |  couldn't :( maybe you don't even have GitHub ssh keys, do you?     |
    |                                                                     |
    |  By the way, did you know that GitHub publishes all users'          |
    |  ssh public keys and Ben (benjojo.co.uk) grabbed them all?          |
    |                                                                     |
    |  That's pretty handy at times :) But not this time :(               |
    |                                                                     |
    |                                                                     |
    |  P.S. This whole thingy is Open Source! (And written in Go!)        |
    |  https://github.com/FiloSottile/whoami.filippo.io                   |
    |                                                                     |
    |  -- @FiloSottile (https://twitter.com/FiloSottile)                  |
    |                                                                     |
    +---------------------------------------------------------------------+


Connection to whoami.filippo.io closed.

Turn results into report card form

It might help people to get the information you detect in a sort of report card form, the way https://ssllabs.com does. Makes it easy to digest and may help people improve on their configurations. It could look something like this:

[Image: reportcard]

Server is no longer online

I tried to do ssh whoami.filippo.io, but failed with ssh: Could not resolve hostname whoami.filippo.io: Name or service not known
