Recently I came across a tweet that highlighted a serious privacy issue with SSH servers and online services that publish user information in the public domain without explicitly asking users for permission.
Added an OpenSSH roaming vuln test to the whoami server $ ssh https://t.co/MSn1TEQGTs (code: https://t.co/HMIH00CxHg) pic.twitter.com/9tolWWvXZJ
— Filippo Valsorda (@FiloSottile) January 16, 2016
In this tweet Filippo describes running an SSH server that matches the public key offered by an incoming connection against the public keys of Github users, which for some reason Github keeps in the public domain (totally not cool!).
So I decided to give it a go, and below is what I found.
The server had already collected my public keys from Github, so it knew who I was, which kind of creeped me out. But the feeling was only momentary, because I knew what I had to do to protect myself.
The answer lies in the way the public key is shared. A public key identifies its owner much like a signature does. My mistake was that I was using my Github public/private key pair as my default SSH key. So now it was time to change this.
SSH allows you to configure keys per host, limiting the use of each key to only the hosts you specify. This key-to-host mapping is configured in the ~/.ssh/config file.
So the solution is to back up your existing SSH key and configure the SSH client to use it only for the right service:
Host github.com
    IdentityFile ~/.ssh/github/id_rsa
Then generate a new default public/private key pair:
ssh-keygen -t rsa -b 2048
Now when I connect to Filippo’s dodgy SSH server, it doesn’t know who I am 🙂
Note: another thing to be aware of: if you are using ssh-agent to manage your keys, it will offer every loaded public key to any SSH server you connect to. For identity protection it is better to avoid ssh-agent and instead configure host-specific keys in the SSH config file.
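To see which identities a client would actually reveal to a given host, here is an added example (not code from the post) that replays OpenSSH's key-selection rules over a constructed ~/.ssh/config and a constructed list of keys loaded in ssh-agent. It compares the post's mapping on its own with the same mapping plus OpenSSH's IdentitiesOnly directive, which stops agent-held keys from being offered to hosts they were not configured for; the host example.net and the agent contents are constructed, and negated '!' host patterns are not handled.

```python
import fnmatch
from typing import List, Optional

# Default identities OpenSSH tries when no IdentityFile is configured (subset).
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]

# Constructed sample configs: the post's mapping, with and without IdentitiesOnly.
CONFIG_MAPPING_ONLY = """
Host github.com
    IdentityFile ~/.ssh/github/id_rsa
"""
CONFIG_HARDENED = CONFIG_MAPPING_ONLY + "    IdentitiesOnly yes\n"
AGENT_KEYS = ["~/.ssh/github/id_rsa", "~/.ssh/work/id_ed25519"]  # constructed agent contents


def parse_ssh_config(text: str) -> List[dict]:
    """Split ssh_config text into blocks of Host patterns plus (key, value) options.
    Options before the first Host line apply to every host."""
    blocks = [{"patterns": ["*"], "options": []}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append({"patterns": value.split(), "options": []})
        else:
            blocks[-1]["options"].append((key, value))
    return blocks


def offered_identities(config: str, host: str, agent_keys: List[str]) -> List[str]:
    """Identities the client would offer to `host`, following OpenSSH's rules:
    IdentityFile accumulates across matching blocks, the first IdentitiesOnly wins,
    defaults apply only if no IdentityFile matched, and every ssh-agent key is
    offered unless IdentitiesOnly is yes."""
    files: List[str] = []
    identities_only: Optional[bool] = None
    for block in parse_ssh_config(config):
        if not any(fnmatch.fnmatchcase(host, p) for p in block["patterns"]):
            continue
        for key, value in block["options"]:
            if key == "identityfile":
                files.append(value)
            elif key == "identitiesonly" and identities_only is None:
                identities_only = value.lower() == "yes"
    if not files:
        files = list(DEFAULT_IDENTITIES)
    if not identities_only:
        files += [k for k in agent_keys if k not in files]
    return files
```

With the mapping alone, connecting to github.com still offers the work key held by the agent; with IdentitiesOnly yes only the Github key is offered, while an unconfigured host such as example.net receives the default identities plus everything in the agent.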