KeiruaProd

I help my clients acquire new users and make more money with their web businesses. I have ten years of experience with SaaS projects. If that’s something you need help with, we should get in touch!
< Back to article list

Better SSH public key usage

The context

I recently came across a surprising SSH behavior:

$ ssh whoami.filippo.io

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello @Keirua!
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to?                                       |
    |                                                                     |
    |  We matched them to the keys of your GitHub account,                |
    |  @Keirua, which are available via the GraphQL API
    |  and at https://github.com/Keirua.keys
    |                                                                     |
    |  -- Filippo (https://filippo.io)                                    |
    |                                                                     |
    |                                                                     |
    |  P.S. The source of this server is at                               |
    |  https://github.com/FiloSottile/whoami.filippo.io                   |
    |                                                                     |
    +---------------------------------------------------------------------+

It can be discussed why I SSH’ed into an unknown server. Filippo is a serious security researcher. He is a cryptographer at Google, working on the Go implementation of various primitive. He explaind the work behind whoami.filippo.io in an article. That was worth the try.

The problem

The problem (target server gets all my keys, and they can match them to github’s keys) stem from the fact that by default, SSH sends all your keys in hope that one work. In theory, there is no problem with sharing public keys (they are meant for that). In practice, well you can get banned for too many authentication attempts.

Is that really a problem ? Well, I’m supposed to only SSH into machines I work with or I trust, so not completely

But the real problem is isolation. This is not about implementing security by obscurity : we want isolation ; our keys should have one purpose, so that if one of them is compromised, it cannot be used to access another service. Clearly, this is not the case here.

Key reuse is a frequent source of trouble.

A solution

A solution is disable this behavior. You want to stop remote servers from being able to inspect all the keys you own.

So first, you need to ensure the SSH keys are used only for one service. Generate new keys if needed.

Then, you can put this at the bottom of ~/.ssh/config:

# By default, we don’t want to send all our SSH keys to everybody
# (This is about isolation of keys − each key should have one purpose)
# We use only one key that match a pattern (user@domain, in the keys directory)
# (also, disable password authentication)
Host *
  IdentitiesOnly yes
  # uses ~/.ssh/keys/git@github.com for github for example
  IdentityFile ~/.ssh/keys/%r@%h

And then explicitely indicate what key to use for each server.

  Host github.com
      IdentityFile ~/.ssh/github.com.pem

And now you get:

$ ssh whoami.filippo.io

    +---------------------------------------------------------------------+
    |                                                                     |
    |             _o/ Hello!                                              |
    |                                                                     |
    |                                                                     |
    |  Did you know that ssh sends all your public keys to any server     |
    |  it tries to authenticate to? You can see yours echoed below.       |
    |                                                                     |
    |  We tried to use them to lookup your GitHub account,                |
    |  but got no match :(                                                |
    |                                                                     |
    |  -- Filippo (https://filippo.io)                                    |
    |                                                                     |
    |                                                                     |
    |  P.S. The source of this server is at                               |
    |  https://github.com/FiloSottile/whoami.filippo.io                   |
    |                                                                     |
    +---------------------------------------------------------------------+

Did it really work ? You can see with ssh -v whoami.filippo.io the list of the keys used:

debug1: identity file /home/my_user/.ssh/keys/my_user@whoami.filippo.io

We did not send everything, only our (non existing) key. Nice !