Check if a publickey is known by GitHub or Gitlab without iterating all users

1 point

3 years ago

During some audits, it's likely that you find some ssh public keys laying around on some servers.

If you want to verify if this key is known by other services, but you don't have access to those services, this task might be hard.

SSH-MITM has an additional command, which allows to check if a public ssh key is known by GitHub, GitLab, and other code hosters. It's not limited to GitHub and other major platforms and even works with each service, which is accessible over SSH.

First you must install SSH-MITM. It's recommended to use the AppImage, because this works out of the box on most Linux machines.

$ wget https://github.com/ssh-mitm/ssh-mitm/releases/latest/download/ssh-mitm-x86_64.AppImage $ chmod +x ssh-mitm-x86_64.AppImage

To check the publickey, you can use following command:

$ ./ssh-mitm-x86_64.AppImage audit check-publickey --host github.com --username git --public-key ~/.ssh/id_rsa.pub

If the key is known you will get "valid key" otherwise "bad key".

Note: since this uses SSH to verify, if the key is known, it's not possible to get the username. The reason is, GitHub and other code hosters uses "git" as the username.

This technique can be used not only on GitHub. It's also possible to check if a user has access to a public SSH server. If you have some usernames and publickeys, those can be used to check if a valid combination is known by the server, without having the private key or other valid credentials to login.