by j1elo
1265 days ago
Just for those curious about it:

  $ ssh whoami.filippo.io
+---------------------------------------------------------------------+
| |
| _o/ Hello! |
| |
| |
| Did you know that ssh sends all your public keys to any server |
| it tries to authenticate to? You can see yours echoed below. |
| |
| We tried to use them to lookup your GitHub account, |
| but got no match :( |
| |
| -- Filippo (https://filippo.io) |
| |
| |
| P.S. The source of this server is at |
| https://github.com/FiloSottile/whoami.filippo.io |
| |
+---------------------------------------------------------------------+
Of course, this happens because the day I learned about the default behavior of SSH (to send all your keys in the hope that one works), I went ahead and disabled it to stop remote servers from being able to inspect all my keys. I feel this can be abused in a similar way that sites abuse browser information to fingerprint users. So I put this at the bottom of ~/.ssh/config:

  Host *
    IdentitiesOnly yes

And then I explicitly indicate what key to use for each server, either with the "-i" argument, or by adding entries above the previous lines:

  Host example.com
    IdentityFile ~/.ssh/example.com.pem

Another commenter mentioned that something similar can be achieved with "PubkeyAuthentication no", but I've been using "IdentitiesOnly yes" for years without issue.
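Added example (not from the comment above or from OpenSSH itself): a small Python model of how ssh_config resolves IdentitiesOnly and IdentityFile for a given host, fed the comment's own config as constructed input. It assumes a simplified subset of the real rules (per option the first obtained value wins, IdentityFile entries accumulate, whether a key file exists on disk is ignored), which is enough to show why the "Host *" block belongs at the bottom and which keys a server would get to see.

```python
import fnmatch

# Constructed ssh_config mirroring the comment: per-host entry above a
# catch-all "Host *" block that turns on IdentitiesOnly.
SAMPLE_CONFIG = """
Host example.com
    IdentityFile ~/.ssh/example.com.pem

Host *
    IdentitiesOnly yes
"""

# Subset of the files ssh tries when no IdentityFile is configured (constructed).
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]


def parse_config(text):
    """Return (host_patterns, option, value) triples in file order."""
    entries, patterns = [], ["*"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            patterns = value.split()
        else:
            entries.append((patterns, key, value))
    return entries


def resolve(text, host):
    """ssh_config rule: first obtained value wins, except IdentityFile accumulates."""
    opts, identity_files = {}, []
    for patterns, key, value in parse_config(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        if key == "identityfile":
            identity_files.append(value)
        else:
            opts.setdefault(key, value)
    return opts, identity_files


def keys_offered(text, host, agent_keys):
    """Identities ssh would offer to `host`, given the keys loaded in ssh-agent."""
    opts, files = resolve(text, host)
    if not files:
        files = list(DEFAULT_IDENTITIES)
    if opts.get("identitiesonly", "no").lower() == "yes":
        return files  # only the configured files; agent-only keys stay private
    return files + [k for k in agent_keys if k not in files]
```

Running keys_offered for a host that is not listed shows the difference: with the "Host *" block the server sees only the default files, without it every agent key is offered.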
Is it just as OP states in article, where you have to interact with the authentication process to provide a key (assuming no key is associated to host as you explain)?