SSH key checker
A small SSH server written in Go that checks any public keys presented to it for:
- known weak keys vulnerable to the Debian PRNG bug
- potentially weak key lengths, e.g. 1024-bit RSA keys
- DSA (ssh-dss) keys, which OpenSSH no longer supports by default
The results are output back to the user over the SSH session.
Example output
$ ssh keycheck.mattbostock.com
This server checks your SSH public keys for known or potential
security weaknesses.
For more information, please see:
https://github.com/mattbostock/sshkeycheck
The public keys presented by your SSH client are:
Bits Type Fingerprint Issues
4096 ssh-rsa ed:9a:d2:5d:7b:c0:e5:cf:b9:bc:5c:6b:ce:3a:db:20 No known issues
1024 ssh-dss 4a:0d:9b:b7:92:ba:0a:93:2a:2f:27:d7:58:73:74:91 DSA KEY
384 ecdsa-sha2-nistp384 d8:99:74:7a:0b:d0:e0:be:d0:b1:93:ee:ee:0f:b5:a4 No known issues
WARNING: You are using DSA (ssh-dss) key(s), which are no longer supported by
default in OpenSSH 7.0 and above.
Consider replacing them with a new RSA or ECDSA key.
Connection to keycheck.mattbostock.com closed.
Inspiration
This toy project is heavily inspired by Filippo Valsorda's whosthere server, which infers your name from the SSH public keys associated with your GitHub account.
I wanted to provide an easy way for anyone to check if the SSH key they are using is reasonably secure, in so far as we can define 'secure' from the key length and from lists of known weak keys.
Kudos to Ben Cox for raising awareness of weak SSH keys on GitHub.
Disclaimer
I'm not a cryptographer, nor am I an expert in SSH. Use at your own risk and discretion.
If you spot any problems, please raise an issue. Pull requests are also welcome.
