
I’ve Got 1.2 Million Keys But A Private Ain’t One

September 6, 2016 By Spencer

GitHub has grown in popularity over the past few years as one of the de facto standard locations to share and collaborate on open source projects. Accounts on GitHub are encouraged to use key-based authentication, and to that end, users upload a public key to allow them to authenticate to their accounts while making changes to code. This summer I crawled, collected, and analyzed 1,191,694 of these public keys from 1,190,842 GitHub accounts. The following are the statistics and observations I made.

The vast majority of the keys in use are ssh-rsa 2048 bit keys. This isn’t surprising as this is the default configuration for the ssh-keygen utility so often used to create these keys.

Key Type Analysis

The keys themselves are overwhelmingly ssh-rsa keys with 98% being ssh-rsa keys of various bit lengths between 1,000 and 35,000. The second most common key type identified was ssh-dss.

Once all of the keys were cataloged, I checked them for keys known to have been generated by Debian systems affected by CVE-2008-0166 between 2006 and 2008. Additionally, I checked the keys against the rapid7/ssh-badkeys collection of key pairs known to have shipped with software and hardware. Neither of these searches yielded any known public and private key combination. A table of all of the key types is available at the bottom of this post in the Key Types Table section.

User Relations

From an OSINT perspective, the data collection can be used to map relationships between multiple accounts belonging to a single individual. Users with multiple accounts that share a single SSH key for access and authentication can be easily identified by finding public keys that belong to multiple users. Users with access to the private counterpart of the shared public key would have access to these accounts. Among all of the keys recorded, 398 unique public keys were identified as being shared between multiple accounts. These are likely accounts that have either been renamed, or personal & work combination accounts.
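An added example, not the author's crawler: one way to run the three checks described above (key type and bit-length tally, blocklist match, keys shared between accounts) over public keys an organisation has collected from its own accounts. The account names and sample keys are constructed, and `known_bad` is assumed to be a set of SHA256 fingerprints prepared from whatever blocklist is in use.

```python
import base64, hashlib
from collections import Counter, defaultdict

def _fields(blob):
    """Split an SSH wire-format blob into uint32-length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        if len(blob) - i < 4 + n:  # also catches a short length prefix
            raise ValueError("truncated field")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def inspect_key(line):
    """Return (type, bits or None, SHA256 fingerprint) for one public key line."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    f = _fields(blob)
    idx = {"ssh-rsa": 2, "ssh-dss": 1}.get(declared)  # RSA modulus n / DSA prime p
    if not f or f[0] != declared.encode() or (idx is not None and idx >= len(f)):
        raise ValueError("label does not match key blob")
    bits = int.from_bytes(f[idx], "big").bit_length() if idx else None
    digest = hashlib.sha256(blob).digest()
    return declared, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(records, known_bad=frozenset()):
    """records: (account, key line) pairs -> (histogram, shared, flagged)."""
    hist, owners = Counter(), defaultdict(set)
    for account, line in records:
        ktype, bits, fp = inspect_key(line)
        if fp not in owners:
            hist[(ktype, bits)] += 1  # count each distinct key once
        owners[fp].add(account)
    shared = {fp: sorted(a) for fp, a in owners.items() if len(a) > 1}
    flagged = {fp: sorted(owners[fp]) for fp in owners.keys() & known_bad}
    return hist, shared, flagged

def _mpint(x):  # SSH mpint: big-endian, leading zero byte when the top bit is set
    b = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return len(b).to_bytes(4, "big") + b

def sample_rsa_line(n):  # constructed sample: n is not a real RSA modulus
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"

KEY_A = sample_rsa_line((1 << 2047) | 1)  # 2048-bit modulus
KEY_B = sample_rsa_line((1 << 1022) | 1)  # 1023-bit modulus
SAMPLE = [("alice", KEY_A), ("alice-work", KEY_A), ("bob", KEY_B)]
```

The bit length is measured from the modulus itself, so a key is reported as 1023 or 2047 bits when its top bit is clear; key types without a variable size (Ed25519, ECDSA) report `None`.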

User Key Count

[Figure: Number of keys associated with GitHub accounts.]

Of all the users that were checked, only 51% had one or more SSH keys associated with their account. Accounts without keys are likely accounts that are inactive from a development perspective, likely created simply for opening tickets or checking the metrics provided by GitHub for projects. Git and GitHub can use a username and password combination to push to an HTTPS repository, but most users opt for the convenience of authenticating with a key to avoid having to enter their credentials every time they push to a repo or clone a private repo.

Of the 1.2M users, 26.57% had exactly one key associated with their account, 12.98% had 2 keys, and 5.82% had 3 keys. One key does seem typical for the average user doing their development from a single system. Multiple keys could be indicative of the user developing on multiple systems. Furthermore, certain services such as the Cloud9 IDE platform require associating a key with the user's GitHub account; presumably this is an additional key to an existing one.

Key Types Table

Type Bits Occurrences
ssh-dss 1023 107
ssh-dss 1024 16524
ssh-dss 1088 1
ssh-dss 1280 1
ssh-dss 1536 4
ssh-dss 1792 1
ssh-dss 1977 1
ssh-dss 2024 1
ssh-dss 2047 42
ssh-dss 2048 781
ssh-dss 2049 2
ssh-dss 2112 1
ssh-dss 3072 6
ssh-dss 4095 7
ssh-dss 4096 82
ssh-dss 5120 1
ssh-dss 8192 7
ssh-rsa 1000 2
ssh-rsa 1014 1
ssh-rsa 1023 2290
ssh-rsa 1024 15272
ssh-rsa 1025 1
ssh-rsa 1028 2
ssh-rsa 1039 12
ssh-rsa 1040 14
ssh-rsa 1042 1
ssh-rsa 1050 1
ssh-rsa 1096 7
ssh-rsa 1200 1
ssh-rsa 1231 1
ssh-rsa 1280 1
ssh-rsa 1480 1
ssh-rsa 1500 1
ssh-rsa 1512 1
ssh-rsa 1536 9
ssh-rsa 1675 1
ssh-rsa 1768 1
ssh-rsa 1792 1
ssh-rsa 1984 1
ssh-rsa 2012 1
ssh-rsa 2014 20
ssh-rsa 2015 1
ssh-rsa 2018 4
ssh-rsa 2024 14
ssh-rsa 2028 3
ssh-rsa 2033 1
ssh-rsa 2038 1
ssh-rsa 2041 1
ssh-rsa 2042 1
ssh-rsa 2043 1
ssh-rsa 2044 2
ssh-rsa 2045 2
ssh-rsa 2046 5
ssh-rsa 2047 359
ssh-rsa 2048 918482
ssh-rsa 2049 10
ssh-rsa 2051 1
ssh-rsa 2056 18
ssh-rsa 2060 1
ssh-rsa 2063 1
ssh-rsa 2064 2
ssh-rsa 2076 1
ssh-rsa 2083 1
ssh-rsa 2084 3
ssh-rsa 2086 1
ssh-rsa 2087 1
ssh-rsa 2096 65
ssh-rsa 2098 2
ssh-rsa 2111 1
ssh-rsa 2220 1
ssh-rsa 2222 3
ssh-rsa 2248 1
ssh-rsa 2303 1
ssh-rsa 2304 1
ssh-rsa 2333 1
ssh-rsa 2345 3
ssh-rsa 2368 1
ssh-rsa 2400 2
ssh-rsa 2481 1
ssh-rsa 2497 1
ssh-rsa 2560 3
ssh-rsa 2880 1
ssh-rsa 2948 1
ssh-rsa 3000 7
ssh-rsa 3003 1
ssh-rsa 3008 1
ssh-rsa 3011 1
ssh-rsa 3023 1
ssh-rsa 3045 1
ssh-rsa 3048 1
ssh-rsa 3050 1
ssh-rsa 3071 2
ssh-rsa 3072 254
ssh-rsa 3073 1
ssh-rsa 3074 1
ssh-rsa 3077 1
ssh-rsa 3078 3
ssh-rsa 3092 1
ssh-rsa 3096 24
ssh-rsa 3100 1
ssh-rsa 3112 1
ssh-rsa 3192 1
ssh-rsa 3200 2
ssh-rsa 3211 1
ssh-rsa 3248 4
ssh-rsa 3276 1
ssh-rsa 3333 2
ssh-rsa 3360 1
ssh-rsa 3456 6
ssh-rsa 3490 1
ssh-rsa 3584 1
ssh-rsa 3711 1
ssh-rsa 3743 1
ssh-rsa 3744 1
ssh-rsa 3936 1
ssh-rsa 3987 1
ssh-rsa 3989 1
ssh-rsa 3991 1
ssh-rsa 4000 6
ssh-rsa 4001 1
ssh-rsa 4006 4
ssh-rsa 4022 1
ssh-rsa 4023 1
ssh-rsa 4024 2
ssh-rsa 4026 2
ssh-rsa 4028 9
ssh-rsa 4029 1
ssh-rsa 4046 4
ssh-rsa 4048 139
ssh-rsa 4049 5
ssh-rsa 4056 8
ssh-rsa 4060 1
ssh-rsa 4062 1
ssh-rsa 4064 1
ssh-rsa 4065 1
ssh-rsa 4066 2
ssh-rsa 4068 3
ssh-rsa 4069 139
ssh-rsa 4072 1
ssh-rsa 4073 1
ssh-rsa 4076 1
ssh-rsa 4084 1
ssh-rsa 4086 48
ssh-rsa 4089 2
ssh-rsa 4090 19
ssh-rsa 4091 1
ssh-rsa 4092 46
ssh-rsa 4093 5
ssh-rsa 4094 17
ssh-rsa 4095 228
ssh-rsa 4096 227320
ssh-rsa 4097 25
ssh-rsa 4098 112
ssh-rsa 4099 4
ssh-rsa 4106 1
ssh-rsa 4111 1
ssh-rsa 4112 1
ssh-rsa 4113 2
ssh-rsa 4124 1
ssh-rsa 4192 10
ssh-rsa 4196 6
ssh-rsa 4224 1
ssh-rsa 4237 1
ssh-rsa 4238 1
ssh-rsa 4242 2
ssh-rsa 4292 1
ssh-rsa 4321 1
ssh-rsa 4384 1
ssh-rsa 4444 1
ssh-rsa 4500 1
ssh-rsa 4560 1
ssh-rsa 4567 1
ssh-rsa 4608 1
ssh-rsa 4609 1
ssh-rsa 4666 1
ssh-rsa 4696 1
ssh-rsa 4757 1
ssh-rsa 4777 1
ssh-rsa 4896 5
ssh-rsa 4906 45
ssh-rsa 4960 1
ssh-rsa 4986 1
ssh-rsa 4996 3
ssh-rsa 5000 3
ssh-rsa 5005 1
ssh-rsa 5012 1
ssh-rsa 5065 1
ssh-rsa 5076 1
ssh-rsa 5096 18
ssh-rsa 5120 26
ssh-rsa 5272 1
ssh-rsa 5555 2
ssh-rsa 5567 1
ssh-rsa 5568 1
ssh-rsa 5569 1
ssh-rsa 5571 1
ssh-rsa 6017 1
ssh-rsa 6096 1
ssh-rsa 6144 15
ssh-rsa 6192 2
ssh-rsa 6502 1
ssh-rsa 6666 2
ssh-rsa 6996 1
ssh-rsa 7000 1
ssh-rsa 7168 3
ssh-rsa 7424 1
ssh-rsa 7462 1
ssh-rsa 7680 3
ssh-rsa 7718 1
ssh-rsa 7896 1
ssh-rsa 8000 3
ssh-rsa 8012 1
ssh-rsa 8029 1
ssh-rsa 8092 11
ssh-rsa 8095 2
ssh-rsa 8096 63
ssh-rsa 8112 2
ssh-rsa 8128 2
ssh-rsa 8129 2
ssh-rsa 8172 2
ssh-rsa 8182 2
ssh-rsa 8184 3
ssh-rsa 8188 1
ssh-rsa 8191 13
ssh-rsa 8192 2081
ssh-rsa 8196 27
ssh-rsa 8198 1
ssh-rsa 8216 1
ssh-rsa 8420 1
ssh-rsa 8765 1
ssh-rsa 8912 2
ssh-rsa 9000 1
ssh-rsa 9001 1
ssh-rsa 9016 1
ssh-rsa 9046 2
ssh-rsa 9096 4
ssh-rsa 9192 1
ssh-rsa 9216 5
ssh-rsa 9999 2
ssh-rsa 10000 2
ssh-rsa 10004 1
ssh-rsa 10240 14
ssh-rsa 10960 2
ssh-rsa 12288 2
ssh-rsa 12300 1
ssh-rsa 15360 10
ssh-rsa 16096 2
ssh-rsa 16191 1
ssh-rsa 16192 1
ssh-rsa 16364 1
ssh-rsa 16383 1
ssh-rsa 16384 303
ssh-rsa 35000 1
ssh-ed25519 - 3980
ecdsa-sha2-nistp256 - 1125
ecdsa-sha2-nistp384 - 98
ecdsa-sha2-nistp521 - 1013