A ssh server that knows who you are. $ ssh whoami.filippo.io
37 points | 22 hours ago | 4 comments | github.com
pseudohadamard
14 hours ago
It's an artefact of OpenSSH braindamage: like a WiFi device spraying probe requests, OpenSSH sprays all of your keys to any server it connects to and then takes whatever the server responds with as the one to auth. There's a CVE for this, CVE-2016-20012, but the OpenSSH maintainers rejected it as by-design, https://github.com/openssh/openssh-portable/pull/270.
reply
FiloSottile
5 hours ago
If that PR were merged, whoami.filippo.io would still work the same. It would just receive signed requests instead of queries.
reply
gnabgib
22 hours ago
Popular in 2023 (240 points, 81 comments) https://news.ycombinator.com/item?id=34301768
reply
fragmede
5 hours ago
Yes, but telling people to run

    ssh -o IdentityAgent=/dev/null -v -o IdentityFile=/dev/null funky.nondeterministic.computer

instead of just

    ssh funky.nondeterministic.computer

is harder to sell.
reply
locke3891
1 hour ago
For those that care about privacy, couldn't you just use an alias?

    alias ssh='ssh -o IdentityAgent=/dev/null -o IdentityFile=/dev/null -v'

Then you can do

    ssh funky.nondeterministic.computer

and get the same functionality.
reply
seg_lol
14 hours ago
It has downloaded every public key from GitHub?

I would use this trick to add them to my test clusters.

reply
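Added example, not part of the thread or of any project mentioned in it: a Python check of whether an `ssh_config` leaves ssh free to offer every agent-held key to a given host, the behaviour discussed above. It assumes the OpenSSH options `IdentitiesOnly yes` and `IdentityAgent none` (the thread's `/dev/null` value is treated the same way); the sample config and function names are constructed, and `Match` and `Include` are not handled.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config (not from the thread).
SAMPLE_CONFIG = """\
Host work-* !work-lab
    IdentityFile ~/.ssh/id_work
    IdentitiesOnly yes

Host scratch
    IdentityAgent none

Host *
    IdentityFile ~/.ssh/id_ed25519
"""

TRACKED = ("identitiesonly", "identityagent")  # single-valued, first value wins

def host_matches(patterns, host):
    """Host-line semantics: a negated pattern that matches vetoes the block."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_options(config_text, host):
    """Resolve the tracked options for host; first obtained value wins."""
    opts, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif active and key in TRACKED:
            opts.setdefault(key, value)
    return opts

def offers_agent_keys(config_text, host):
    """True if nothing stops ssh from offering every agent key to host."""
    opts = effective_options(config_text, host)
    agent_off = opts.get("identityagent", "").lower() in ("none", "/dev/null")
    return not (agent_off or opts.get("identitiesonly", "no").lower() == "yes")
```

With `IdentitiesOnly yes`, the keys named by `IdentityFile` for that host are still offered; the check only reports whether the rest of the agent's keys can be.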