The point of this project is to demonstrate that GitHub users could fall victim to having their private SSH key cracked, depending on the size and complexity of the key they generate.

Programs like `ssh2john` from John the Ripper can best demonstrate how fast an SSH private key can be solved when it uses a not-so-complex algorithm with a low key length (think RSA < 1024 bits).
| Tag | Description |
|---|---|
| `latest` | Built against tagged releases; stable |
| `nightly` | Built against HEAD; generally considered stable, but could have problems |
```sh
GITHUB_ORGANIZATION=actions
GITHUB_PAT=mysecrettoken

docker run --rm -it \
    --env "GITHUB_ORGANIZATION=$GITHUB_ORGANIZATION" \
    --env "GITHUB_PAT=$GITHUB_PAT" \
    "docker.pkg.github.com/jef/audit-org-keys/audit-org-keys:<tag>"
```
View Available arguments and Available environment variables below if you'd like to customize input and output.
- Go 1.14+ or Docker
```sh
# exported so the locally built binary can read them from its environment
export GITHUB_ORGANIZATION=actions
export GITHUB_PAT=mysecrettoken

# Golang
go build
./audit-org-keys

# show users with multiple keys
./audit-org-keys -show-users=multiple

# Docker
docker build -t audit-org-keys:localhost .

docker run --rm -it \
    --env "GITHUB_ORGANIZATION=$GITHUB_ORGANIZATION" \
    --env "GITHUB_PAT=$GITHUB_PAT" \
    audit-org-keys:localhost

# show users without keys
docker run --rm -it \
    --env "GITHUB_ORGANIZATION=$GITHUB_ORGANIZATION" \
    --env "GITHUB_PAT=$GITHUB_PAT" \
    audit-org-keys:localhost -show-users=without
```
- `-show-users=<filter>`: display users with filter (`all`, `with`, `without`, `multiple`)
- `GITHUB_ORGANIZATION`*: The organization under audit
- `GITHUB_PAT`*: GitHub Personal Access Token
  - Create a PAT with `read:org` scope
  - Some organizations have SSO; if yours does, then you also need to enable it
- `LOG_LEVEL`: Sets zap log level
Required denoted by `*`
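
The key-size concern described at the top of this page can be checked directly from a public key line, without touching any private key. The Go code below is an added example, not code from audit-org-keys: `fields`, `RSABits` and `sampleKey` are hypothetical names, the sample key is constructed in code and is not a usable key, and the 1024-bit threshold is the one the text above mentions.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// fields (hypothetical helper) splits an SSH wire-format blob into its first n length-prefixed fields.
func fields(b []byte, n int) (out [][]byte, err error) {
	for ; n > 0; n-- {
		if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
			return nil, fmt.Errorf("truncated key blob")
		}
		l := binary.BigEndian.Uint32(b)
		out, b = append(out, b[4:4+l]), b[4+l:]
	}
	return out, nil
}

// RSABits (hypothetical name) returns the modulus size in bits of an "ssh-rsa <base64> [comment]" line, or 0 for other key types.
func RSABits(line string) (int, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 || parts[0] != "ssh-rsa" {
		return 0, nil // not an RSA key line (e.g. ssh-ed25519): nothing to measure
	}
	blob, err := base64.StdEncoding.DecodeString(parts[1])
	f, ferr := fields(blob, 3) // algorithm name, public exponent e, modulus n
	if err != nil || ferr != nil || string(f[0]) != "ssh-rsa" {
		return 0, fmt.Errorf("not a valid ssh-rsa blob")
	}
	return new(big.Int).SetBytes(f[2]).BitLen(), nil
}

// sampleKey builds a constructed, non-functional ssh-rsa line whose modulus has the given size (a multiple of 8).
func sampleKey(bits int) string {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // only the top bit set
	var blob []byte
	for _, f := range [][]byte{[]byte("ssh-rsa"), {1, 0, 1}, append([]byte{0}, n.Bytes()...)} {
		blob = append(append(blob, 0, 0, byte(len(f)>>8), byte(len(f))), f...) // 4-byte length, then data
	}
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(blob) + " constructed@example"
}

func main() {
	bits, err := RSABits(sampleKey(768))
	fmt.Println(bits, err, bits > 0 && bits < 1024) // 1024: the size the text above calls out as too small
}
```

The same function can be run over each line of a user's public key listing; a result of 0 with no error means the key is not RSA and needs a different check.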