The point of this project is to demonstrate that GitHub users can fall victim to having their SSH key pair broken, depending on the algorithm and key size they chose when generating it. GitHub exposes every user's registered public keys, so anyone can inspect an organization's members for weak ones.

Note that tools such as ssh2john from John the Ripper attack the passphrase protecting a private key file, which is a separate problem from weak key material. What this project is concerned with is the key material itself: RSA moduli below 1024 bits are within reach of factoring (512-bit RSA has been factored publicly since 1999, and today takes a few hours and well under a hundred dollars of rented cloud compute), and DSA, which SSH limits to 1024-bit keys with SHA-1 signatures, has been disabled by default in OpenSSH since version 7.0.
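Added here as an illustration (example code, not part of the audit-org-keys project, whose implementation may differ): a stand-alone Go program that performs the core check such an audit needs. It parses keys in the `type base64` line format GitHub serves for each user, decodes the SSH wire encoding from RFC 4253, reads the RSA modulus or DSA prime size, and flags RSA below 2048 bits, every DSA key, and any key type it does not recognise. The sample input is constructed: placeholder numbers of the right bit length rather than real key material, since the check only looks at sizes. The function names (`AuditKey`, `sampleKeys`, `marshalKey`, `pow2`) are my own.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// KeyInfo is the per-key audit result; an empty Reason means the key passed.
type KeyInfo struct {
	Type   string
	Bits   int // RSA modulus or DSA p bit length; 0 for fixed-size curve keys
	Reason string
}

// splitStrings decodes a blob into its SSH wire "string" fields (uint32 length + bytes).
func splitStrings(b []byte) (out [][]byte, err error) {
	for len(b) > 0 {
		if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
			return nil, errors.New("truncated field")
		}
		n := binary.BigEndian.Uint32(b)
		out, b = append(out, b[4:4+n]), b[4+n:]
	}
	return out, nil
}

// AuditKey parses one "type base64 [comment]" line (what GitHub serves at <user>.keys) and flags weak keys.
func AuditKey(line string) (KeyInfo, error) {
	f := append(strings.Fields(line), "", "") // f[0], f[1] always exist; empties fail below
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return KeyInfo{}, fmt.Errorf("bad base64: %w", err)
	}
	parts, err := splitStrings(blob)
	if err != nil {
		return KeyInfo{}, err
	}
	// Field counts per RFC 4253: ssh-rsa = type, e, n; ssh-dss = type, p, q, g, y.
	want := map[string]int{"ssh-rsa": 3, "ssh-dss": 5}[f[0]]
	if len(parts) == 0 || string(parts[0]) != f[0] || (want != 0 && len(parts) != want) {
		return KeyInfo{}, fmt.Errorf("blob layout does not match type %q", f[0])
	}
	info := KeyInfo{Type: f[0]}
	switch f[0] {
	case "ssh-rsa": // only n's size drives factoring cost; SetBytes ignores the mpint sign pad
		if info.Bits = new(big.Int).SetBytes(parts[2]).BitLen(); info.Bits < 2048 {
			info.Reason = fmt.Sprintf("RSA modulus is %d bits; 2048 is the floor", info.Bits)
		}
	case "ssh-dss": // SSH fixes DSA at 1024-bit p with SHA-1 signatures
		info.Bits = new(big.Int).SetBytes(parts[1]).BitLen()
		info.Reason = "DSA; disabled by default since OpenSSH 7.0"
	case "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521":
		// fixed-size curve keys: nothing to size-check
	default:
		info.Reason = "unrecognised key type; review manually"
	}
	return info, nil
}

// marshalKey builds "type base64(blob)" from SSH strings: the type, then each field.
func marshalKey(typ string, fields ...[]byte) string {
	var out []byte
	for _, f := range append([][]byte{[]byte(typ)}, fields...) {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return typ + " " + base64.StdEncoding.EncodeToString(out)
}

// pow2 is 2^k as an SSH mpint (big-endian, 0x00 pad when the top bit is set): a
// placeholder of exactly k+1 bits, enough for a parser that only reads sizes.
func pow2(k uint) []byte {
	b := new(big.Int).Lsh(big.NewInt(1), k).Bytes()
	if b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return b
}

// sampleKeys is constructed input, not real GitHub data or key material: placeholder
// values of the right bit length, in the order weak, weak, ok, weak, ok.
func sampleKeys() []string {
	e := []byte{1, 0, 1} // 65537 as an mpint
	return []string{
		marshalKey("ssh-rsa", e, pow2(511)),
		marshalKey("ssh-rsa", e, pow2(1023)),
		marshalKey("ssh-rsa", e, pow2(2047)),
		marshalKey("ssh-dss", pow2(1023), pow2(159), []byte{2}, pow2(1000)),
		marshalKey("ssh-ed25519", make([]byte, 32)),
	}
}

func main() {
	for _, line := range sampleKeys() {
		fmt.Println(AuditKey(line))
	}
}
```

Run it with `go run .`; each line prints the parsed `KeyInfo` and any error. Against a real organization you would feed `AuditKey` the lines fetched for each member instead of `sampleKeys`. Two points worth noticing: the 1024-bit RSA placeholder is flagged too, because although factoring 1024-bit RSA is not public, it sits below the 2048-bit floor current guidance such as NIST SP 800-131A sets; and any type outside the recognised list is flagged rather than silently passed, so new key formats get a human look.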
```
go get -u github.com/jef/audit-org-keys
```

On Go 1.17 and later `go get` no longer installs binaries; use `go install github.com/jef/audit-org-keys@latest` instead. Prebuilt executables are also available under GitHub Releases.
A GitHub Personal Access Token (PAT) is required. Generate one under Settings > Developer settings > Personal access tokens; the only scope needed is `read:org`. Export it in the `GITHUB_TOKEN` environment variable. If `GITHUB_TOKEN` is not set, the results may be incomplete: the GitHub API shows only an organization's public members to unauthenticated callers and applies a much lower rate limit.
```
Usage of audit_org_keys:
  -o, --organization string   [required] GitHub organization to inspect
  -s, --show-users string     display users with filter: all, with, without, multiple (default "all")
```

Examples:

```
audit-org-keys --organization="actions"
audit-org-keys --organization="actions" --show-users="all"
```
| Tag | Description |
|---|---|
| `latest` | Built against tagged releases; stable |
| `nightly` | Built against `HEAD`; generally considered stable, but could have problems |