Question 1

How does SSH key enumeration actually work?

Accepted Answer

During SSH public key authentication, the client sends all installed public keys to the server sequentially until one is accepted. This server captures those keys without accepting any, as described in the README, to demonstrate how identity can be leaked.

Question 2

Is it safe to connect to whoami.filippo.io?

Accepted Answer

Yes, it's harmless—the server only enumerates keys and displays your GitHub info before closing the connection, with no data storage or malicious intent, as noted in the 'Try it' section. Always verify the SSH fingerprints provided.

Question 3

How can I stop SSH from sending all my public keys?

Accepted Answer

Add 'PubkeyAuthentication no' and 'IdentitiesOnly yes' to your SSH config under 'Host *', then specify keys per host, as detailed in the README's 'How do I stop it?' section to limit key exposure.

Question 4

What's the difference between this and a normal SSH server?

Accepted Answer

Normal SSH servers authenticate keys for access, while this one only enumerates them for demonstration—it doesn't allow shell sessions or commands, focusing solely on identity retrieval via GitHub data.

Question 5

Does whoami.filippo.io work with all SSH key types like RSA or ED25519?

Accepted Answer

Yes, it supports common key types; the README lists ED25519 and RSA fingerprints, and it uses Go's crypto/ssh library to handle various keys presented during authentication attempts.

Question 6

SSH key enumeration vs password authentication: which is riskier?

Accepted Answer

Key enumeration can leak identity without brute force, while passwords risk guessing attacks. This demo shows keys can be linked to public profiles like GitHub, whereas passwords offer anonymity but weaker security if reused.

Question 7

How to set up a similar SSH server for educational purposes?

Accepted Answer

Use the Go source code from GitHub, modify server.go to adapt the authentication logic, and ensure access to a key dataset—but note it's for demo only, not production, as per the project's educational focus.

whosthere

What is whosthere?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions