gh-audit-org-keys

The point of this project is to help demonstrate that users of GitHub could potentially fall victim to getting their private SSH key cracked. This based on the size and complexity of the key the user generates.

Programs like ssh2john from John the Ripper can best demonstrate how fast an SSH private key can be solved from a not so complex algorithm with low key lengths (think RSA < 1024 bits).

Installation

1. Install the gh cli - see the installation

   Installation requires a minimum version (2.0.0) of the GitHub CLI that supports extensions.

2. Install this extension:

   gh extension install jef/gh-audit-org-keys

Manual Installation

Requirements: cli/cli and go.

1. Clone the repository

   # git
   git clone git@github.com:jef/gh-audit-org-keys.git
   
   # GitHub CLI
   gh repo clone jef/gh-audit-org-keys

2. cd into it

   cd gh-audit-org-keys

3. Build it

   make build

4. Install it locally

   gh extension install .

Usage

To run:

gh audit-org-keys

To upgrade:

gh extension upgrade audit-org-keys

Examples

• gh audit-org-keys --organization="actions"
• gh audit-org-keys --organization="actions" --show-users="all"

Acknowledgments

• Auditing GitHub users’ SSH key quality
• Openwall - John the Ripper
  • magnumripper/JohnTheRipper