finds.dev← search

// the find

FiloSottile/whoami.filippo.io

★ 2,356 · Go · ISC · updated Apr 2026

A ssh server that knows who you are. $ ssh whoami.filippo.io

A Go SSH server that identifies who you are by collecting the public keys your SSH client offers during authentication, then cross-referencing them against a dataset of GitHub users' public keys. It is a clever proof-of-concept demonstrating a real and underappreciated privacy leak in how SSH client authentication works. Useful for anyone learning SSH protocol internals or thinking about public key hygiene.

The core mechanism is genuinely clever — abusing the SSH authentication handshake to enumerate client keys is not obvious, and seeing it implemented cleanly in ~200 lines of Go makes the vulnerability tangible. The README immediately tells you how to stop it, which is unusually honest for a demo project. Using golang.org/x/crypto/ssh directly (no framework) keeps the code readable and the protocol behavior explicit. Deploying on Fly.io with a simple fly.toml means the infrastructure is trivial to replicate.

The GitHub key dataset it relies on is a third-party static snapshot from Ben Cox — if that data goes stale or the lookup service disappears, identification stops working without any fallback. The lookup logic (cmd/lookup) is separate from the server and the coupling between them is implicit, so modifying the identification strategy requires understanding both. There is no test coverage visible in the tree. This is fundamentally a demo, not a library — you cannot reuse the key-enumeration technique without forking the whole thing.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →