BaseMax/ghostkey-ssh

ghostkey-ssh

A lightweight SSH probing utility that tests whether a target server accepts a given public key, without requiring a valid private key.

Useful for:

  • Security auditing
  • Infrastructure validation
  • Detecting misconfigured SSH access policies

Built in Go using low-level SSH primitives for precise control over the authentication flow.


✨ Features

  • 🔑 Test SSH public key acceptance without a private key
  • ⚡ Concurrent scanning (worker pool)
  • 🎯 Support for multiple targets
  • 🧠 Smart detection based on SSH auth flow
  • 🛠 Simple CLI interface
  • 🧩 Clean and extensible codebase

⚙️ How It Works

ghostkey-ssh exploits a behavior in the SSH protocol:

During public key authentication, the client is asked to sign data only if the server accepts the public key.

This tool uses a custom DummySigner:

  • If Sign() is called → ✅ key is accepted
  • If not → ❌ key is rejected

No valid signature is required — making this a non-invasive probe.
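
The exchange this section relies on, written out at the message level as an added example (not code from ghostkey-ssh): the signature-less public key query from RFC 4252 and the two server replies that separate an authorized key from an unauthorized one. The function names and the key blob are constructed for illustration, and no network connection is made.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Message numbers from RFC 4252.
const msgUserauthRequest, msgUserauthFailure, msgUserauthPKOK = 50, 51, 60

// putString appends an SSH "string": uint32 big-endian length, then the bytes.
func putString(b, s []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	return append(append(b, n[:]...), s...)
}

// BuildKeyQuery encodes the signature-less key query (RFC 4252, section 7).
func BuildKeyQuery(user, algo string, blob []byte) []byte {
	b := putString([]byte{msgUserauthRequest}, []byte(user))
	b = putString(b, []byte("ssh-connection"))
	b = putString(b, []byte("publickey"))
	b = append(b, 0) // boolean FALSE: no signature follows
	b = putString(b, []byte(algo))
	return putString(b, blob)
}

// ClassifyReply maps the server's answer to ACCEPTED, REJECTED or ERROR.
func ClassifyReply(reply []byte, algo string, blob []byte) string {
	if len(reply) > 0 && reply[0] == msgUserauthFailure {
		return "REJECTED" // key is not authorized for this user
	}
	// PK_OK must echo the queried algorithm and blob; anything else is an error.
	want := putString(putString([]byte{msgUserauthPKOK}, []byte(algo)), blob)
	if bytes.Equal(reply, want) {
		return "ACCEPTED" // server is now waiting for a signature
	}
	return "ERROR"
}

func main() {
	blob := []byte("constructed-blob") // constructed placeholder, not a real key
	fail := append(putString([]byte{msgUserauthFailure}, []byte("publickey")), 0)
	fmt.Printf("% x\n", BuildKeyQuery("root", "ssh-ed25519", blob))
	fmt.Println(ClassifyReply(fail, "ssh-ed25519", blob)) // REJECTED
}
```

The PK_OK reply is sent before the client proves possession of the private key, which is why a public key alone is enough to learn where that key is authorized.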


🚀 Installation

git clone https://github.com/BaseMax/ghostkey-ssh.git
cd ghostkey-ssh
go build -o ghostkey-ssh app.go

🧪 Usage

./ghostkey-ssh \
  -target 192.168.1.1:22 \
  -user root \
  -pubkey "ssh-ed25519 AAAA..." \
  -workers 10

Multiple targets

./ghostkey-ssh \
  -target 192.168.1.2:22,192.168.1.3:22 \
  -pubkey "ssh-ed25519 AAAA..."

⚙️ Flags

Flag       Description
-target    Target (ip:port) or comma-separated list
-user      SSH username (default: root)
-pubkey    Public key (authorized_keys format)
-timeout   Connection timeout (default: 5s)
-workers   Number of concurrent workers (default: 10)

📊 Output

[+] 192.168.1.1:22 → ACCEPTED
[ ] 192.168.1.2:22 → REJECTED
[-] 192.168.1.3:22 → ERROR: network error

Legend:

  • [+] → Public key accepted
  • [ ] → Public key rejected
  • [-] → Connection or protocol error

⚠️ Limitations

  • Relies on OpenSSH-compatible behavior
  • Some hardened SSH servers may not follow the standard flow
  • Does not verify host keys (InsecureIgnoreHostKey is used)
  • Not a replacement for full authentication testing

🔐 Security Notice

This tool is intended for:

  • Authorized security assessments
  • Internal infrastructure validation

Do not use against systems you do not own or have permission to test.


🛣 Roadmap

  • CIDR / subnet scanning
  • JSON output support
  • Public key file input
  • SSH banner fingerprinting
  • Proxy (SOCKS5) support
  • Rate limiting / stealth mode

🤝 Contributing

PRs, issues, and ideas are welcome.

If you’re building on top of this, feel free to fork and extend.


🧠 Philosophy

Keep it simple.

Keep it low-level.

Expose real protocol behavior — not abstractions.


📄 License

MIT License

Copyright (c) 2026

Seyyed Ali Mohammadiyeh
