whatisgithub

What is ssh-keysign-pwn?

0xdeadbeefnetwork/ssh-keysign-pwn — explained in plain English

Analysis updated 2026-05-18

514CAudience · researcherComplexity · 4/5Setup · moderate

In one sentence

A proof of concept tool that exploits a since fixed Linux kernel race condition to steal SSH host keys and password hashes from root owned files.

Mindmap

mindmap
  root((ssh-keysign-pwn))
    What it does
      Steals root files
      Races process exit
      Uses pidfd_getfd
    Targets
      SSH host keys
      etc shadow file
    Tech stack
      C
      Linux kernel
      Make
    Audience
      Security researchers
      Kernel developers
    Requirements
      Vulnerable kernel
      C toolchain
    Status
      CVE assigned
      Bug now fixed

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Reproduce a documented Linux kernel privilege escalation bug for security research or teaching.

USE CASE 2

Test whether a Linux system is still vulnerable to the pre-fix ptrace_may_access race condition.

USE CASE 3

Study how file descriptor theft during process exit can bypass permission checks.

What is it built with?

CLinux KernelMake

How does it compare?

0xdeadbeefnetwork/ssh-keysign-pwnammarkov/sam3dbody-cpp21cncstudio/project_aura
Stars514563617
LanguageCCC
Setup difficultymoderatehardmoderate
Complexity4/55/53/5
Audienceresearcherresearchergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires a C compiler and a vulnerable pre-patch Linux kernel to reproduce the exploit.

So what is it?

This project is a proof of concept exploit for a Linux kernel bug that let an unprivileged user read files owned by root, including SSH host private keys and the system password file. The bug lived in a kernel function called ptrace_may_access. Normally that function checks whether a process is allowed to access another process's memory and file descriptors, but the check was skipped during a specific moment while a process was exiting, right after its memory map was cleared but before its open file descriptors were closed. During that narrow window, a matching user id could grab a file descriptor from the exiting process using a system call called pidfd_getfd, effectively stealing access to files the exiting process had open, even ones it no longer had permission to touch. The repository includes two ready made tools. One targets the ssh-keysign helper program, which briefly opens the server's SSH host key files before dropping its privileges, and pulls those keys out during the race window. The other targets the chage command, which is used to check password aging information, and captures the contents of the shadow file where password hashes are stored. Both work by repeatedly triggering the target program and racing to catch it in the vulnerable moment, with the README reporting successful hits within a few thousand attempts on tested systems including several current versions of Debian, Ubuntu, Raspberry Pi OS, Arch, and CentOS. A third component lets someone test the technique in a controlled way using a small sample program included in the repo, showing the difference between failed access while the target is running and successful theft right after it is killed. This is a security research and educational tool documenting a real, since fixed kernel vulnerability with an assigned CVE identifier. It requires compiling C code with a standard toolchain and running it on an affected Linux system. The README does not describe any patched version protection or safety guardrails, so it should only be used on systems the reader owns or is authorized to test.

Copy-paste prompts

Prompt 1
Explain step by step how the ptrace_may_access race condition in this repo lets an unprivileged user steal root owned files.
Prompt 2
Walk me through building and running sshkeysign_pwn and chage_pwn from this repo on a test Linux VM.
Prompt 3
Summarize the timeline of this vulnerability from Jann Horn's 2020 report to the 2026 fix, based on this README.
Prompt 4
What precautions should I take before running this exploit code, and how do I confirm my kernel is patched?

Frequently asked questions

What is ssh-keysign-pwn?

A proof of concept tool that exploits a since fixed Linux kernel race condition to steal SSH host keys and password hashes from root owned files.

What language is ssh-keysign-pwn written in?

Mainly C. The stack also includes C, Linux Kernel, Make.

How hard is ssh-keysign-pwn to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is ssh-keysign-pwn for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.