0xdeadbeefnetwork/ssh-keysign-pwn — explained in plain English
Analysis updated 2026-05-18
Reproduce a documented Linux kernel privilege escalation bug for security research or teaching.
Test whether a Linux system is still vulnerable to the pre-fix ptrace_may_access race condition.
Study how file descriptor theft during process exit can bypass permission checks.
| 0xdeadbeefnetwork/ssh-keysign-pwn | ammarkov/sam3dbody-cpp | 21cncstudio/project_aura | |
|---|---|---|---|
| Stars | 514 | 563 | 617 |
| Language | C | C | C |
| Setup difficulty | moderate | hard | moderate |
| Complexity | 4/5 | 5/5 | 3/5 |
| Audience | researcher | researcher | general |
Figures from each repo's GitHub metadata at analysis time.
Requires a C compiler and a vulnerable pre-patch Linux kernel to reproduce the exploit.
This project is a proof of concept exploit for a Linux kernel bug that let an unprivileged user read files owned by root, including SSH host private keys and the system password file. The bug lived in a kernel function called ptrace_may_access. Normally that function checks whether a process is allowed to access another process's memory and file descriptors, but the check was skipped during a specific moment while a process was exiting, right after its memory map was cleared but before its open file descriptors were closed. During that narrow window, a matching user id could grab a file descriptor from the exiting process using a system call called pidfd_getfd, effectively stealing access to files the exiting process had open, even ones it no longer had permission to touch. The repository includes two ready made tools. One targets the ssh-keysign helper program, which briefly opens the server's SSH host key files before dropping its privileges, and pulls those keys out during the race window. The other targets the chage command, which is used to check password aging information, and captures the contents of the shadow file where password hashes are stored. Both work by repeatedly triggering the target program and racing to catch it in the vulnerable moment, with the README reporting successful hits within a few thousand attempts on tested systems including several current versions of Debian, Ubuntu, Raspberry Pi OS, Arch, and CentOS. A third component lets someone test the technique in a controlled way using a small sample program included in the repo, showing the difference between failed access while the target is running and successful theft right after it is killed. This is a security research and educational tool documenting a real, since fixed kernel vulnerability with an assigned CVE identifier. It requires compiling C code with a standard toolchain and running it on an affected Linux system. The README does not describe any patched version protection or safety guardrails, so it should only be used on systems the reader owns or is authorized to test.
A proof of concept tool that exploits a since fixed Linux kernel race condition to steal SSH host keys and password hashes from root owned files.
Mainly C. The stack also includes C, Linux Kernel, Make.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.