SSH automatically presents a public key to the server when trying to authenticate. If the server doesn't know that key, then SSH tries the next one. You can enumerate all of someone's keys this way (like the https://blog.filippo.io/ssh-whoami-filippo-io/ SSH server does).
If you want to disable this sort of behaviour you can disable SSH from sending keys automatically, and then tell SSH which identity files need to be sent to each host.
In your .ssh/config, something like:

    # Ignore SSH keys unless specified in Host subsection
    IdentitiesOnly yes

    # Send your public key to github only
    Host github.com
        IdentityFile ~/.ssh/id_rsa

With IdentitiesOnly, any identities explicitly configured via IdentityFile, or the default identity file if none are configured explicitly, is/are still sent. Using "-i /dev/null" in combination with IdentitiesOnly prevents that.
Interesting. If you're right, the manual leaves out the rather critical "or the default identity file" bit:
> Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities.
Serious question, what's the real harm in this since it's just public keys? Just allowing a server to discover all the other servers you may have been talking to?
In most cases, no real harm. However, it does give away some information about you which can be used to fingerprint you. This data is also, I'm 99% sure, transmitted in plaintext, so a passive adversary can gather this information as well. For most uses I wouldn't worry about it. But, if you're an attacker, say forcing your way onto an SSH server with a weak password, it can be a valuable source of information for identifying you.
> This data is also, I'm 99% sure, transmitted in plaintext
I was curious about this, so I did some research.
First, if you run `ssh -v`, you can see that there's a key exchange (e.g., Diffie-Hellman), then a cipher and MAC are negotiated, and only once you get to the user authentication portion do your public keys get sent to the server.
So, only Alice and Bob can see the public keys: not Mallory.
Ah yes, you're right! I remembered there is some stuff transmitted in plaintext at the beginning, but it's just the normal SSL cipher-suite negotiation.
If you have multiple ssh keys, that can easily make you run out of login attempts. I have a key per server/client pair (because I'm weird), all stuffed into my ssh-agent, so that breaks basically all logins for me.
So, to stop it iterating through your keys for a single host, you have to specify IdentitiesOnly globally? That would explain why I couldn't make it work last time I tried it.
If I recall correctly, if you specify it for a single host, it tries all your default keys then tries the specified key if nothing else worked. Which seems weird and wrong to me, but what do I know. Anyway, thanks for (possibly) solving a mystery for me.
Configuration options may be separated by whitespace or
optional whitespace and exactly one `='; the latter format
is useful to avoid the need to quote whitespace when
specifying configuration options using the ssh, scp, and
sftp -o option.
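The lookup rules discussed in the comments above (global versus per-host IdentitiesOnly, and the two separator forms quoted from the manual), as an added example that is not part of the original thread or of OpenSSH. It is a small Python resolver written for illustration: the names `host_matches` and `effective` are hypothetical, Python's `fnmatch` stands in for ssh's `*`/`?` wildcards, and the sample configs are constructed.

```python
import fnmatch
import re

def host_matches(patterns, host):
    """A negated pattern that matches vetoes the block; otherwise any match wins."""
    hit = lambda p: fnmatch.fnmatchcase(host, p)
    if any(hit(p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(hit(p) for p in patterns if not p.startswith("!"))

def effective(config_text, host):
    """Resolve IdentitiesOnly / IdentityFile for one host name."""
    active = True            # options before the first Host line apply to every host
    identities_only = None   # like most options: the first value obtained wins
    identity_files = []      # IdentityFile is cumulative across matching blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        # Separator is whitespace, or optional whitespace around exactly one "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if line.startswith("#") or len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            raise ValueError("Match blocks are not handled by this sketch")
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key == "identitiesonly" and identities_only is None:
            identities_only = value.lower() == "yes"
        elif active and key == "identityfile":
            identity_files.append(value)
    only = bool(identities_only)
    # An empty identity_files list means ssh falls back to its default identity files.
    return {"identities_only": only, "identity_files": identity_files,
            "agent_keys_offered": not only}

# Constructed sample configs (host names and key paths are made up).
GLOBAL = """
IdentitiesOnly yes
Host github.com
    IdentityFile ~/.ssh/id_rsa
Host *.example.org !bastion.example.org
    IdentityFile=~/.ssh/id_work
    IdentitiesOnly no
"""
PER_HOST = """
Host github.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
"""
```

With `GLOBAL`, the later `IdentitiesOnly no` never takes effect because the global `yes` was obtained first; with `PER_HOST`, any host other than github.com still has agent keys offered. On a real machine, `ssh -G <host>` prints the configuration ssh itself resolves for that host.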
I loved SE:L. But like many hacking-oriented shows (I'm looking at you, Mr. Robot) it felt a need to go out into weird philosophical "what is reality?" and psychological strangeness.
I would love to see something that stays with the stuff I actually like about them. Philosophy and psychological exploration can be fine but I would absolutely love to see a show like one of those that stays closer to the ground.
GitS is primarily cyberpunk as I see it rather than focused on hacking. Hacking is just an element. Lain is focused on philosophy, psychology and spiritual weirdness and uses technology for aesthetics and as a tool to explore the bigger themes.
I'd love something like a heist-movie that stays close to the keyboard, like the most techie and coherent parts of Mr. Robot.
I don't think the technology in Lain was merely aesthetic. Sure, it did not behave literally like real world technology, but its dynamics within the show mirror its more subtle dynamics in the real world in a very exaggerated way. It's essential to Lain that technology and spirituality form an alloy. And beneath the lofty spiritual themes, there's Lain's """personal""" psychology, a glimpse into the mind of a technological super-intelligence.
Human societies and technological infrastructure are already complex enough to behave sort of like intelligent beings. They comprise humans and machines but are inhuman and more than mechanical. I find Lain to be one of the most thought provoking examinations of the psychology of such super-intelligence that I've enjoyed.
I've been hoping for a while that we'd get this kind of movie. And I do think we're getting closer to it. There are a few recent movies that provide hints about how a film could successfully capture a hacking experience:
- The research scenes in The Girl with the Dragon Tattoo.
- The texting scenes in Personal Shopper and House of Cards.
Does anyone have any other recommendations of close-to-the-keyboard style portrayals of communication, research, and hacking?
Is this The Girl with the Dragon Tattoo as in the American version? I haven't watched that, worthwhile?
Being from Sweden I did read the books and see the Swedish films :)
The philosophy of GitS is more around "what is human identity?" but it does so through the conventional framework of the cyberpunk genre, and so those explorations into the mind are linked to technological advancement, and so, hacking is central.
This is exactly what I miss from tech/sci-fi - so much of it becomes increasingly philosophical and abstract instead of delivering (what I think) is a good solid intriguing plot.
I don't know if you watched any of the GitS TV series, but one was unwatchable because they kept on quoting French philosophers while virtual reality. Half an episode was essentially watching people argue on chat about something young me cared nothing about. DBZ was more entertaining at that point.
I've watched them all except the latest Arise prequel series. And yes, they definitely delved into too abstract a lot. Probably my favorite anime show but a good 25% could easily be cut out.
And GITS is not? I relate more with the Laughing Man than whatever the hell happens in SEL. You know the girl is dead and her spirit lives in a computer, right? SEL has more to do with spirituality than technology while GITS is almost exclusively tech and politics focused.
I had a chance to see the new movie a week ago and was pretty blown away by the levels of future-shock I experienced. I think they did a wonderful job building off the anime and manga to re-build the GITS world in live action. The first half of that movie had me enthralled at how good of a job was done here. I really think from set-design, costume, and setting perspectives this movie on par with visual feasts from the 70s/80s like Bladerunner, Dune, Star Wars, or Alien.
Story-wise it's a poorly paced and milquetoast origin story that we've seen a million times. If this production had a more daring script I think we'd see the wisdom of trying to bring it to the big screen as live action. "Mindfuck" anime like SEL really isn't going to translate well, and trippy mindfuck stories have been beaten to death by now and are just another tiresome trope. Worse, it would have even less of an anticipated audience thus budget which would force the production into cheesy B-movie territory. It's also a non-existent franchise while GITS is an established fan favorite and for fairly valid reasons including a focus on the realpolitik of power, terrorism, technology, cybercrime, etc which a lot of other tech-oriented stories simply get wrong and lean far too often on a simplistic 'right vs wrong' moralism.
> I really think from set-design, costume, and setting perspectives this movie on par with visual feasts from the 70s/80s like Bladerunner, Dune, Star Wars, or Alien.
For those who haven't seen the live-action movie, Kotaku just put up an article showcasing some of the concept art:
>GITS is almost exclusively tech and politics focused
Tbh I really liked the spiritual themes from GitS. It's in the original movie, also in 2004 Innocence, and at the finale of 2008 Solid State Society (not going to make sense without seeing the whole anime series start to finish)
I think GiTS does a good job with its philosophical aspects, but GiTS doesn't only exist to sell a large philosophical thesis like SEL does. The philosophy is part of the over-all picture, and even then it's a minority part. SEL is just a metaphor using computers for spirituality while GiTS very much is a traditional cyberpunk work. When Section 9 is called in to stop terrorists, it's often not an excuse to pontificate on 'what is real,' often it's about other themes like the weight of history and the causes of terror, the victims of a world where technology and politics changes so quickly, how hacking in a tech dominated world can be so disruptive, and how security forces and governments respond to these threats.
Also to be fair, when we look at the original movie, it's more about AI rights than an avant-garde pondering of "dead waifus living in the ether" SEL is based on. I would classify these two things as completely different categories. One is a fairly rational take on the age old "Are AI alive" argument while the other is more or less fantasy dressed up as sci-fi.
I would also like to give a shout out to Texhnolyze and Haibane Renmei (pretty much the fantasy part of "Hard-Boiled Wonderland and the End of the World"), which have most of the same staff members from SE:L.
I never really connected "Haibane Renmei" to "Hard-Boiled Wonderland and the End of the World" but now that you mention it, the similarities are so striking. The enclosed city, the outsider lost in the 'no questions answered ever' plot, the vague feelings of past memories, the strange rituals that nobody finds strange.
I wish the new anime Yoshitoshi ABe was planning, Despera [0], would come out soon but that doesn't seem like the case.
SEL gets more than enough recognition and discussion. It is one of the top rated anime series of all time and in fact it's almost trite to discuss among anime circles. Sure, it probably won't get a Hollywood adaptation (good), but it's not obscure or looked over.
It's also not really about hacking the way a "hacker" movie is.
I think Serial Experiments is a really important cultural artifact and was devilishly prescient about how the world will change as technology integrates more and more of the information we process into a coherent system.
Not to mention all the references to Apple, Unix, and NeXTSTEP. Such as the Whisper voice being used to speak the episode name and styling of the "To Be Continued" at the end of every episode.
Well, GitS is a much larger franchise. And most of it is quite good so it deserves its praise.
But I am checking out Serial Experiments Lain right now, thanks for the recommendation! I love GitS to death and it might be my favorite anime/manga franchise but it still feels a little bit too corny every time someone gets called a Super Wizard Class Hacker.
Oh I love GitS, I just think it's the only anime that gets discussed in these circles, while others go unnoticed.
Another recommendation (though completely unrelated to the discussion) is Berserk, quite possibly the best anime/manga I have seen/read, and the manga really is a must-read after you finish the anime.
I think that was the joke. I was expecting something like that. Oooh, someone redid that for GitS? I stood there for a second processing how I just got pranked before I erupted in uproarious laughter.
https://news.ycombinator.com/item?id=10004678