
GitHub Open Source 0xdeadbeefnetwork/ssh-keysign-pwn

Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.

Traction Score: 693
Forks: 85
Launch Date: May 14, 2026

Deep-Dive FAQs

What is 0xdeadbeefnetwork/ssh-keysign-pwn?
0xdeadbeefnetwork/ssh-keysign-pwn is a digital product or tool described as: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
Where did 0xdeadbeefnetwork/ssh-keysign-pwn originate?
Data for 0xdeadbeefnetwork/ssh-keysign-pwn was aggregated directly from the GitHub Open Source community ecosystem, representing raw developer and early-adopter sentiment.
When was 0xdeadbeefnetwork/ssh-keysign-pwn publicly launched?
The initial public indexing or launch date for 0xdeadbeefnetwork/ssh-keysign-pwn within our tracked developer communities was recorded on May 14, 2026.
How popular is 0xdeadbeefnetwork/ssh-keysign-pwn?
0xdeadbeefnetwork/ssh-keysign-pwn has achieved measurable traction, with a traction score of over 693 and 85 recorded discussions or engagements.
Are there active development issues for 0xdeadbeefnetwork/ssh-keysign-pwn?
Yes, we are currently tracking open architectural debates and bug reports for this project on GitHub. There are currently 2 active high-priority issues logged recently.
How does the creator describe 0xdeadbeefnetwork/ssh-keysign-pwn?
The original author or development team describes the product as follows: "Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels."

Active Developer Issues (GitHub)

open `kernel.yama.ptrace_scope = 2` looks like a promising way to mitigate
Logged: May 15, 2026
open Is this actually fixed in any stable release?
Logged: May 15, 2026

Community Voice & Feedback

WMP • May 15, 2026
```
chmod u-s /usr/bin/chage
chmod u-s /usr/libexec/ssh-keysign
chmod u-s /usr/libexec/openssh/ssh-keysign
chmod u-s /usr/lib/ssh/ssh-keysign
chmod u-s /usr/lib/openssh/ssh-keysign
```

Only chage should cause a bit of trouble for modern systems; ssh-keysign should not be used anywhere on a modern system.
0xdeadbeefnetwork • May 15, 2026
https://www.openwall.com/lists/oss-security/2026/05/15/5
mty22 • May 15, 2026
Ah, that sucks. Good find @brianmay.

At least while testing, it did prevent the POC noted in this GitHub repo on Alma9 and Alma10.
brianmay • May 15, 2026
https://www.openwall.com/lists/oss-security/2026/05/15/3

"Please note that despite the commit title and contents, it is not
exclusive to ptrace, and ptrace restriction mechanisms will not help
here."
mty22 • May 15, 2026
Doesn't appear to be. At least it looks like we can mitigate this via:

```
sysctl -w kernel.yama.ptrace_scope=2
```

Tested it on `6.12.0-124.49.1.el10_1.x86_64`

https://www.kernel.org/doc/Documentation/security/Yama.txt

Do not blindly paste that, as non-root user things which utilise ptrace will effectively break.

Edit again - see: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/issues/1#issuecomment-4461497067

Discovery Source

GitHub Open Source

Aggregated via automated community intelligence tracking.
