0xdeadbeefnetwork/ssh-keysign-pwn
Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
View Origin LinkProduct Positioning & Context
Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
Related Ecosystem & Alternatives
Discover adjacent products, open-source repositories, and developer tools sharing similar technical architecture.
Deep-Dive FAQs
What is 0xdeadbeefnetwork/ssh-keysign-pwn?
0xdeadbeefnetwork/ssh-keysign-pwn is a digital product or tool described as: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
Where did 0xdeadbeefnetwork/ssh-keysign-pwn originate?
Data for 0xdeadbeefnetwork/ssh-keysign-pwn was aggregated directly from the GitHub Open Source community ecosystem, representing raw developer and early-adopter sentiment.
When was 0xdeadbeefnetwork/ssh-keysign-pwn publicly launched?
The initial public indexing or launch date for 0xdeadbeefnetwork/ssh-keysign-pwn within our tracked developer communities was recorded on May 14, 2026.
How popular is 0xdeadbeefnetwork/ssh-keysign-pwn?
0xdeadbeefnetwork/ssh-keysign-pwn has achieved measurable traction, logging over 693 traction score and facilitating 85 recorded discussions or engagements.
Are there active development issues for 0xdeadbeefnetwork/ssh-keysign-pwn?
Yes, we are currently tracking open architectural debates and bug reports for this project on GitHub. There are currently 2 active high-priority issues logged recently.
How does the creator describe 0xdeadbeefnetwork/ssh-keysign-pwn?
The original author or development team describes the product as follows: "Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels."
Active Developer Issues (GitHub)
Logged: May 15, 2026
Logged: May 15, 2026
Community Voice & Feedback
>apparently it does not block all cases https://www.openwall.com/lists/oss-security/2026/05/15/5
The [reply to that post from Qualsys](https://www.openwall.com/lists/oss-security/2026/05/15/8) indicates that it actually does block all known cases, and it's likely to block all of them. The reason is this note in the [pidfd_getfd man page](https://man7.org/linux/man-pages/man2/pidfd_getfd.2.html):
>The ability to use pidfd_getfd() is restricted by a PTRACE_MODE_ATTACH_REALCREDS ptrace access mode check.
Setting `/proc/sys/kernel/yama/ptrace_scope` to `2` removes that ability. From the [ptrace man page](https://man.archlinux.org/man/ptrace.2.en), setting it to `2` means:
>Only processes with the CAP_SYS_PTRACE capability in the user namespace of the target process may perform PTRACE_MODE_ATTACH operations
That said, the comment after that is probably relevant:
>With respect to values 1 and 2, note that creating a new user namespace effectively removes the protection offered by Yama....
The [reply to that post from Qualsys](https://www.openwall.com/lists/oss-security/2026/05/15/8) indicates that it actually does block all known cases, and it's likely to block all of them. The reason is this note in the [pidfd_getfd man page](https://man7.org/linux/man-pages/man2/pidfd_getfd.2.html):
>The ability to use pidfd_getfd() is restricted by a PTRACE_MODE_ATTACH_REALCREDS ptrace access mode check.
Setting `/proc/sys/kernel/yama/ptrace_scope` to `2` removes that ability. From the [ptrace man page](https://man.archlinux.org/man/ptrace.2.en), setting it to `2` means:
>Only processes with the CAP_SYS_PTRACE capability in the user namespace of the target process may perform PTRACE_MODE_ATTACH operations
That said, the comment after that is probably relevant:
>With respect to values 1 and 2, note that creating a new user namespace effectively removes the protection offered by Yama....
See https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/issues/4, apparently it does not block all cases https://www.openwall.com/lists/oss-security/2026/05/15/5
```
chmod u-s /usr/bin/chage
chmod u-s /usr/libexec/ssh-keysign
chmod u-s /usr/libexec/openssh/ssh-keysign
chmod u-s /usr/lib/ssh/ssh-keysign
chmod u-s /usr/lib/openssh/ssh-keysign
```
Only chage should cause a bit of trouble for modern systems; ssh-keysign should not be used anywhere on a modern system.
chmod u-s /usr/bin/chage
chmod u-s /usr/libexec/ssh-keysign
chmod u-s /usr/libexec/openssh/ssh-keysign
chmod u-s /usr/lib/ssh/ssh-keysign
chmod u-s /usr/lib/openssh/ssh-keysign
```
Only chage should cause a bit of trouble for modern systems; ssh-keysign should not be used anywhere on a modern system.
https://www.openwall.com/lists/oss-security/2026/05/15/5
Ah, that sucks. Good find @brianmay.
At least while testing, it did prevent the POC noted in this github repo on Alma9 and Alma10.
At least while testing, it did prevent the POC noted in this github repo on Alma9 and Alma10.
https://www.openwall.com/lists/oss-security/2026/05/15/3
"Please note that despite the commit title and contents, it is not
exclusive to ptrace, and ptrace restriction mechanisms will not help
here."
"Please note that despite the commit title and contents, it is not
exclusive to ptrace, and ptrace restriction mechanisms will not help
here."
Doesn't appear to be. At least it looks like we can mitigate this via:
```
sysctl -w kernel.yama.ptrace_scope=2
```
Tested it on `6.12.0-124.49.1.el10_1.x86_64`
https://www.kernel.org/doc/Documentation/security/Yama.txt
Do not blindly paste that as non-root user things which utilise ptrace will effectively break.
Edit again - see: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/issues/1#issuecomment-4461497067
```
sysctl -w kernel.yama.ptrace_scope=2
```
Tested it on `6.12.0-124.49.1.el10_1.x86_64`
https://www.kernel.org/doc/Documentation/security/Yama.txt
Do not blindly paste that as non-root user things which utilise ptrace will effectively break.
Edit again - see: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/issues/1#issuecomment-4461497067
Discovery Source
GitHub Open Source Aggregated via automated community intelligence tracking.
Tech Stack Dependencies
No direct open-source NPM package mentions detected in the product documentation.
Media Tractions & Mentions
No mainstream media stories specifically mentioning this product name have been intercepted yet.
Deep Research & Science
No direct peer-reviewed scientific literature matched with this product's architecture.
SaaS Metrics