On the Security of SSH Client Signatures

📅 2025-09-11
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work exposes a long-overlooked security vulnerability in SSH client-side signature generation. Addressing the challenge of assessing client public keys and signatures—largely inaccessible to Internet-wide scanning—we systematically collect over 31.6 million publicly exposed SSH keys from GitHub and other platforms. Leveraging longitudinal analysis and black-box experiments, we evaluate the RSA, EdDSA, and ECDSA implementations across 24 mainstream SSH clients. Our analysis uncovers, for the first time, a deterministic nonce-generation flaw in PuTTY’s ECDSA implementation, enabling private-key recovery from just 58 signatures—prompting the CVE-2024-31497 patch. We further identify 98 short-length keys, 139 weak-randomness keys, and 149 keys containing small prime factors. This study advances SSH client signature security from opaque “black-box” assumptions toward quantifiable, empirical assessment, and empirically confirms EdDSA’s emergence as the dominant modern signature scheme.

📝 Abstract
Administrators and developers use SSH client keys and signatures for authentication, for example, to access internet backbone servers or to commit new code on platforms like GitHub. However, unlike servers, SSH clients cannot be measured through internet scans. We close this gap in two steps. First, we collect SSH client public keys. Such keys are regularly published by their owners on open development platforms like GitHub and GitLab. We systematize previous non-academic work by subjecting these keys to various security tests in a longitudinal study. Second, in a series of black-box lab experiments, we analyze the implementations of algorithms for SSH client signatures in 24 popular SSH clients for Linux, Windows, and macOS. We extracted 31,622,338 keys from three public sources in two scans. Compared to previous work, we see a clear tendency to abandon RSA signatures in favor of EdDSA signatures. Still, in January 2025, we found 98 broken short keys, 139 keys generated from weak randomness, and 149 keys with common or small factors; the large majority of the retrieved keys exposed no weakness. Weak randomness can not only compromise a secret key through its public key, but also through signatures. It is well-known that a bias in random nonces in ECDSA can reveal the secret key through public signatures. For the first time, we show that the use of deterministic nonces in ECDSA can also be dangerous: The private signing key of a PuTTY client can be recovered from just 58 valid signatures if ECDSA with NIST curve P-521 is used. PuTTY acknowledged our finding in CVE-2024-31497, and they subsequently replaced the nonce generation algorithm.
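As an added illustration (not code from the paper), two of the public-key tests the abstract names, short RSA moduli and moduli sharing a common factor, applied to OpenSSH-format `ssh-rsa` lines of the kind users publish on GitHub; the encoder, the pairwise-GCD audit and the toy Mersenne primes are constructed for this example, and a real audit over millions of keys would use a batch-GCD algorithm rather than the O(n^2) pairwise loop shown here.

```python
import base64
import struct
from math import gcd

P, Q, R = 2**61 - 1, 2**89 - 1, 2**107 - 1  # constructed toy primes, far too small for real keys

def _string(b):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    """SSH wire 'mpint': big-endian two's complement, so prepend 0x00 when the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + b if b[0] & 0x80 else b)

def encode_rsa_pubkey(e, n, comment="constructed"):
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line, as found on GitHub."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_rsa_pubkey(line):
    """Return (e, n) from an 'ssh-rsa' line, or None for any other key type."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob, off, parts = base64.b64decode(fields[1]), 0, []
    for _ in range(3):  # wire layout: string "ssh-rsa", mpint e, mpint n
        (length,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if parts[0] != b"ssh-rsa":
        return None
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")

def audit_rsa_keys(lines, min_bits=2048):
    """Flag short moduli and pairs of moduli sharing a prime factor (pairwise GCD)."""
    keys = [(i, k[1]) for i, k in enumerate(map(parse_rsa_pubkey, lines)) if k]
    findings = [("short", i, n.bit_length()) for i, n in keys if n.bit_length() < min_bits]
    for a in range(len(keys)):
        for b in range(a + 1, len(keys)):
            g = gcd(keys[a][1], keys[b][1])
            if 1 < g < keys[a][1]:  # a non-trivial shared factor exposes both private keys
                findings.append(("common_factor", keys[a][0], keys[b][0]))
    return findings

# Constructed sample: three toy RSA keys, each pair sharing one prime, plus a non-RSA key that is skipped.
SAMPLE_KEYS = [encode_rsa_pubkey(65537, P * Q), encode_rsa_pubkey(65537, P * R),
               encode_rsa_pubkey(65537, Q * R), "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA== ignored"]
```

Running `audit_rsa_keys(SAMPLE_KEYS)` flags all three toy keys as short and reports every pair as sharing a factor; on real keys a `common_factor` finding means both moduli can be factored from public data alone.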
Problem

Research questions and friction points this paper is trying to address.

Assessing SSH client key security through public key collection
Analyzing SSH client signature implementations in 24 popular clients
Identifying vulnerabilities in ECDSA nonce generation affecting private keys
Innovation

Methods, ideas, or system contributions that make the work stand out.

Collected SSH client public keys from open platforms
Analyzed SSH client signature implementations in 24 clients
Discovered deterministic nonce vulnerability in PuTTY ECDSA