GitHub 要求全面檢查 SSH Key

红薯
 红薯
发布于 2012年03月08日
收藏 2

在 GitHub 被攻擊成功後 (參考 GitHub 官方所說的「Public Key Security Vulnerability and Mitigation」這篇),官方除了把漏洞修補完以外,接下來做了更積極的措施:暫停所有的 SSH key 存取權限,一律等到用戶 audit 確認過後才開放:「SSH Key Audit」。

這次 GitHub 除了修正問題、audit key 以外,另外還提出了新的機制讓用戶更容易發現異常存取行為,包括了:

  • 新增 SSH public key 時要輸入密碼。
  • 新增 SSH public key 成功後會寄信通知。
  • 新增「Security History」頁面可以看到帳戶的安全狀況。

算是很積極補救的作法。

另外說明,要如何 audit key,也就是要如何取得你的 public key fingerprint:

ssh-keygen -lf .ssh/id_rsa.pub (如果你是用 RSA)
或是
ssh-keygen -lf .ssh/id_dsa.pub (如果你是用 DSA)

出現的訊息就是你要比對的值。記住!既然是 audit,請一個一個比對確認 fingerprint 全部都正確。

附上原始信件:(好像還沒在 blog 上說明)

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

# Required Action

Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

# Status

We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:

- We are forcing an audit of all existing SSH keys
- Adding a new SSH key will now prompt for your password
- We will now email you any time a new SSH key is added to your account
- You now have access to a log of account changes in your Account Settings page
Sincerely, The GitHub Team

— https://github.com support@github.com

文/gslin.org

本站文章除注明转载外,均为本站原创或编译。欢迎任何形式的转载,但请务必注明出处,尊重他人劳动共创开源社区。
转载请注明:文章转载自 OSCHINA 社区 [http://www.oschina.net]
本文标题:GitHub 要求全面檢查 SSH Key
加载中

最新评论(19

ddatsh
ddatsh
群英汇蒋鑫:GitHub的危机紧急响应做的很赞。先收到邮件告知GitHub存在公钥注入风险,再发现公钥认证失效,然后登录GitHub确认公钥有效性以便重新建立授权。
f
fooling
收到邮件, 让人放心
yyliu
yyliu
刚收到邮件,从来都是https用github的
aiasfina
aiasfina
今天用SSH的时候提示了..
RickyFeng
RickyFeng

引用来自“hokim”的评论

也收到邮件了

SSH KEY 我有加密码,拿到我的Public key也改不了资料
hokim
hokim
也收到邮件了
ValueError
ValueError
表示被强制重新导入了公钥
答复哈
答复哈
搞掂~
返回顶部
顶部