GitHub – SSH Key Vulnerability

I just received an email from GitHub about an SSH key vulnerability. It was not an attempt to break down GitHub, though. But nobody took Homakov’s concern seriously. So, he did it. I just wanted to give him a big shout-out for helping to make GitHub stronger.

So, I’m going to approve all my public SSH keys.

Here is the mail I’ve received.

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

# Required Action

Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

# Status

We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:

– We are forcing an audit of all existing SSH keys
– Adding a new SSH key will now prompt for your password
– We will now email you any time a new SSH key is added to your account
– You now have access to a log of account changes in your Account Settings page

Sincerely, The GitHub Team

— https://github.com support@github.com

About the author

Prasanna SP

Student | WordPress Dev | Tech Blogger | Interested in GNU/Linux, FOSS, PHP, Drupal, WordPress, Ethical hacking, Photography, Painting, Literature etc..

Permanent link to this article: http://www.prasannasp.net/github-ssh-key-vulnerability/