Ubuntu Python mysql google java Windows 程序员 Firefox linux php shell nginx linux命令 wordpress Android centos apache 微软 HTML5 开源

GitHub 要求全面检查 SSH Key

在 GitHub 被攻击成功后 (参考 GitHub 官方所说的「Public Key Security Vulnerability and Mitigation」这篇),官方除了把漏洞修补完以外,接下来做了更积极的措施:暂停所有的 ssh key 存取权限,一律等到用户 audit 确认过后才开放:「SSH Key Audit」。

这次 GitHub 除了修正问题、audit key 以外,另外还提出了新的机制让用户更容易发现异常存取行為,包括了:

  • 新增 SSH public key 时要输入密码。
  • 新增 SSH public key 成功后会寄信通知。
  • 新增「Security History」页面可以看到帐户的安全状况。

算是狠积极补救的作法。另外说明,要如何 audit key,也就是要如何取得你的 public key fingerprint:

ssh-keygen -lf .ssh/id_rsa.pub (如果你是用 RSA)
ssh-keygen -lf .ssh/id_dsa.pub (如果你是用 DSA)

出现的讯息就是你要比对的值。记住!既然是 audit,请一个一个比对确认 fingerprint 全部都正确。

附上原始信件:(好像还没在 blog 上说明)

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. as of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

# Required Action

Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

# Status

We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:

  • We are forcing an audit of all existing SSH keys
  • Adding a new SSH key will now prompt for your password
  • We will now email you any time a new SSH key is added to your account
  • You now have access to a log of account changes in your Account Settings page

Sincerely, The GitHub Team

— https://github.com support@github.com