Random thoughts of a warped mind…

March 7, 2012

How to verify your SSH keys at github (after their mar 4 breach)

Filed under: All, Development, Git, Ruby — Srinivas @ 13:49

As most users of Github would know, Github had a security breach on March 4, 2012 due to a whitehat exploit (see Github pub key verification for details). For those into Ruby, Mass assignment in Rails is a good read as well. This exploit allows the attacker to add his public key to any existing repo and push/drop files from it.


As part of fixing this issue, Github requires all users using SSH transport to verify that the key(s) they have at Github are indeed theirs – until you verify this, all clone/pull/push from your account to Github would be disabled.
How do you verify the keys? Login to Github, go into your Accounts/SSH setup and you will see something like this:

Github key audit screen

Make a note of the fingerprint listed above (the hex number).

Now on your machine, do the following to dump your SSH keys fingerprint:
If you don’t have the public key file, generate one (from your private key):

ssh-keygen -y -f ~/.ssh/id_rsa > /tmp/id_rsa.pub

Now that you have your Public key, dump the key fingerprint to screen:

ssh-keygen -l -f /tmp/id_rsa.pub
2048 98:12:e3:5a:4a:fc:df:83:c2:72:4f:37:1d:27:3a:88 /tmp/id_rsa.pub (RSA)

(In the listing above, 2048 is your key size in bits that you defined when you generated it… the next field is the key fingerprint).

If the fingerprint listed on the Github audit page matches your local key's fingerprint, go ahead and approve it. If it doesn't, your keys have been compromised – go verify your repos to make sure nothing got added/deleted by anyone outside your team!
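The same check, done without ssh-keygen, as an added example that is not part of the original post: it parses a one-line OpenSSH public key, computes the colon-separated MD5 fingerprint that ssh-keygen -l printed in 2012 (and, going beyond the post, the SHA256 form newer versions print), and compares it with the value copied from the audit page. The sample key line is constructed and its blob is only the length-prefixed type string, not a real key.

```python
import base64
import hashlib
import re

# Constructed sample: a public key line in OpenSSH format. The blob is only
# the length-prefixed type string "ssh-rsa", not a real key; replace it with
# the contents of your own id_rsa.pub.
SAMPLE_PUB_LINE = "ssh-rsa AAAAB3NzaC1yc2E= srinivas@example (constructed)"


def parse_public_key_line(line):
    """Return (key_type, blob_bytes) from a one-line OpenSSH public key.

    Rejects lines whose base64 blob does not start with the length-prefixed
    key type, which is how a pasted or truncated key usually breaks.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    prefix = len(key_type).to_bytes(4, "big") + key_type.encode()
    if not blob.startswith(prefix):
        raise ValueError("blob does not encode key type %r" % key_type)
    return key_type, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 hex, the format ssh-keygen -l printed in 2012."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """SHA256 form printed by newer ssh-keygen (base64, no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_match(shown, local):
    """Compare the value copied from the audit page with the local one,
    ignoring case, surrounding whitespace and an optional 'MD5:' prefix."""
    def norm(s):
        return re.sub(r"^md5:", "", s.strip().lower())
    return norm(shown) == norm(local)


def audit_local_key(line, fingerprint_from_github):
    """True only if the local key's MD5 fingerprint equals the one shown."""
    _, blob = parse_public_key_line(line)
    return fingerprints_match(fingerprint_from_github, md5_fingerprint(blob))


if __name__ == "__main__":
    _, blob = parse_public_key_line(SAMPLE_PUB_LINE)
    print(md5_fingerprint(blob))
    print(sha256_fingerprint(blob))
```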
