

GitHub SSH key audit - spicyj

Just got this email:

  A security vulnerability was recently discovered that made it possible
  for an attacker to add new SSH keys to arbitrary GitHub user accounts.
  This would have provided an attacker with clone/pull access to
  repositories with read permissions, and clone/pull/push access to
  repositories with write permissions. As of 5:53 PM UTC on Sunday,
  March 4th the vulnerability no longer exists.

  While no known malicious activity has been reported, we are taking
  additional precautions by forcing an audit of all existing SSH keys.

  # Required Action

  Since you have one or more SSH keys associated with your GitHub
  account you must visit https://github.com/settings/ssh/audit to
  approve each valid SSH key.

  Until you have approved your SSH keys, you will be unable to
  clone/pull/push your repositories over SSH.

  # Status

  We take security seriously and recognize this never should have
  happened. In addition to a full code audit, we have taken the
  following measures to enhance the security of your account:

  - We are forcing an audit of all existing SSH keys
  - Adding a new SSH key will now prompt for your password
  - We will now email you any time a new SSH key is added to your
    account
  - You now have access to a log of account changes in your Account
    Settings page

  Sincerely, The GitHub Team

  --- https://github.com support@github.com
======
ldh
I wasn't sure how to verify that I recognized my keys at first. To save anyone
else a bit of time googling, you want to run "ssh-keygen -lf your_key.pub"
against your local copy of the key to generate the fingerprint and compare
that to what GitHub shows you.
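
The check ldh describes, written out as an added example (not ldh's code or GitHub's): it does what "ssh-keygen -lf" does to a .pub line, i.e. base64-decodes the key blob and hashes it, then compares the fingerprints GitHub shows against the ones computed from local keys so that any fingerprint with no local match stands out as a key to remove rather than approve. The sample keys are constructed and not real; the colon-separated MD5 form is what ssh-keygen printed in 2012 and the SHA256 form is what newer versions print.

```python
import base64
import hashlib
import struct

def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (key_type, raw_blob, comment);
    the decoded blob's first length-prefixed string repeats the key type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])  # uint32 length, then the type string
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match prefix")
    return key_type, blob, comment

def md5_fingerprint(blob):
    """Colon-separated MD5 hex digest of the blob (ssh-keygen -lf output in 2012)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def sha256_fingerprint(blob):
    """'SHA256:' + unpadded base64 digest (newer ssh-keygen default)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit(local_lines, shown_fingerprints):
    """Map each fingerprint shown by the service to "approve" if it matches a
    local key and "unrecognized" otherwise; unrecognized keys should be deleted."""
    local = {md5_fingerprint(parse_pubkey_line(l)[1]) for l in local_lines}
    return {fp: ("approve" if fp in local else "unrecognized") for fp in shown_fingerprints}

def _make_ed25519_line(fill_byte, comment):
    # Constructed sample: syntactically valid ssh-ed25519 line with a fake
    # 32-byte public key. Real use would read ~/.ssh/*.pub instead.
    pub = bytes([fill_byte]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

LOCAL_KEYS = [_make_ed25519_line(1, "laptop"), _make_ed25519_line(2, "desktop")]

if __name__ == "__main__":
    for line in LOCAL_KEYS:
        t, blob, c = parse_pubkey_line(line)
        print(t, md5_fingerprint(blob), sha256_fingerprint(blob), c)
```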

------
jgrahamc
It would be interesting to hear about what the vulnerability was. Was this yet
another Rails-related security problem?

~~~
spicyj
Did you miss the posts from the last few days?

<https://gist.github.com/1978249>

