

Ask HN: GitHub SSH Key Vulnerability Email Real or Hoax? - RyanMcGreal

I just received an email from support@github.com (see below). Is this real or a hoax?

------

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

# Required Action

Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

# Status

We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:

- We are forcing an audit of all existing SSH keys
- Adding a new SSH key will now prompt for your password
- We will now email you any time a new SSH key is added to your account
- You now have access to a log of account changes in your Account Settings page

Sincerely, The GitHub Team

--- https://github.com support@github.com
======
EJE
<https://github.com/settings/ssh/audit> link to site

submitted hn link <http://news.ycombinator.com/item?id=3676471>

------
cd34
If you don't remember how to generate the fingerprint for your key:

    ssh-keygen -lf .ssh/id_dsa

or

    ssh-keygen -lf .ssh/id_rsa

------
dawsdesign
It's real, they show each of your keys and ask to approve each one.

------
senthilnayagam
I too got a mail, think it is genuine

------
gry
If you pull from a GitHub repo, it prompts you to audit your keys as well.

