GitHub Requires a Full Audit of All SSH Keys

Posted by openkk 12 years ago | 10K views | GitHub

After GitHub was attacked through a Rails vulnerability (one that let an attacker add SSH keys to arbitrary user accounts), the team did not stop at patching the hole. It took a more aggressive step: access for every existing SSH key was suspended, and a key is re-enabled only after its owner has audited and confirmed it. See: SSH Key Audit.

Besides fixing the bug and forcing the key audit, GitHub also introduced new mechanisms that make it easier for users to notice anomalous access to their account, including:

  • Adding an SSH public key now requires entering your account password.
  • A notification email is sent whenever an SSH public key is added successfully.
  • A new Security History page shows the security-relevant changes to your account.

These are fairly aggressive remediation measures.

A further note on how to audit your keys, i.e. how to obtain the fingerprint of each of your public keys:

  • ssh-keygen -lf .ssh/id_rsa.pub (if you use RSA)
  • ssh-keygen -lf .ssh/id_dsa.pub (if you use DSA)

The fingerprint in the output is the value to compare against the audit page. (OpenSSH 6.8 and later print a SHA256 fingerprint by default; to get the colon-separated MD5 form that the audit page showed at the time, add -E md5.) Remember: this is an audit, so go through the keys one by one and confirm that every fingerprint listed on your account matches a key you actually own. A fingerprint on the account that matches none of your local keys is exactly what the audit is meant to catch, and it must be rejected, not approved.
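To make the comparison above concrete, here is an added example (not code from the original post, from GitHub, or from the blog's author) that reproduces what ssh-keygen -l computes: the fingerprint is simply a hash of the decoded base64 blob of the public key, in MD5 colon-hex form (the 2012-era output) or SHA256 base64 form (the modern default). It then runs the audit logic: every local key is matched against the fingerprints listed on the account, and any listed fingerprint that no local key produces is flagged as unknown. The sample key, its toy modulus, the comment alice@laptop and the second "listed" fingerprint are all constructed for the example.

```python
"""Compute OpenSSH public-key fingerprints and check them against the list of
fingerprints approved on the GitHub audit page.

Added example for this post, not code from GitHub or from the original blog.
The sample key is constructed in-line so the script runs offline.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a byte string: big-endian uint32 length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire encoding of a positive integer (RFC 4251 mpint): minimal
    big-endian bytes, with a leading 0x00 when the top bit would be set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_public_blob(e: int, n: int) -> bytes:
    """Binary body of an ssh-rsa key: string "ssh-rsa", mpint e, mpint n.
    This is what the base64 field of an id_rsa.pub line decodes to, and it is
    the exact input that ssh-keygen -l hashes."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


# Constructed sample key (NOT a real key): a toy modulus keeps the example
# self-contained; fingerprinting a 2048-bit key works identically.
SAMPLE_MODULUS = 0xC0FFEE0DECAF0BAD0F00D0123456789ABCDEF
SAMPLE_BLOB = build_rsa_public_blob(65537, SAMPLE_MODULUS)
SAMPLE_PUB_LINE = "ssh-rsa %s alice@laptop" % base64.b64encode(SAMPLE_BLOB).decode("ascii")


def parse_public_key_line(line: str):
    """Split a .pub / authorized_keys line into (type, blob, comment) and
    verify the type embedded in the blob matches the declared type, which
    catches a line whose prefix was edited by hand."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode("ascii")
    if inner_type != key_type:
        raise ValueError("declared %s but blob encodes %s" % (key_type, inner_type))
    return key_type, blob, comment


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 hex: the format ssh-keygen -l printed in 2012 and
    the one the audit page showed then (ssh-keygen -E md5 prints the same
    digits behind an 'MD5:' prefix today)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Unpadded base64 of SHA-256: the ssh-keygen default since OpenSSH 6.8."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def audit(local_pub_lines, approved_fingerprints):
    """Match each local public key against the fingerprints listed on the
    account. Every listed fingerprint that no local key produces is reported
    as unknown: in the incident above that would be the attacker-added key,
    and it must be rejected rather than approved."""
    approved = set()
    for fp in approved_fingerprints:
        approved.add(fp[4:] if fp.startswith("MD5:") else fp)
    report = {}
    matched_all = set()
    for line in local_pub_lines:
        key_type, blob, comment = parse_public_key_line(line)
        matched = {fingerprint_md5(blob), fingerprint_sha256(blob)} & approved
        matched_all |= matched
        report[comment or key_type] = "approved" if matched else "not on account"
    for fp in sorted(approved - matched_all):
        report[fp] = "UNKNOWN KEY: reject"
    return report


if __name__ == "__main__":
    # Constructed scenario: the account lists our key plus one we never added.
    listed = [fingerprint_sha256(SAMPLE_BLOB),
              "SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"]
    for name, status in audit([SAMPLE_PUB_LINE], listed).items():
        print("%-50s %s" % (name, status))
```

To use it against a real account, feed audit() the contents of your ~/.ssh/*.pub files and the fingerprints copied from the audit page; the hashes it computes are the same ones ssh-keygen -lf (with or without -E md5) prints, so the two can be cross-checked.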

The original email is attached below:

Quote
A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.
While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.
# Required Action
Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.
Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.
# Status
We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:
- We are forcing an audit of all existing SSH keys
- Adding a new SSH key will now prompt for your password
- We will now email you any time a new SSH key is added to your account
- You now have access to a log of account changes in your Account Settings page
Sincerely, The GitHub Team
— https://github.com support@github.com

Source: Gea-Suan Lin's BLOG
