dolmen / github-keygen

Easy creation of secure SSH configuration for your GitHub account(s)
GNU General Public License v3.0

Add information about GitHub SSH RSA revocation #51

Open dolmen opened 1 year ago

dolmen commented 1 year ago

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

Users of github-keygen before v1.306 ARE affected by this issue. Users can check with this command:

```sh
$ cat ~/.ssh/known_hosts_github
```

Users of github-keygen v1.306 (published on June 6th 2022) are not affected as github-keygen has switched to the ed-25519 key in ~/.ssh/known_hosts_github. This is what you should get:

```sh
$ cat ~/.ssh/known_hosts_github
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
gist.github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
[ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
```

I had switched to ed-25519 in 387b64445b0587789dd9e7e7cf6dfaefbc39eb36 (v1.306).

To fix the issue:

```sh
$ curl --silent https://raw.githubusercontent.com/dolmen/github-keygen/release/github-keygen | perl
```

Note that the use of curl for the upgrade is on purpose: if the user had an old copy of github-keygen made with `git clone` and the remote is configured using SSH, a `git remote update && git rebase` would not work because of the revoked SSH key. So, in this case, I consider that curl over https is safer as long as your curl version is recent and your local repository of TLS certificates is up to date.
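An added example (not part of github-keygen) that automates the check described in the comment: it audits a `known_hosts_github` file and reports every GitHub host entry that is not the ed25519 key shown above, returning 1 when a re-run of github-keygen is needed. Hashed `known_hosts` entries (`|1|...`) are assumed not to be present, as github-keygen writes plain host names.

```shell
#!/bin/sh
# Added example, not github-keygen's own code: audit a known_hosts_github
# file for the ed25519 GitHub host key that github-keygen >= v1.306 writes.

# The ed25519 public key for github.com as listed in the issue comment.
GITHUB_ED25519='AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl'

# check_github_known_hosts FILE
# Returns 0 when every GitHub host entry carries the expected ed25519 key,
# 1 when any GitHub entry is stale or of another key type, 2 when FILE
# cannot be read. Non-GitHub hosts in the file are ignored.
check_github_known_hosts() {
    file="$1"
    [ -r "$file" ] || { echo "missing: $file"; return 2; }
    bad=0
    # read splits each line into host, key type, key and trailing comment;
    # the '|| [ -n ... ]' clause also handles a last line without newline.
    while read -r host type key _rest || [ -n "$host" ]; do
        case "$host" in
            ''|'#'*) continue ;;                  # blank line or comment
            github.com|*.github.com|\[*.github.com\]:*) ;;  # GitHub hosts
            *) continue ;;                        # anything else: ignore
        esac
        if [ "$type" = "ssh-ed25519" ] && [ "$key" = "$GITHUB_ED25519" ]; then
            echo "ok:    $host ($type)"
        else
            echo "stale: $host ($type) -- not the expected ed25519 key, re-run github-keygen"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# When run as a script: sh audit-github-hosts.sh ~/.ssh/known_hosts_github
if [ $# -gt 0 ]; then
    check_github_known_hosts "$1"
    exit $?
fi
```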