
GitHub revokes duplicate SSH authentication keys related to library bug


GitHub revoked weak SSH authentication keys generated using a library that incorrectly created duplicate RSA key pairs.

GitHub allows you to authenticate to their service without a username and password using the SSH protocol. To do this, users would generate an SSH key pair and add the public key to the SSH key setting of their accounts.

Add an SSH key to GitHub

Once the key is added to your account, you can use it with a Git client to automatically log into GitHub without entering a username and password.

GitHub revokes weak SSH keys

Today, in a coordinated disclosure between GitHub and Axosoft, LLC, the creators of the popular GitKraken Git client, GitHub said it revoked weak SSH keys generated by the "keypair" library used by the software.

“An underlying problem with a dependency, called keypair, resulted in weak SSH keys being generated by the GitKraken client. This issue affected versions 7.6.x, 7.7.x and 8.0.0 of the GitKraken client, and you can read the disclosure from GitKraken on their blog,” GitHub revealed today in a new security advisory.

Keypair is a JavaScript library that allows the programmatic generation of SSH keys.

A bug in the library’s pseudo-random number generator caused it to produce duplicate RSA key pairs for different users. Because two users could end up holding the same private key, one of them could authenticate to GitHub as the other wherever that shared public key had been registered.

“A bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow weak RSA key generation. This could allow an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. We recommend that you replace any RSA keys that were generated using version 1.0.3 or earlier of keypair,” says the keypair advisory.

The bug was discovered by Axosoft engineer Dan Suceava, “who noticed that the key pair regularly generated duplicate RSA keys.”
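The duplicate-key problem described above is visible from public keys alone: two accounts registering the same public key share the same fingerprint, which is what lets a service detect the collision and what lets a user match a revocation notice against the keys in their own account. The following Python script is an added example, not code from GitHub, Axosoft or the keypair project. It builds OpenSSH `ssh-rsa` public-key lines from a modulus and exponent (the sample moduli are constructed, not real keys), computes the standard `SHA256:` fingerprint, and flags any fingerprint that appears under more than one account, which is the check a service operator or administrator would run over a set of registered keys.

```python
import base64
import hashlib
from collections import defaultdict

# --- OpenSSH wire-format helpers (RFC 4253 string / mpint encodings) ---

def _ssh_string(data: bytes) -> bytes:
    """uint32 big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def _ssh_mpint(n: int) -> bytes:
    """Positive multiprecision integer; a leading 0x00 is added when the
    high bit is set so the value is not read as negative."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(body)

def ssh_rsa_public_line(e: int, n: int, comment: str) -> str:
    """Render an RSA public key as a one-line OpenSSH authorized_keys entry."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# --- Fingerprinting and duplicate detection ---

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints it.
    Only the key blob is hashed, so the comment field is irrelevant."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_duplicate_keys(accounts: dict) -> dict:
    """Map each fingerprint registered by more than one distinct account
    to the sorted list of those accounts. `accounts` maps an account name
    to the list of public-key lines registered for it."""
    owners = defaultdict(set)
    for account, key_lines in accounts.items():
        for line in key_lines:
            owners[fingerprint(line)].add(account)
    return {fp: sorted(users) for fp, users in owners.items() if len(users) > 1}

def revoked_keys_for_account(key_lines: list, revoked_fingerprints: set) -> list:
    """Return the public-key lines from one account whose fingerprint is in a
    revocation list, e.g. the fingerprints named in a provider's notice."""
    return [line for line in key_lines if fingerprint(line) in revoked_fingerprints]

# --- Constructed sample data (NOT real RSA keys; moduli are arbitrary ints) ---
# alice and bob hold the same modulus, simulating a generator whose weak PRNG
# handed two users the same key pair; carol's key is distinct.
SHARED_MODULUS = 0xC3F1A9D2B7E5F0A1_5D4C3B2A1908F7E6_D5C4B3A29180F7E6
OTHER_MODULUS = 0xA1B2C3D4E5F60718_293A4B5C6D7E8F90_1122334455667788

SAMPLE_ACCOUNTS = {
    "alice": [ssh_rsa_public_line(65537, SHARED_MODULUS, "alice@laptop")],
    "bob":   [ssh_rsa_public_line(65537, SHARED_MODULUS, "bob@desktop")],
    "carol": [ssh_rsa_public_line(65537, OTHER_MODULUS, "carol@work")],
}

if __name__ == "__main__":
    for fp, users in find_duplicate_keys(SAMPLE_ACCOUNTS).items():
        print(f"duplicate key {fp} registered by: {', '.join(users)}")
    # A user can run the same check against the fingerprints in a revocation notice.
    notice = {fingerprint(SAMPLE_ACCOUNTS["alice"][0])}
    print("bob's revoked keys:", revoked_keys_for_account(SAMPLE_ACCOUNTS["bob"], notice))
```

The fingerprint matches what `ssh-keygen -lf` reports for the same line, because both hash the decoded key blob and ignore the comment, so a key registered under two different comments is still recognised as one key. For a user responding to a revocation notice, `revoked_keys_for_account` is the local side of the same comparison.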

To protect its users, GitHub revoked all keys generated by GitKraken at 5:00 p.m. UTC or 1:00 p.m. EST.

GitHub has also revoked other potentially weak keys created by other customers using the same keypair library.

Users whose keys have been revoked are being notified by GitHub and advised to review their SSH keys and replace any that were generated by the vulnerable library.

Axosoft recommends that users of their software generate new SSH keys using GitKraken 8.0.1, or later, for each Git service provider.
