GitHub revoked weak SSH authentication keys generated using a library that incorrectly created duplicate RSA key pairs.
GitHub allows you to authenticate to their service without a username and password using the SSH protocol. To do this, users would generate an SSH key pair and add the public key to the SSH key setting of their accounts.
Once the key is added to your account, you can use it with a Git client to automatically log into GitHub without entering a username and password.
GitHub revokes weak SSH keys
Today, in a coordinated disclosure between GitHub and Axosoft, LLC, the creators of the popular GitKraken Git client, GitHub said it revoked weak SSH keys generated by the “keypair” library used by the software.
“An underlying problem with a dependency, called keypair, resulted in weak SSH keys being generated by the GitKraken client. This issue affected versions 7.6.x, 7.7.x and 8.0.0 of the GitKraken client, and you can read the disclosure from GitKraken on their blog,” GitHub revealed today in a new security advisory.
A bug in the library’s pseudo-random number generator allowed duplicate RSA keys to be generated, so a user holding one of these keys could authenticate to any other GitHub account that had registered the same SSH key.
“A bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow weak RSA key generation. This could allow an attacker to decrypt confidential messages or gain unauthorized access to an account belonging to the victim. We recommend that you replace any RSA keys that were generated using version 1.0.3 or earlier of keypair,” says the keypair advisory.
The bug was discovered by Axosoft engineer Dan Suceava, “who noticed that keypair regularly generated duplicate RSA keys.”
To protect their users, GitHub revoked all keys generated by GitKraken at 5:00 p.m. UTC or 1:00 p.m. EST.
GitHub has also revoked other potentially weak keys created by other customers using the same keypair library.
Users whose keys have been revoked are being notified by GitHub and advised to review their SSH keys and replace any that were generated by the vulnerable library.
Axosoft recommends that users of their software generate new SSH keys using GitKraken 8.0.1, or later, for each Git service provider.
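The failure described above (a key generator whose PRNG repeats itself) shows up in the resulting public keys in two ways: two users end up with byte-for-byte identical keys, or two distinct moduli share a prime. The following added example, which is not code from GitHub, Axosoft or the keypair library, parses OpenSSH-format `ssh-rsa` lines, computes the same SHA256 fingerprints `ssh-keygen -lf` prints, and reports both conditions. The sample keys are constructed inline from tiny toy primes so the block runs offline; real keys are 2048 bits or more, but the parsing and checks are identical. It goes slightly beyond the article by also checking for shared primes, since a weak PRNG can produce keys that are different yet not independent.

```python
"""Audit OpenSSH RSA public keys for duplicate key material and shared prime factors.

Added example, not GitHub's, Axosoft's or the keypair library's code.  The sample
keys are constructed with toy primes so the block runs offline.
"""
import base64
import hashlib
import struct
from itertools import combinations
from math import gcd


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(buf: bytes, offset: int):
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def encode_openssh_rsa(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa AAAA... comment' line from a public exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_rsa(line: str):
    """Return (e, n, comment, blob) for one authorized_keys-style ssh-rsa line."""
    key_type, b64, *rest = line.split()
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}")
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match the line prefix")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), " ".join(rest), blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_keys(lines):
    """Flag (1) identical keys and (2) distinct moduli that share a prime factor.

    Either finding means the keys were not generated independently, which is exactly
    what a broken PRNG in a key generator produces.  Pairwise gcd is O(n^2); for
    thousands of keys use a batch-GCD product tree, the check itself is the same.
    """
    keys = [parse_openssh_rsa(line) for line in lines]
    by_fp = {}
    for _e, _n, comment, blob in keys:
        by_fp.setdefault(fingerprint(blob), []).append(comment)
    duplicates = [(fp, owners) for fp, owners in by_fp.items() if len(owners) > 1]

    shared = []
    for (_ea, na, ca, _), (_eb, nb, cb, _) in combinations(keys, 2):
        if na == nb:
            continue  # already reported as a duplicate
        g = gcd(na, nb)
        if g > 1:
            shared.append((ca, cb, g))
    return {"duplicates": duplicates, "shared_factor": shared}


# Constructed sample input with toy primes: key B repeats key A (the duplicate-key
# failure), key C shares the prime 61 with A and B, key D is independent.
SAMPLE_KEYS = [
    encode_openssh_rsa(17, 61 * 53, "user-a@laptop"),
    encode_openssh_rsa(17, 61 * 53, "user-b@desktop"),
    encode_openssh_rsa(17, 61 * 71, "user-c@ci"),
    encode_openssh_rsa(17, 67 * 73, "user-d@workstation"),
]

if __name__ == "__main__":
    report = audit_keys(SAMPLE_KEYS)
    for fp, owners in report["duplicates"]:
        print(f"DUPLICATE {fp} registered by {', '.join(owners)}")
    for a, b, g in report["shared_factor"]:
        print(f"SHARED PRIME {g} between {a} and {b}")
```

Run against a real set of keys by feeding `audit_keys` the lines of an `authorized_keys` file or a dump of each account's registered public keys; a duplicate fingerprint across two different accounts is the condition GitHub's revocation targeted, and any shared factor means both keys must be replaced.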