GitHub requires a full audit of all SSH keys

openkk, 12 years ago
After <a href="/misc/goto?guid=4958332038506391374" target="_blank">GitHub was attacked through the Rails vulnerability</a>, GitHub did more than patch the hole; it then took a more aggressive step: <strong>SSH key access was suspended for every account, to be restored only after the user has audited and confirmed their keys; see <a href="/misc/goto?guid=4958332039345957156" target="_blank">SSH Key Audit</a>.</strong>
<br />
<br />
Beyond fixing the bug and auditing keys, GitHub has also <strong>introduced new mechanisms that make it easier for users to notice abnormal access, including:</strong>
<br />
<br />
<ul>
  <li>Adding a new SSH public key now requires entering your password.</li>
  <li>An email notification is sent whenever a new SSH public key is added.</li>
  <li>A new Security History page shows the security status of the account.</li>
</ul>
These are quite proactive remediation measures.
<br />
<br />
A further note on <strong>how to audit a key, that is, how to obtain the fingerprint of your public key:</strong>
<br />
<br />
<ul>
  <li>ssh-keygen -lf .ssh/id_rsa.pub (if you use RSA)</li>
  <li>ssh-keygen -lf .ssh/id_dsa.pub (if you use DSA)</li>
</ul>
The output is the value you compare against the one GitHub shows you. Remember: since this is an audit, check the keys one by one and confirm that every fingerprint matches.
<br />
<br />
The original email is attached:
<br />
<br />
<div class="quote_title">
  Quote
</div>
<div class="quote_div">
  A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.
  <br /> While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.
  <br /> # Required Action
  <br /> Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.
  <br /> Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.
  <br /> # Status
  <br /> We take security seriously and recognize this never should have happened.
  In addition to a full code audit, we have taken the following measures to enhance the security of your account:
  <br /> - We are forcing an audit of all existing SSH keys
  <br /> - Adding a new SSH key will now prompt for your password
  <br /> - We will now email you any time a new SSH key is added to your account
  <br /> - You now have access to a log of account changes in your Account Settings page
  <br /> Sincerely, The GitHub Team
  <br /> — https://github.com support@github.com
  <br />
  <br /> Source: <a href="/misc/goto?guid=4958332040146654179">Gea-Suan Lin's BLOG</a>
</div>
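The fingerprint check described above, as an added Python example that is not part of the post or of GitHub's own tooling: it parses each line of an id_*.pub file, computes both the MD5 colon form that ssh-keygen -l printed in 2012 (and the audit page showed) and the SHA256 form used since OpenSSH 6.8, and flags every local key whose fingerprint is not in the list you copied from the settings page. The sample key, the function names and the status labels are constructed for this example.

```python
import base64
import hashlib

# Constructed sample (not a real key): an ssh-ed25519 blob in OpenSSH wire
# format, i.e. length-prefixed "ssh-ed25519" followed by 32 key bytes.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " laptop"

def parse_pubkey(line: str):
    """Split one id_*.pub line into (key_type, blob, comment); reject junk."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # reject non-base64 bytes
    # The first wire-format string inside the blob must repeat the key type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob, comment

def fingerprint_md5(blob: bytes) -> str:
    """Legacy form printed by ssh-keygen -l before OpenSSH 6.8 (hex pairs, colon-separated)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob: bytes) -> str:
    """Current form: 'SHA256:' plus unpadded base64 of the digest."""
    d = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(d).decode().rstrip("=")

def audit(local_lines, approved):
    """Match each local public key against the fingerprints shown in the web UI.

    Returns (comment, status) tuples; status is 'ok', 'UNKNOWN' or 'malformed'.
    Anything that is not 'ok' is a key to investigate, not one to approve."""
    approved = set(approved)
    report = []
    for line in local_lines:
        try:
            _, blob, comment = parse_pubkey(line)
        except ValueError:
            report.append((line[:12], "malformed"))
            continue
        known = {fingerprint_md5(blob), fingerprint_sha256(blob)} & approved
        report.append((comment, "ok" if known else "UNKNOWN"))
    return report
```

Feed it the lines of your own *.pub files together with the fingerprint strings copied from the settings page; either fingerprint form is accepted, so the comparison works whether the page shows the old MD5 or the newer SHA256 form.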