
@watsonian
Created March 15, 2012 17:58
Enterprise SSH Key Audit Feature

SSH Key Auditing

As a follow-up to the vulnerability fix that was included in our 11.10.240 release, we're now including the SSH key auditing that was recently performed on GitHub.com.

We've modified this for Enterprise in two ways. First, any Admin user is able to initiate an installation-wide SSH key audit, so you can perform SSH key audits whenever you deem it necessary. Second, the key audit is not started automatically; an admin user must initiate it. Once initiated, it disables all existing SSH keys that have been added and requires users to approve or reject them before they're able to clone, pull or push to any repositories.

Initiating an Audit

An SSH Key Audit can be initiated through the User tab of the Admin Tools dashboard:

After clicking that button, you'll be taken to a confirmation screen explaining what will happen:

After clicking the Start Public Key Audit button, all SSH keys will be invalidated and require approval. You'll see a notification indicating that the audit has begun:

What Users Will See

If a user attempts to perform any git operation over SSH, it will fail and provide them with the following message:

ERROR: Hi [username]. We're doing an SSH key audit.
Please visit http(s)://[hostname]/settings/ssh/audit/2
to approve this key so we know it's safe.
Fingerprint: ed:21:60:64:c0:dc:2b:16:0f:54:5f:2b:35:2a:94:91
fatal: The remote end hung up unexpectedly

When they follow the displayed link, they'll be asked to approve the keys that are on their account:

After approving or rejecting their keys, they'll be able to continue interacting with repositories as usual.
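The flow described above (start an audit, every key becomes pending, the owner approves or rejects each one, and SSH access resumes only for approved keys) can be sketched as a small model. The following Python is an added example, not GitHub's code: the `KeyAudit` class, its method names and the `https://` hostname are assumptions, and the key blob `YWJj` is a constructed placeholder rather than a real RSA key. The fingerprint routine, however, is the genuine legacy format shown in the error message: an MD5 over the decoded base64 blob, printed as colon-separated hex pairs, which is what `ssh-keygen -l` produced at the time and what a user should compare against the fingerprint in the message before approving.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple


def parse_public_key(line: str) -> Tuple[str, bytes, str]:
    """Split an OpenSSH public-key line into (type, raw blob, comment).

    Fingerprints are computed over the decoded base64 field, exactly as
    ssh-keygen does, so the blob is returned as bytes.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    return key_type, blob, comment


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, e.g. ed:21:60:64:..."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KeyAudit:
    """Assumed model of the audit: start() disables every key on the install;
    each key must then be approved or rejected by its owner."""

    def __init__(self, hostname: str, audit_id: int = 1):
        self.hostname = hostname
        self.audit_id = audit_id
        self.active = False
        # fingerprint -> "active" | "pending" | "approved" | "rejected"
        self.status: Dict[str, str] = {}

    def add_key(self, public_key_line: str) -> str:
        """Register a key; while an audit runs, new keys also start pending."""
        _, blob, _ = parse_public_key(public_key_line)
        fp = md5_fingerprint(blob)
        self.status[fp] = "pending" if self.active else "active"
        return fp

    def start(self) -> None:
        """Admin action: invalidate all keys until their owners review them."""
        self.active = True
        for fp in self.status:
            self.status[fp] = "pending"

    def approve(self, fingerprint: str) -> None:
        self._review(fingerprint, "approved")

    def reject(self, fingerprint: str) -> None:
        self._review(fingerprint, "rejected")

    def _review(self, fingerprint: str, decision: str) -> None:
        if self.status.get(fingerprint) != "pending":
            raise ValueError("only pending keys can be reviewed")
        self.status[fingerprint] = decision

    def authorize(self, username: str, blob: bytes) -> Optional[str]:
        """Return None when the key may be used, otherwise the error text
        the user would see on a git-over-SSH operation."""
        fp = md5_fingerprint(blob)
        state = self.status.get(fp)
        if state in ("active", "approved"):
            return None
        if state == "pending":
            return (
                f"ERROR: Hi {username}. We're doing an SSH key audit.\n"
                f"Please visit https://{self.hostname}/settings/ssh/audit/{self.audit_id}\n"
                "to approve this key so we know it's safe.\n"
                f"Fingerprint: {fp}"
            )
        # Unknown or rejected key: no access, and no hint about the audit.
        return "ERROR: key not recognized"


if __name__ == "__main__":
    # Constructed placeholder key; "YWJj" is base64 for "abc", not a real key.
    audit = KeyAudit("git.example.internal", audit_id=2)
    fp = audit.add_key("ssh-rsa YWJj alice@example")
    audit.start()
    print(audit.authorize("alice", b"abc"))  # pending: prints the audit message
    audit.approve(fp)
    print(audit.authorize("alice", b"abc"))  # approved: prints None
```

To check a local key against the fingerprint in the message, run `ssh-keygen -lf ~/.ssh/id_rsa.pub` (on newer OpenSSH add `-E md5`, since the default fingerprint format later changed to SHA-256) and approve only keys whose fingerprint you recognise.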

Other SSH Key-related Improvements

Now users will be prompted for their password when adding an SSH key:

When a key is added, they'll also receive a notification email now that will look something like this:

The following SSH key was added to your account:

[title]
ed:21:60:64:c0:dc:2b:16:0f:54:5f:2b:35:2a:94:91

If you believe this key was added in error, you can remove the key and disable
access at the following location:

http(s)://[hostname]/settings/ssh

Questions

If you have any questions about this process, please feel free to email support.
