SSH Key Auditing
As a follow-up to the vulnerability fix that was included in our 11.10.240 release, we're now including the SSH Key Auditing that was recently performed on GitHub.com.
We've modified this for Enterprise in two ways. First, any Admin user can initiate an installation-wide SSH key audit, so you can run one whenever you consider it necessary. Second, the audit does not start automatically: an admin user must initiate it. Once initiated, it disables every SSH key currently on the installation and requires users to approve or reject each of their keys before they can clone from, pull from or push to any repository over SSH.
Initiating an Audit
An SSH Key Audit can be initiated through the User tab of the Admin Tools dashboard:
After clicking that button, you'll be taken to a confirmation screen explaining what will happen:
After clicking the Start Public Key Audit button, all SSH keys will be invalidated and require approval. You'll see a notification indicating that the audit has begun:
What Users Will See
If a user attempts to perform any git operation over SSH, it will fail and they'll see the following message:
ERROR: Hi [username]. We're doing an SSH key audit. Please visit http(s)://[hostname]/settings/ssh/audit/2 to approve this key so we know it's safe.
Fingerprint: ed:21:60:64:c0:dc:2b:16:0f:54:5f:2b:35:2a:94:91
fatal: The remote end hung up unexpectedly
When they follow the displayed link, they'll be asked to approve the keys that are on their account:
A user should approve only keys they recognize, for example by comparing the displayed fingerprint against the public keys on their own machines, and reject any key they don't recognize. After approving or rejecting their keys, they'll be able to continue interacting with repositories as usual.
Other SSH Key-related Improvements
Users are now prompted for their password when adding an SSH key:
When a key is added, they'll also receive a notification email that looks something like this:
The following SSH key was added to your account:
[title] ed:21:60:64:c0:dc:2b:16:0f:54:5f:2b:35:2a:94:91
If you believe this key was added in error, you can remove the key and disable access at the following location: http(s)://[hostname]/settings/ssh
If you have any questions about this process, please feel free to email support.