GitHub Revokes Duplicate SSH Authentication Keys
The Weak SSH Authentication Keys Were Generated Using a Library that Incorrectly Created Duplicate RSA Keypairs.
The SSH protocol used by GitHub allows you to log in without a user name or password. To do this, users would need to establish an SSH keypair and add the public key to their accounts’ SSH key settings.
You may use the key with a Git client to automatically log in to GitHub without having to enter in your username and password once you’ve added it to your account.
SSH Keys Revoked by GitHub
GitHub and Axosoft, LLC, the developers of the popular GitKraken Git client, confirmed today that they have revoked weak SSH keys generated by the software’s keypair package.
On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken’s disclosure on their blog.
Today as of 1700 UTC, we’ve revoked all keys generated by these vulnerable versions of the GitKraken client that were in use on GitHub.com, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency. In addition to revoking these keys, we have also implemented protections to prevent vulnerable versions of GitKraken from adding newly-generated weak keys by the older, vulnerable versions of the client in the future.
Duplicate RSA keys were produced due to a vulnerability in the library’s pseudo-random number generator, allowing users to access other GitHub accounts secured with the same SSH key.
A bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. We recommend replacing any RSA keys that were generated using keypair version 1.0.3 or earlier.
Dan Suceava of Axosoft found the flaw after “noticing that keypair was routinely producing duplicate RSA keys.”
Other possibly weak keys produced by other clients using the same keypair library were also canceled by GitHub.
To protect its users, GitHub revoked all keys generated by GitKraken at 17:00 UTC/1 PM EST.
GitHub also revoked other potentially weak keys generated by other clients using the same keypair library.
Users whose keys have been revoked are notified by GitHub and are advised to review their SSH keys and replace them if they were generated using the vulnerable library.
Axosoft recommends that users of their product utilize GitKraken 8.0.1 or later to generate new SSH keys for each Git service provider.