A while ago, when learning about the existence of ECDSA-SK keys, I have created such a key and added it to my github account.
Now I am trying to remove it, but it simply does not show up in the list of keys. The list only shows my "regular" SSH key, but not the SK key.
However, the SK key works just fine. I can push/pull with it (even to/from private repos), and when trying to authenticate with it it shows as connected to my github account:
$ ssh -T -ai ~/.ssh/id_rsa.sk git#github.com
Hi bogd! You've successfully authenticated, but GitHub does not provide shell access.
Also, if I try to add it to my account, github tells me "the key is already in use".
So my question is - where do I need to go to remove this key??
From GitHub announcement in May 2021, this is what you should see:
If no "skey" entry is listed:
check if it would be listed when you have your YubiKey in place
check if you can list that key through GitHub API (you would need a token with read:public_key scope)
contact GitHub support to investigate.
The OP Bogd reports in the comments the SK (Security Key) was listed as a Deploy Key
The "-i" argument to SSH only adds the specified key to the list of keys the client will try.
Since I normally always have my RSA key loaded in the agent, it is likely that key was tried first, and that was why the command output did not list the repository.
The command should have been:
ssh -v -o "IdentitiesOnly=yes" -i ~/.ssh/id_rsa.sk git#github.com'
Related
In the myhome/.ssh/ directory are local SSH keys for my personal GitHub account, the directory has the id_rsa and id_rsa.pub files that allow me to authenticate with GitHub.
I am setting up a server (compute engine on GCP), and this server needs these keys because it needs to authenticate to my GitHub to pull a repo. Should I either:
transfer over / SCP the currently-existing id_rsa, `id_rsa.pub that I have locally onto the server, and use those on the server.
create a brand new SSH key from on the server, and use this key. Add it to my GitHub profile.
it doesn't matter, either (1) or (2) is fine.
or something else?
(2) seems like the right approach, but we are not certain.
Indeed option 2. As a best practice, you should not share the same private key.
Go ahead and generate a new SSH key following the docs: https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh
Git supports signing commits using GPG, and GitHub shows these commits as being ‘Verified’. When you click the Verified tag, you'll see something like:
This commit was signed with a verified signature.
my username
My name
GPG key ID: F66DEF7BA82E8647
When you merge a pull request or, presumably, when you make a commit from within the web interface, it also shows as Verified, but with a different message:
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23
When I run git log --show-signature, it will show commits that I've signed locally, like this:
gpg: Signature made 01/25/18 11:52:25 W. Europe Standard Time^M
gpg: using RSA key 3FA85DEE7B64EB7EC8F97F41F66DEF7BA82E8647^M
gpg: Good signature from "Dude" <somebody#email.com>" [ultimate]^M
So far, so good. However, when I encounter a merged pull request, I'll get the following:
gpg: Signature made 01/25/18 09:07:45 W. Europe Standard Time^M
gpg: using RSA key 4AEE18F83AFDEB23^M
gpg: Can't check signature: No public key^M
Obviously this is because I haven't added the public key to my list of GPG keys. The question is: where can I find this key? Is it listed somewhere?
edit: Obviously I've tried Googling this, and even asked a question on GitHub's community forums, but it's not getting answered.
By the nature of GPG, you want to be sure about which keys you are importing, and which you sign. You can find GitHub's web flow GPG public key here:
https://github.com/web-flow.gpg
If you want to import the public key, you can do so with the following command:
curl https://github.com/web-flow.gpg | gpg --import
As a user of GPG, you should evaluate the your level of trust of the source of this key. If you decide that it does indeed belong to GitHub, you can sign it and optionally publish your signature to a key server, essentially publicly acknowledging that you believe the key belongs to who it is supposed to belong to.
GitHub has documentation on how to locate existing keys, create new keys, adding them to git, GitHub, etc. You can find that here and I think it would answer any questions you have here.
From: https://help.github.com/articles/about-gpg/
GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg
I need to access (clone) a private repository on GitHub that belongs to a developer whom I am unable to communicate with. I have been provided with both a public and a private key (I'm guessing they might be deploy keys for the specific repository?)
After running the following terminal command:
git clone git#github.com:theirusername/reponame.git
I receive the following error:
Cloning into 'reponame'...
ERROR: Repository not found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The developer also included the following notes in a README with the keys:
Developer notes (replaced sensitive info with 'x's)
===============
"This SSH public/private keypair allows full access to the server.
DO NOT GIVE THESE FILES TO ANYONE THAT YOU DON'T WANT ACCESSING YOUR ENTIRE SERVER AND ASSOCIATED SERVICES.
- The SSH port is XXXXX.
- There is no passphrase on the keys.
- The keys allow access to two users: `xxx` (standard privs) and `xxx` (for sudo and su-ing to root)
- These keys also allow access to the GitHub repository: github.com/theirusername/reponame.git"
I have already tried adding the public key to my Github account (under settings --> SSH and GPG keys). This did not seem to help the issue.
I'm sure there is something fundamental I'm not grasping here. Do I need BOTH the public and private keys to access the repo? If so, where do I have to register each of them? Any help would be greatly appreciated.
You need to store the public and private key in your HOME (~/.ssh)
You can then test the connection with ssh -T git#github.com: if those keys are from another developer, it should display a welcome message with the other developer name (since the public key should be registered under his/her GitHub account)
If you have multiple keys, you will need an ~/.ssh/config file, as I describe here.
I set up SSH login for github using the following instructions, and although it works, I can't figure out why it works: https://help.github.com/articles/generating-ssh-keys/
My understanding of SSH is as follows: client creates a key pair, client gives public key to server, and when client wants to log in, he encrypts a message of server's choice using his private key to prove that he is really the client.
Now: I upload my public key XXX to Github. When I do "ssh -T git#github.com", Github has to know I am trying to log in as me, so that he can decrypt my message using XXX, right? So ssh has to send that information...but how does ssh know anything about Github, or what my username is? And what if I have multiple key pairs - which key would ssh use?
When you add your SSH public key to your GitHub account, you associate that key with your GitHub account.
By default, the command ssh -T git#github.com searches for id_dsa and id_rsa files. To confirm this, try ssh -T git#github.com -v.
If you have keys associated to different github accounts, you would have to specify with -i to use different accounts. ssh -T git#github.com -i /path/to/mykey
In short:
SSH client send public key to server
Server finds your name according to public key (unique), but needs to verify that you have also the private key, therefore he sends you a some message
Your client signs that message using your private key
Server verifies the signature and if it is valid, you are allowed access
This is based on public key cryptography, specially digital signature technique (google for more details).
In a shared-account scenario, authentication/authorization is handled by the application.
I'm not sure Github is using it, but one solution for non-shell account authorization is Gitosis, and it used for precisely the purpose you describe. There are separate key pairs for each user. This much is similar to how Github does things.
The basic notion of how Gitosis works (deferring the authentication and authorization to gitosis) is explained on the app readme page, but the mechanics may require a review of the source code. Based on a cursory examination, it looks like the mechanics of this method are mostly via git hooks on the server.
In GitHub I am supposed to go to Account Setting, then click on SSH keys, and there I should have some way to add an SSH Key. The instructions at http://help.github.com/win-set-up-git/ say: "click "Add SSH Key". But that link does not exist. Instead I get the following:
On Sunday March 4, 2012 a security vulnerability related to SSH keys
(public keys) was discovered. For your protection and to prevent
unauthorized access we have disabled your public keys until you
approve them.
Need help verifying fingerprints?
along with Accept and Reject buttons next to ssh keys I have uploaded but not verified since the exploit was found. I do not want to accept or reject any of these other ssh keys at this point. All I want is to add a new SSH Key. How do I do it?
Many thanks!
After accepting/rejecting all the existing ssh keys the link was visible again in my account.