GitHub has revoked weak SSH authentication keys generated by a library that, because of a faulty random number generator, produced duplicate RSA keypairs.
GitHub supports SSH key authentication as an alternative to a username and password. A user generates an SSH keypair and adds the public key under the SSH keys section of their account settings; any Git client holding the matching private key can then authenticate to GitHub without being prompted for credentials. Possession of the private key is therefore equivalent to possession of the account, which is what makes duplicate keys dangerous.
In a joint statement today, GitHub and Axosoft, LLC, the makers of the GitKraken Git client, said they had revoked weak SSH keys that GitKraken created through a third-party dependency, the ‘keypair’ library.
GitKraken generated the weak SSH keys because of a bug in that dependency:
“An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken’s disclosure on their blog,” GitHub disclosed in a new security advisory today.
Because of a flaw in the library’s pseudo-random number generator, independent GitKraken installations could generate identical RSA keypairs. Since GitHub authenticates purely on the public key, anyone holding one of these duplicate private keys could log in to every other account that had registered the same public key.
The pseudo-random number generator used by keypair versions 1.0.3 and earlier can produce weak RSA keys. An attacker could exploit this to decrypt private communications or gain unauthorized access to a victim’s account.
“Any RSA keys created with keypair version 1.0.3 or before should be replaced,” according to the keypair advisory.
At 17:00 UTC (1 PM EDT), GitHub revoked all keys produced by GitKraken to protect its users. GitHub also revoked other potentially weak keys generated by other clients that use the same keypair library.
GitHub is notifying users whose keys were revoked and advising them to review their SSH keys and replace any that were generated by the vulnerable library.
Axosoft advises GitKraken users to upgrade to GitKraken 8.0.1 or later and then generate a new, separate SSH key for each Git service provider.
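The check behind both the revocation and the advice to review your keys is the same: two accounts (or two machines) must never share RSA key material. The script below, an added example that is not code from GitHub, Axosoft or the keypair library, parses OpenSSH `ssh-rsa` public key lines, extracts the modulus, computes the `SHA256:` fingerprint in the same format `ssh-keygen -lf` prints, and reports any key registered by more than one owner. The owners, comments and moduli (`TOY_N1`, `TOY_N2`, far too small to be real keys) are constructed sample input so the script runs offline; with real data you would feed it the lines from `~/.ssh/*.pub` or from each account's SSH key settings.

```python
"""Find duplicate SSH public keys by comparing their RSA key material.

Added example, not code from GitHub, Axosoft or the keypair library.
Sample keys are constructed inline from toy-sized moduli (TOY_*) so the
script runs offline; real input would be the lines from ~/.ssh/*.pub or
an account's registered SSH keys.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian two's complement, so prepend 0x00 when the high bit is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line (used here only for sample input)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_mpint(blob: bytes, offset: int):
    """Decode one mpint at offset; return (value, offset after it)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return int.from_bytes(blob[start:start + length], "big"), start + length


def parse_pubkey_line(line: str):
    """Return (key_type, blob, comment) from an OpenSSH public key line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"not an OpenSSH public key line: {line!r}")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) == 3 else ""
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():  # the blob must repeat the type prefix
        raise ValueError("key type inside blob does not match prefix")
    return key_type, blob, comment


def rsa_modulus(blob: bytes) -> int:
    """Extract n from an ssh-rsa blob laid out as: string 'ssh-rsa', mpint e, mpint n."""
    (tlen,) = struct.unpack(">I", blob[:4])
    _e, off = _read_mpint(blob, 4 + tlen)
    n, _ = _read_mpint(blob, off)
    return n


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as printed by `ssh-keygen -lf`: SHA256 of the blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def find_duplicate_keys(entries):
    """entries: iterable of (owner, pubkey_line). Returns {fingerprint: [owners]} for
    every RSA key registered by more than one owner. Keys are grouped by modulus,
    so a different comment or owner name cannot hide a duplicate."""
    owners_by_modulus = defaultdict(list)
    fingerprint_by_modulus = {}
    for owner, line in entries:
        key_type, blob, _comment = parse_pubkey_line(line)
        if key_type != "ssh-rsa":
            continue  # the keypair flaw only affected RSA keys
        n = rsa_modulus(blob)
        owners_by_modulus[n].append(owner)
        fingerprint_by_modulus.setdefault(n, fingerprint_sha256(blob))
    return {fingerprint_by_modulus[n]: owners
            for n, owners in owners_by_modulus.items() if len(owners) > 1}


# Constructed sample input: toy moduli, far too small to be real RSA keys. Three
# "independently generated" keys sharing TOY_N1 model what the keypair PRNG flaw caused.
TOY_N1 = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
TOY_N2 = 0xBADC0DE987654321FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA
SAMPLE_KEYS = [
    ("alice", make_rsa_pubkey_line(65537, TOY_N1, "alice@laptop")),
    ("bob", make_rsa_pubkey_line(65537, TOY_N1, "bob@desktop")),
    ("carol", make_rsa_pubkey_line(65537, TOY_N2, "carol@work")),
    ("dave", make_rsa_pubkey_line(65537, TOY_N1, "dave@vm")),
]

if __name__ == "__main__":
    for fp, owners in find_duplicate_keys(SAMPLE_KEYS).items():
        print(f"{fp} is registered by {len(owners)} owners: {', '.join(owners)}")
```

Grouping by modulus rather than by the raw line matters because a comment edit or a re-encoded blob changes the text but not the key; the fingerprint is derived from the blob only, so it is what you compare against the fingerprints GitHub shows in the account's SSH key settings and against `ssh-keygen -lf ~/.ssh/id_rsa.pub` on each machine. A single user can run the same function over their own keys from several machines: if any two fingerprints match, the keys were generated with a broken random source and should be regenerated.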