Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save e12e/0c1868479c0b8d0a52914d44be66d769 to your computer and use it in GitHub Desktop.
Save e12e/0c1868479c0b8d0a52914d44be66d769 to your computer and use it in GitHub Desktop.
Mark compromised GitHub.com key as revoked
#!/bin/bash
# For eg MacOs with ssh*.d-style config:
# Update ssh_config (client config, not server config)
echo "RevokedHostKeys /etc/ssh/ssh_revoked_host_keys" | sudo tee /etc/ssh/ssh_config.d/revoked_host_keys.conf
# Create revocation file as ssh binary file. If file isn't readable *all* keys are considered invalid!
test -s /etc/ssh/ssh_revoked_host_keys || sudo ssh-keygen -k -f /etc/ssh/ssh_revoked_host_keys
# Revoke old github key based on full key or id:
cat <<EOF | sudo ssh-keygen -k -u -f /etc/ssh/ssh_revoked_host_keys -
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
# If we try to test, we realize that github obviously isn't using their old key anymore:
cat <<'EOF'
ssh -oHostKeyAlgorithms='ssh-rsa' -oFingerprintHash=md5 [email protected] whoami
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
MD5:d5:2c:63:d9:bc:75:9d:de:b1:4e:36:28:9f:7a:9c:39.
Please contact your system administrator.
Add correct host key in /Users/e12e/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/e12e/.ssh/known_hosts:66
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.
EOF
# Remove old trusted key:
ssh-keygen -R github.com
# Test again, and accept new key - get the fingerprint as sha256:
ssh -oHostKeyAlgorithms='ssh-rsa' -oFingerprintHash=sha256 [email protected] whoami
cat <<'EOF'
The authenticity of host 'github.com (140.82.121.3)' can't be established.
RSA key fingerprint is SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com' (RSA) to the list of known hosts.
Invalid command: 'whoami'
You appear to be using ssh to clone a git:// URL.
Make sure your core.gitProxy config option and the
GIT_PROXY_COMMAND environment variable are NOT set.
EOF
# Revoke *new* github key (via hash NB: only sha256 works - otherwise use
# public key like above) verify that revocation works:
echo 'hash: SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s' | sudo ssh-keygen -k -u -f /etc/ssh/ssh_revoked_host_keys -
# It works:
ssh -oHostKeyAlgorithms='ssh-rsa' -oFingerprintHash=sha256 [email protected] whoami
# Outputs:
# Host key RSA SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s revoked by file /etc/ssh/ssh_revoked_host_keys
# Host key verification failed.
# List KRL file:
ssh-keygen -Q -l -f /etc/ssh/ssh_revoked_host_keys
cat <<'EOF'
# KRL version 0
# Generated at 20230324T121459
hash: SHA256:SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 # ssh-rsa
hash: SHA256:b8d895ced92c0ac0e171cd2ef5ef01ba3417554a4a6480d331ccc2be3ded0f6b
EOF
# Write new KRL with only the old key in it (AFAIK there's no easy way to
# reomve a hash key from binary KRL) - NB without "-u" KRL is overwritten!:
cat <<EOF | sudo ssh-keygen -k -f /etc/ssh/ssh_revoked_host_keys -
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
# Verify new KRL:
ssh-keygen -Q -l -f /etc/ssh/ssh_revoked_host_keys
cat <<'EOF'
# KRL version 0
# Generated at 20230324T125637
hash: SHA256:SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 # ssh-rsa
EOF
# Verify that we can access github (note, with standard options ed25519 is prefered):
ssh -v [email protected] whoami 2>&1 | grep "Server host key" 2>&1
# Output:
# debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
# References:
#
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
# https://docs.rundeck.com/docs/learning/howto/revoke-ssh-keys.html
# https://manpages.ubuntu.com/manpages/xenial/man1/ssh-keygen.1.html#key%20revocation%20lists
@2energycell
Copy link

hi! I have also encountered the REMOTE HOST IDENTIFICATION HAS CHANGED;
I assume it happened globally for github.com, correct? thx

@2energycell
Copy link

ok actually, this is what happened: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment