Mark compromised GitHub.com key as revoked
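#!/bin/bash
# Mark the old (compromised) github.com RSA host key as revoked by putting it
# into an OpenSSH Key Revocation List (KRL), then verify that the ssh client
# honours the KRL. Written for eg MacOs with ssh*.d-style config.
#
# This is a runbook rather than a fire-and-forget script: several of the ssh
# calls below are *expected* to fail (that is the verification), so there is
# no `set -e`; run it step by step and compare with the quoted sample output.
# Requires sudo for /etc/ssh.

krl=/etc/ssh/ssh_revoked_host_keys
conf=/etc/ssh/ssh_config.d/revoked_host_keys.conf

# Create revocation file as ssh binary file BEFORE pointing ssh_config at it.
# If the RevokedHostKeys file isn't readable *all* host keys are considered
# invalid, so the file must exist (and be readable by the users who run ssh)
# before the directive becomes live. Creating it first closes that window.
test -s "$krl" || sudo ssh-keygen -k -f "$krl" || {
  echo "could not create empty KRL $krl - not enabling RevokedHostKeys" >&2
  exit 1
}
# Check the mode: an unreadable KRL locks every host out.
ls -l "$krl"

# Update ssh_config (client config, not server config):
echo "RevokedHostKeys $krl" | sudo tee "$conf"

# Revoke old github key based on full key or id. Quoted delimiter: the key
# material is literal and must not be subject to shell expansion.
sudo ssh-keygen -k -u -f "$krl" - <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF

# If we try to test, we realize that github obviously isn't using their old
# key anymore (HostKeyAlgorithms is pinned to ssh-rsa so the RSA key, not the
# preferred ed25519 key, is what gets checked). Expected output:
cat <<'EOF'
ssh -oHostKeyAlgorithms='ssh-rsa' -oFingerprintHash=md5 git@github.com whoami
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
MD5:d5:2c:63:d9:bc:75:9d:de:b1:4e:36:28:9f:7a:9c:39.
Please contact your system administrator.
Add correct host key in /Users/e12e/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/e12e/.ssh/known_hosts:66
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.
EOF

# Remove old trusted key from known_hosts:
ssh-keygen -R github.com

# Test again, and accept new key - get the fingerprint as sha256.
# Before answering "yes", compare the fingerprint ssh prints with the one
# GitHub publishes (see References below); answering yes is what pins it.
ssh -oHostKeyAlgorithms='ssh-rsa' -oFingerprintHash=sha256 git@github.com whoami
cat <<'EOF'
The authenticity of host 'github.com (140.82.121.3)' can't be established.
RSA key fingerprint is SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com' (RSA) to the list of known hosts.
Invalid command: 'whoami'
You appear to be using ssh to clone a git:// URL.
Make sure your core.gitProxy config option and the
GIT_PROXY_COMMAND environment variable are NOT set.
EOF

# Revoke *new* github key (via hash NB: only sha256 works - otherwise use
# public key like above) to verify that revocation works. NB: from here until
# the KRL is rewritten below, RSA access to github.com is blocked on purpose.
echo 'hash: SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s' | sudo ssh-keygen -k -u -f "$krl" -
# It works - this ssh is expected to fail:
ssh -oHostKeyAlgorithms='ssh-rsa' -oFingerprintHash=sha256 git@github.com whoami
# Outputs:
# Host key RSA SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s revoked by file /etc/ssh/ssh_revoked_host_keys
# Host key verification failed.

# List KRL file:
ssh-keygen -Q -l -f "$krl"
cat <<'EOF'
# KRL version 0
# Generated at 20230324T121459
hash: SHA256:SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 # ssh-rsa
hash: SHA256:b8d895ced92c0ac0e171cd2ef5ef01ba3417554a4a6480d331ccc2be3ded0f6b
EOF

# Write new KRL with only the old key in it (AFAIK there's no easy way to
# remove a hash key from binary KRL) - NB without "-u" the KRL is overwritten,
# so any other revocations it held are lost; keep a copy to diff against.
sudo cp -p "$krl" "$krl.bak"
sudo ssh-keygen -k -f "$krl" - <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF

# Verify new KRL - the current key's hash must no longer be listed:
ssh-keygen -Q -l -f "$krl"
cat <<'EOF'
# KRL version 0
# Generated at 20230324T125637
hash: SHA256:SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 # ssh-rsa
EOF

# Verify that we can access github (note, with standard options ed25519 is
# preferred). ssh -v logs to stderr, hence the 2>&1 before the pipe.
ssh -v git@github.com whoami 2>&1 | grep "Server host key"
# Output:
# debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU

# References:
#
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
# https://docs.rundeck.com/docs/learning/howto/revoke-ssh-keys.html
# https://manpages.ubuntu.com/manpages/xenial/man1/ssh-keygen.1.html#key%20revocation%20lists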
ok actually, this is what happened:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/