2 Jun 2015, 3:19 p.m.
Someone ran an experiment looking at the SSH keys used on GitHub (public keys are accessible through the API):
https://blog.benjojo.co.uk/post/auditing-github-users-keys
Excerpt:
I remembered back to the May 2008 Debian OpenSSH bug, where
the randomness source was compromised to the point where the
system could only generate one of 32k keys in a set.
I used g0tmi1k’s set of keys to compare against what I had in
my database, and found a very large amount of users who are
still using vulnerable keys, and even worse, have commit
access to some really large and wide projects including:
...
Crypto libraries to Python
Django
Python’s core
...
CPython is not officially on GitHub, so committing evil stuff to the GitHub mirror may not matter very much, but these users may have the same key configured for hg.python.org. Should we check everyone's SSH keys?
--amk
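One way to run the check proposed above, as an added example that is not code from this post, from the blog it quotes, or from the Python project: parse OpenSSH public-key lines (the format of authorized_keys and of what GitHub serves for a user's keys), derive the key size from the key material, compute the MD5 and SHA256 fingerprints, and look each key up in a blacklist of known weak keys from the Debian OpenSSL PRNG bug (CVE-2008-0166). The sample keys and the blacklist are constructed inline so the example runs offline: the RSA moduli are arbitrary integers, not real key pairs, and the blacklist simply contains one of the sample keys. To audit real keys you would load the openssh-blacklist files or g0tmi1k's set instead. One assumption is marked in the code: that a blacklist entry is the last 20 hex digits of the MD5 fingerprint, which is how I recall the openssh-blacklist files being indexed; check the header of the list you actually use.

```python
import base64
import hashlib
import struct


def parse_pubkey(line):
    """Parse one OpenSSH public-key line: '<type> <base64 blob> [comment]'."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    return keytype, blob, comment


def ssh_fields(blob):
    """Split an SSH wire blob into its length-prefixed fields (RFC 4251 string/mpint)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def key_bits(keytype, blob):
    """Key size in bits, taken from the key material itself, never from the comment."""
    fields = ssh_fields(blob)
    if fields[0] != keytype.encode():
        raise ValueError("key type inside blob does not match the line prefix")
    if keytype == "ssh-rsa":        # fields: "ssh-rsa", e, n
        return int.from_bytes(fields[2], "big").bit_length()
    if keytype == "ssh-dss":        # fields: "ssh-dss", p, q, g, y
        return int.from_bytes(fields[1], "big").bit_length()
    if keytype == "ssh-ed25519":
        return 256
    if keytype.startswith("ecdsa-sha2-nistp"):
        return int(keytype[len("ecdsa-sha2-nistp"):])
    raise ValueError("unsupported key type: " + keytype)


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint (the form older ssh-keygen -l printed)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def sha256_fingerprint(blob):
    """SHA256 fingerprint in modern ssh-keygen -l form (base64, padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def blacklist_id(blob):
    # ASSUMPTION: blacklist entries are the last 20 hex digits of the MD5 fingerprint,
    # as I recall the openssh-blacklist files being laid out. Verify against the
    # header of the blacklist you load and adjust this slice if it differs.
    return hashlib.md5(blob).hexdigest()[-20:]


def audit_key(line, blacklist, min_rsa_bits=2048):
    """Report dict for one key line; 'findings' is an empty list for a clean key."""
    keytype, blob, comment = parse_pubkey(line)
    bits = key_bits(keytype, blob)
    findings = []
    if blacklist_id(blob) in blacklist:
        findings.append("matches Debian weak-key blacklist (CVE-2008-0166)")
    if keytype == "ssh-rsa" and bits < min_rsa_bits:
        findings.append("RSA modulus is only %d bits" % bits)
    return {"type": keytype, "bits": bits, "comment": comment,
            "md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob),
            "findings": findings}


# Constructed sample data: moduli are arbitrary integers chosen only so the
# wire encoding parses; these are not real key pairs.
def _mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b and b[0] & 0x80 else b


def _string(b):
    return struct.pack(">I", len(b)) + b


def make_rsa_line(n, e=65537, comment=""):
    blob = _string(b"ssh-rsa") + _string(_mpint(e)) + _string(_mpint(n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + (" " + comment if comment else "")


SAMPLE_KEYS = [
    make_rsa_line((1 << 2047) + 12345, comment="alice@example"),
    make_rsa_line((1 << 1023) + 777, comment="bob@oldbox"),
    "ssh-ed25519 " + base64.b64encode(_string(b"ssh-ed25519") + _string(bytes(32))).decode(),
]
# Constructed blacklist standing in for the real weak-key lists: it holds bob's key.
WEAK_IDS = {blacklist_id(parse_pubkey(SAMPLE_KEYS[1])[1])}

if __name__ == "__main__":
    for line in SAMPLE_KEYS:
        r = audit_key(line, WEAK_IDS)
        status = "WEAK" if r["findings"] else "ok"
        print(status, r["type"], r["bits"], r["sha256"], r["comment"], "; ".join(r["findings"]))
```

Run as-is it reports alice's 2048-bit key as ok, bob's key as weak on both counts (blacklisted and only 1024 bits), and the ed25519 key as ok. For a real audit, feed it the lines from each committer's authorized keys (GitHub serves a user's public keys in this same one-per-line format at https://github.com/<user>.keys) and a blacklist loaded from disk in place of WEAK_IDS.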