[python-committers] Weak SSH keys
A.M. Kuchling
amk at amk.ca
Tue Jun 2 17:19:07 CEST 2015
Someone ran an experiment looking at the SSH keys used on GitHub
(public keys are accessible through the API):
https://blog.benjojo.co.uk/post/auditing-github-users-keys
Excerpt:
I remembered back to the May 2008 Debian OpenSSH bug, where
the randomness source was compromised to the point where the
system could only generate one of 32k keys in a set.
I used g0tmi1k’s set of keys to compare against what I had in
my database, and found a very large amount of users who are
still using vulnerable keys, and even worse, have commit
access to some really large and wide projects including:
...
Crypto libraries to Python
Django
Python’s core
...
CPython is not officially on github, so committing evil stuff to the
github mirror may not matter very much, but these users may have the
same key configured for hg.python.org. Should we check everyone's SSH
keys?
--amk
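The check amk proposes at the end ("should we check everyone's SSH keys?") amounts to computing each public key's fingerprint and looking it up in the set of fingerprints the broken Debian RNG could produce. The following is an added example, not code from this post or from any CPython or python.org tooling: it parses public keys in the one-line format used by authorized_keys and the GitHub API, computes the OpenSSH-style SHA256 fingerprint and the legacy MD5 fingerprint (older weak-key lists were keyed by MD5), and flags keys whose fingerprint is in a blocklist. Every function name is mine; the sample keys are constructed byte strings, not real keys, and the blocklist is a stand-in built from one of them. A real audit would load the published weak-key fingerprint list in its place and run over the keys exported from hg.python.org and the GitHub mirror.

```python
"""Audit SSH public keys against a set of known-weak fingerprints.

Added example (hypothetical helper names). The sample keys below are
constructed, and WEAK_FINGERPRINTS is a stand-in for a real weak-key list.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Set, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode one SSH wire-format string at offset; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    if offset + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def parse_pubkey_line(line: str) -> Optional[Tuple[str, bytes, str]]:
    """Parse 'keytype base64blob [comment]'.

    Returns None for blank or '#' lines. Raises ValueError for malformed
    keys: bad base64, or a blob whose embedded type disagrees with the
    declared type (a sign the line was hand-edited or corrupted).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key material: %r" % line)
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("bad base64 in key %r" % comment) from exc
    embedded_type, _ = read_ssh_string(blob, 0)
    if embedded_type != keytype.encode():
        raise ValueError("declared %s but blob says %s"
                         % (keytype, embedded_type.decode(errors="replace")))
    return keytype, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: 'MD5:' plus colon-separated hex, as older lists used."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def audit_keys(lines: List[str], blocklist: Set[str]) -> List[Dict[str, str]]:
    """One report row per key line: status is 'weak', 'ok' or 'malformed'.

    The blocklist may hold SHA256 or MD5 fingerprints; both are checked.
    Malformed lines are reported rather than skipped, so a garbled key
    cannot silently escape the audit.
    """
    report = []
    for line in lines:
        try:
            parsed = parse_pubkey_line(line)
        except ValueError as exc:
            report.append({"comment": line.strip()[:40], "status": "malformed",
                           "reason": str(exc)})
            continue
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        fp256, fpmd5 = fingerprint_sha256(blob), fingerprint_md5(blob)
        status = "weak" if (fp256 in blocklist or fpmd5 in blocklist) else "ok"
        report.append({"comment": comment, "type": keytype, "sha256": fp256,
                       "md5": fpmd5, "status": status})
    return report


# --- constructed sample data: not real keys ---
def make_ed25519_line(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from a fixed 32-byte pattern."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


SAMPLE_KEYS = [
    make_ed25519_line(0x01, "alice@example"),
    make_ed25519_line(0x02, "bob@example"),
    "# a comment line, skipped",
    "ssh-rsa not-base64!!! carol@example",
    # declared ssh-rsa, but the blob carries an ssh-ed25519 header
    "ssh-rsa " + base64.b64encode(ssh_string(b"ssh-ed25519") + b"\x00" * 32).decode()
    + " dave@example",
]

# Stand-in blocklist: pretend alice's key is one of the known-weak ones.
WEAK_FINGERPRINTS = {fingerprint_sha256(parse_pubkey_line(SAMPLE_KEYS[0])[1])}


if __name__ == "__main__":
    for row in audit_keys(SAMPLE_KEYS, WEAK_FINGERPRINTS):
        print(row["status"], row.get("comment"), row.get("sha256", row.get("reason")))
```

Because a fingerprint depends only on the public-key blob, the same lookup works for keys pulled from the GitHub API, from hg.python.org's authorized_keys, or from any other service: export the keys once, compare against the list, and treat every "weak" and every "malformed" row as something to revoke or investigate.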