[python-committers] Weak SSH keys
Benjamin Peterson
benjamin at python.org
Tue Jun 2 18:28:09 CEST 2015
On Tue, Jun 2, 2015, at 11:19, A.M. Kuchling wrote:
> Someone ran an experiment looking at the SSH keys used on GitHub
> (public keys are accessible through the API):
>
> https://blog.benjojo.co.uk/post/auditing-github-users-keys
>
> Excerpt:
>
> I remembered back to the May 2008 Debian OpenSSH bug, where
> the randomness source was compromised to the point where the
> system could only generate one of 32k keys in a set.
>
> I used g0tmi1k’s set of keys to compare against what I had in
> my database, and found a very large amount of users who are
> still using vulnerable keys, and even worse, have commit
> access to some really large and wide projects including:
>
> ...
> Crypto libraries to Python
> Django
> Python’s core
> ...
>
> CPython is not officially on github, so committing evil stuff to the
> github mirror may not matter very much, but these users may have the
> same key configured for hg.python.org. Should we check everyone's SSH
> keys?
I believe Martin checked everyone's keys when that vulnerability was
announced. He certainly emailed me anyway.
Not that it wouldn't hurt to do again.
Also, everyone should use ed25519 keys now. :)
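The audit the thread asks about (compare each committer's public key against the known-weak fingerprint set, and while at it flag small RSA moduli and anything that is not ed25519) can be scripted against an authorized_keys file or the key lines GitHub's API returns. The code below is an added example, not part of this thread and not the checker Martin ran; it assumes plain key lines without authorized_keys options, and its sample keys and `KNOWN_WEAK_FINGERPRINTS` set are constructed placeholders standing in for a real blacklist such as the fingerprints Debian's openssh-blacklist package shipped.

```python
import base64
import hashlib
import struct

# --- minimal SSH public-key wire-format helpers (RFC 4251 string / mpint) ---

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:            # keep the mpint positive: prepend a zero byte
        raw = b"\x00" + raw
    return _ssh_string(raw)

def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + length], off + length

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint, same form 'ssh-keygen -lf' prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_public_key(line: str) -> dict:
    """Parse one 'type base64blob [comment]' line into type, bits, fingerprint."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode()
    if key_type != parts[0]:
        raise ValueError("key type prefix does not match key blob")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent (unused here)
        n, off = _read_string(blob, off)    # modulus
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256
    return {"type": key_type, "bits": bits,
            "fingerprint": fingerprint_sha256(blob),
            "comment": " ".join(parts[2:])}

def audit_keys(text: str, weak_fingerprints: set) -> list:
    """Return one finding per key line; an empty 'reasons' list means clean."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = parse_public_key(line)
        reasons = []
        if key["fingerprint"] in weak_fingerprints:
            reasons.append("fingerprint is on the known-weak blacklist")
        if key["type"] == "ssh-rsa" and key["bits"] < 2048:
            reasons.append(f"RSA modulus only {key['bits']} bits")
        if key["type"] != "ssh-ed25519":
            reasons.append("not an ed25519 key (rotate when convenient)")
        findings.append({"line": lineno, "comment": key["comment"],
                         "type": key["type"], "bits": key["bits"],
                         "fingerprint": key["fingerprint"], "reasons": reasons})
    return findings

# --- CONSTRUCTED sample data: structurally valid blobs, not real key material ---

def _make_rsa_blob(bits: int) -> bytes:
    n = (1 << (bits - 1)) | 1        # fixed-width odd number, NOT a real modulus
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)

def _key_line(key_type: str, blob: bytes, comment: str) -> str:
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEYS = "\n".join([
    "# constructed committer keys for the example",
    _key_line("ssh-rsa", _make_rsa_blob(2048), "alice@etch-2008"),
    _key_line("ssh-rsa", _make_rsa_blob(1024), "bob@old-laptop"),
    _key_line("ssh-ed25519", _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32)),
              "carol@workstation"),
    _key_line("ssh-rsa", _make_rsa_blob(4096), "dave@desktop"),
])

# PLACEHOLDER blacklist: in a real audit load the published weak-key fingerprints.
KNOWN_WEAK_FINGERPRINTS = {fingerprint_sha256(_make_rsa_blob(2048))}

if __name__ == "__main__":
    for f in audit_keys(SAMPLE_KEYS, KNOWN_WEAK_FINGERPRINTS):
        status = "OK  " if not f["reasons"] else "WARN"
        print(f"{status} line {f['line']:>2} {f['type']:<12} {str(f['bits']):>5} "
              f"{f['fingerprint']} {f['comment']}: {'; '.join(f['reasons']) or 'clean'}")
```

Run it as-is to see the report for the constructed keys, or feed `audit_keys` the concatenated key lines for every committer and a real blacklist. Fingerprints are computed over the decoded blob exactly as `ssh-keygen -lf` does, so the same set can be matched against output from that tool; the blacklist check is the one that actually catches the 2008 Debian keys, the size and type checks are the cheap hygiene the last line of the thread asks for.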