Weak SSH keys opened many GitHub repositories to compromise

Github repositories of many entities, projects, and even one government could have been compromised and used to deliver malicious code due to the owners’ use of easily crackable SSH keys.

“A little known feature of GitHub is the ability to look at the public SSH keys that other users have set to be authorised on their account,” software developer Ben Cartwright-Cox explains in a recent blog post detailing this finding.

“This is a great debugging feature and in addition a great way to share SSH public keys. However one of the other side effects of this is that it means that everyone can see your public keys, and if someone cares enough, collect a massive database of everyone’s SSH keys.”

Cartwright-Cox did just that: he collected nearly 1.4 million keys, and started analyzing them. He found some that were trivially crackable (contained an insufficient number of bits), including a number of keys that were created by using a flawed random number generator originally contained in Debian, which for a few years returned one of 32,767 keys.

The flaw was found and fixed in 2008, but for nearly two years, weak cryptographic keys were generated by using the aforementioned RNG. Once the flaw was made public, users should have updated their OS, revoked the old keys and generated new one, but obviously many haven’t.

Among the repositories using the weak keys were Spotify’s and Yandex’ public ones, as well as those of the UK government. Django’s repo was also affected, as were those for Python’s core and crypto libraries to Python.

When Cartwright-Cox contacted GitHub about this matter in March, he discovered there are many other repos that used they weak keys. In early May GitHub revoked the Debian-created weak keys and sent out emails to repo admins to create new ones. A month later, they did the same with accounts using other weak and low quality keys.

“If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time,” Cartwright-Cox noted.

“The most scary part of this is that anyone could have just looped through all of these keys just trying to SSH into GitHub to see the banner it gives you. It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker.”