├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE.md ├── README.md └── ssh-key-algo /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | +++ 2 | version = "1.4" 3 | aliases = ["/version/1/4"] 4 | +++ 5 | 6 | # Contributor Covenant Code of Conduct 7 | 8 | ## Our Pledge 9 | 10 | In the interest of fostering an open and welcoming environment, we as 11 | contributors and maintainers pledge to make participation in our project and 12 | our community a harassment-free experience for everyone, regardless of age, body 13 | size, disability, ethnicity, sex characteristics, gender identity and expression, 14 | level of experience, education, socio-economic status, nationality, personal 15 | appearance, race, religion, or sexual identity and orientation. 16 | 17 | ## Our Standards 18 | 19 | Examples of behavior that contributes to creating a positive environment 20 | include: 21 | 22 | * Using welcoming and inclusive language 23 | * Being respectful of differing viewpoints and experiences 24 | * Gracefully accepting constructive criticism 25 | * Focusing on what is best for the community 26 | * Showing empathy towards other community members 27 | 28 | Examples of unacceptable behavior by participants include: 29 | 30 | * The use of sexualized language or imagery and unwelcome sexual attention or 31 | advances 32 | * Trolling, insulting/derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or electronic 35 | address, without explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Our Responsibilities 40 | 41 | Project maintainers are responsible for clarifying the standards of acceptable 42 | behavior and are expected to take appropriate and fair corrective action in 43 | response to any instances of unacceptable behavior. 44 | 45 | Project maintainers have the right and responsibility to remove, edit, or 46 | reject comments, commits, code, wiki edits, issues, and other contributions 47 | that are not aligned to this Code of Conduct, or to ban temporarily or 48 | permanently any contributor for other behaviors that they deem inappropriate, 49 | threatening, offensive, or harmful. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all project spaces, and it also applies when 54 | an individual is representing the project or its community in public spaces. 55 | Examples of representing a project or community include using an official 56 | project e-mail address, posting via an official social media account, or acting 57 | as an appointed representative at an online or offline event. Representation of 58 | a project may be further defined and clarified by project maintainers. 59 | 60 | ## Enforcement 61 | 62 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 63 | reported by contacting the project team at opensource@github.com. All 64 | complaints will be reviewed and investigated and will result in a response that 65 | is deemed necessary and appropriate to the circumstances. The project team is 66 | obligated to maintain confidentiality with regard to the reporter of an incident. 67 | Further details of specific enforcement policies may be posted separately. 68 | 69 | Project maintainers who do not follow or enforce the Code of Conduct in good 70 | faith may face temporary or permanent repercussions as determined by other 71 | members of the project's leadership. 72 | 73 | ## Attribution 74 | 75 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 76 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 77 | 78 | [homepage]: https://www.contributor-covenant.org 79 | 80 | For answers to common questions about this code of conduct, see 81 | https://www.contributor-covenant.org/faq 82 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Contributing 2 | 3 | [fork]: https://github.com/github/ssh-key-algo/fork 4 | [pr]: https://github.com/github/ssh-key-algo/compare 5 | [code-of-conduct]: CODE_OF_CONDUCT.md 6 | 7 | Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great. 8 | 9 | Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE.md). 10 | 11 | Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms. 12 | 13 | ## Submitting a pull request 14 | 15 | 0. [Fork][fork] and clone the repository 16 | 0. Create a new branch: `git checkout -b my-branch-name` 17 | 0. Make your change 18 | 0. Push to your fork and [submit a pull request][pr] 19 | 0. Pat your self on the back and wait for your pull request to be reviewed and merged. 20 | 21 | Here are a few things you can do that will increase the likelihood of your pull request being accepted: 22 | 23 | - Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests. 24 | - Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html). 25 | 26 | ## Resources 27 | 28 | - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/) 29 | - [Using Pull Requests](https://help.github.com/articles/about-pull-requests/) 30 | - [GitHub Help](https://help.github.com) 31 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 GitHub 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ssh-key-algo 2 | 3 | A script to check if the SSH key is using an algorithm that will continue working after GitHub deprecates some insecure algorithms. For more information see the blog post at https://github.blog/2021-09-01-improving-git-protocol-security-github/. 4 | 5 | This script was tested on MacOS, Debian stretch or higher and CentOS 6 or higher. 6 | 7 | ## License 8 | 9 | MIT (c) GitHub 2021 10 | 11 | See the full license text in the [LICENSE](LICENSE.md) file. 12 | -------------------------------------------------------------------------------- /ssh-key-algo: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Run this script as "ssh-key-algo git@github.com". You can also specify a 4 | # different location if you'd like to run this against an GitHub Enterprise 5 | # Server instance. 6 | 7 | usage () { 8 | echo "usage: ssh-key-algo [-i identity_file] [@]" 9 | echo 10 | echo " Check the algorithm your ssh key for accessing a given host is" 11 | echo " using and make sure it's still going to be usable when insecure" 12 | echo " algorithms are being deprecated" 13 | echo 14 | echo " Will check against git@github.com by default. Specify a" 15 | echo " different location if you'd like to run this against an GitHub" 16 | echo " Enterprise Server instance." 17 | } 18 | 19 | DIR=$(mktemp -d -t tmp.XXXXXXX) 20 | trap 'rm -fr "$DIR"' EXIT 21 | 22 | if [ "$1" = "-i" ] 23 | then 24 | if [ "$#" -ge 2 ] 25 | then 26 | identity="$2" 27 | shift 2 28 | else 29 | usage 30 | exit 1 31 | fi 32 | fi 33 | 34 | host=${1:-"git@github.com"} 35 | if [ "$#" -gt 1 ] 36 | then 37 | usage 38 | exit 1 39 | fi 40 | if [ "$1" = "--help" ] || [ "$1" = "-h" ] 41 | then 42 | usage 43 | exit 0 44 | fi 45 | 46 | echo "using: $(command -v ssh)" 47 | 48 | # Disable connection reuse because we can't parse the output if that happens. 49 | ssh -vvv -oControlMaster=no -oControlPath=no ${identity:+-i "$identity"} "$host" >"$DIR/output" 2>&1 50 | 51 | # Turn the OpenSSH version into one without dots. For example, 7.2 becomes 72, 52 | # and 8.4 becomes 84. 53 | # We only want the first result, this in case there is for instance a ProxyJumps configured. 54 | VERSION=$(sed -n -e 's/^OpenSSH_\([0-9]*\)\.\([0-9]\).*/\1\2/p' <"$DIR/output" | head -n 1) 55 | if [ -z "$VERSION" ]; 56 | then 57 | echo "OpenSSH is not installed, can't determine key type." 58 | exit 5 59 | fi 60 | 61 | grep -E "sign_and_send_pubkey|Server accepts key" "$DIR/output" >"$DIR/processed" 62 | # This should be an algorithm like "rsa-sha2-512" or "ssh-ed25519". 63 | ALGO=$(sed -n -e 's/^.*signing using \([a-z0-9-]*\).*/\1/p' <"$DIR/processed") 64 | [ -z "$ALGO" ] && ALGO=$(sed -n -e 's/^.*Server accepts key: pkalg \([a-z0-9-]*\) blen.*/\1/p' <"$DIR/processed") 65 | # This will be something like "RSA" or "ECDSA". 66 | KEYTYPE=$(sed -n -e 's/^.*sign_and_send_pubkey: \([A-Za-z0-9]*\) .*:.*/\1/p' <"$DIR/processed") 67 | DENIED=$(grep "Permission denied (publickey)." "$DIR/output") 68 | 69 | if [ -z "$ALGO" ] && [ -n "$KEYTYPE" ] 70 | then 71 | case "$KEYTYPE" in 72 | RSA) 73 | ALGO="ssh-rsa" 74 | ;; 75 | DSA|DSS) 76 | ALGO="ssh-dss" 77 | ;; 78 | ECDSA) 79 | # We don't know what type it is, but it's okay for us. 80 | ALGO="ecdsa" 81 | ;; 82 | Ed25519|ED25519) 83 | ALGO="ssh-ed25519" 84 | ;; 85 | esac 86 | fi 87 | 88 | if [ "$VERSION" -ge 65 ] 89 | then 90 | # 6.5 was the first version to support Ed25519 keys. 91 | KEYGEN="ssh-keygen -t ed25519" 92 | elif [ "$VERSION" -ge 57 ] 93 | then 94 | # 5.7 was the first version to support ECDSA keys. 95 | KEYGEN="ssh-keygen -t ecdsa" 96 | else 97 | # This is an old version that doesn't offer any secure algorithms. The OS 98 | # probably is not receiving security updates, either. 99 | : 100 | fi 101 | 102 | if [ -n "$ALGO" ] 103 | then 104 | case "$ALGO" in 105 | rsa-sha2-256|rsa-sha2-512) 106 | printf "You're using an RSA key with SHA-2 (algorithm %s). You're all set!\n" "$ALGO" 107 | ;; 108 | ssh-rsa) 109 | printf "You're using an RSA key with SHA-1.\n" 110 | if [ -n "$KEYGEN" ] 111 | then 112 | cat <