AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Gitkraken ssh key9/16/2023 ![]() ![]() My repo is on so I go to that tab and find that Gk "is connected" but trying to brows for ssh keys to add ends up with the same permission denied error. Navigating to my ~/.ssh dir yields a permission denied message. By default Gk is pointing to an ssh dir under it's ~/snap/gitkraken/ dir. Un-checking it offers me the opportunity to brows for ssh keys. Under the General tab "use local ssh agent" is checked. I have tried setting gk's auth prefs: File -> Preferences -> Authentication. I can not change that as far as I know at this time.Īddressing questions below in more detail: It seems to prefer its own ssh dir in a snap config folder in my home dir. If I go to Gk's settings and try to force it to use my ssh keys in ~/.ssh I am told that Gk does not have permissions to read the dir. If, in the same terminal window, I start Gitkraken it still will not recognize that I have ssh keys loaded. If I start up a terminal window and start the openssh ssh-agent and then do an ssh-add of the keys in ~/.ssh I can then use command-line git just fine. First connect your account then click that green button to generate the key. I dig that Mint is using GNU keyring or some-such by default but Gitkracken seems to ignore it as the "default" ssh agent. snap run gitkraken from terminal and wait a bit then it will ask for your ssh key Passphrase type it hit enter. I have started trying to use Gitkraken on Linux Mint. ![]() Users whose keys have been revoked are notified by GitHub and are advised to review their SSH keys and replace them if they were generated using the vulnerable library.Īxosoft recommends that users of their product utilize GitKraken 8.0.1 or later to generate new SSH keys for each Git service provider.Gitkraken: 6.0.0 installed via snap. GitHub also revoked other potentially weak keys generated by other clients using the same keypair library. To protect its users, GitHub revoked all keys generated by GitKraken at 17:00 UTC/1 PM EST. In this case, the SSH server is the Git server and the SSH client is the Jira server. Other possibly weak keys produced by other clients using the same keypair library were also canceled by GitHub. (Example: idrsa.pub and idrsa) For establishing safety connection with SSH, upload a public key to the SSH server and set the private key to the SSH client. We recommend replacing any RSA keys that were generated using keypair version 1.0.3 or earlier.ĭan Suceava of Axosoft found the flaw after “noticing that keypair was routinely producing duplicate RSA keys.” This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. In addition to revoking these keys, we have also implemented protections to prevent vulnerable versions of GitKraken from adding newly-generated weak keys by the older, vulnerable versions of the client in the future.Ī Keypair is a JavaScript tool that allows you to programmatically generate SSH keys.ĭuplicate RSA keys were produced due to a vulnerability in the library’s pseudo-random number generator, allowing users to access other GitHub accounts secured with the same SSH key.Ī bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. Today as of 1700 UTC, we’ve revoked all keys generated by these vulnerable versions of the GitKraken client that were in use on, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency. ![]() This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken’s disclosure on their blog. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. ![]() On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. GitHub and Axosoft, LLC, the developers of the popular GitKraken Git client, confirmed today that they have revoked weak SSH keys generated by the software’s keypair package. You may use the key with a Git client to automatically log in to GitHub without having to enter in your username and password once you’ve added it to your account. To do this, users would need to establish an SSH keypair and add the public key to their accounts’ SSH key settings. The SSH protocol used by GitHub allows you to log in without a user name or password. ![]()
0 Comments
Read More
Leave a Reply. |