
How does GitHub handle push security?

Question:

When I set up my computer for Git, I generate a private and public SSH key. I then let GitHub know what my public key is. My understanding is that public keys can encrypt messages, and the private key decrypts them. So I can understand how GitHub can send me encrypted messages via SSH.

However, my question is that when I push to GitHub, how does it know that it is me who is doing the push? Couldn't someone else create their own SSH key with my name and email, and then push to my GitHub repository?

I doubt this is the case, so what are the security measures that are in place for this? Thanks!

Answer1:

GitHub has a copy of your public key, which has more information than just your name and e-mail address. It has a unique fingerprint that cannot be reproduced by generating a forged public key (at least not without a massive brute-force attack or some unanticipated mathematical breakthrough).

The way the ssh protocol works, GitHub sees an ssh connection that it authenticates against your public key. Such a connection can only be created by someone who has a copy of your private key.

GitHub doesn't have a copy of your private key, but it can verify that you do. (That's what public key cryptography, http://en.wikipedia.org/wiki/Public_key_cryptography, is all about.)
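
The check described in the answer, as an added example that is not part of the original answer and not GitHub's code: a server that stores only public keys verifies an Ed25519 signature over a fresh challenge, so a key that merely carries the same name and e-mail is rejected. The names `newIdentity`, `Server`, `signChallenge` and `demo` are hypothetical, and the exchange is simplified (real SSH signs data bound to the session and fingerprints its own key encoding).

```javascript
// Added illustration (Node.js built-in crypto): proof of private-key possession.
const nodeCrypto = require('node:crypto');

// Hypothetical identity: a fresh Ed25519 key pair plus the free-text comment on the key.
function newIdentity(comment) {
  return { comment, ...nodeCrypto.generateKeyPairSync('ed25519') };
}

// Simplified fingerprint: SHA-256 over the DER-encoded public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(der).digest('base64');
}

// Server side: holds registered public keys only, never a private key.
class Server {
  constructor() { this.keys = new Map(); } // fingerprint -> { account, publicKey }
  register(account, publicKey) {
    this.keys.set(fingerprint(publicKey), { account, publicKey });
  }
  // Fresh random data per connection, so an old signature cannot be reused.
  newChallenge() { return nodeCrypto.randomBytes(32); }
  // Returns the account if the signature verifies under a registered key, else null.
  authenticate(offeredKey, challenge, signature) {
    const entry = this.keys.get(fingerprint(offeredKey));
    if (!entry) return null; // unknown key; its comment is never consulted
    return nodeCrypto.verify(null, challenge, entry.publicKey, signature) ? entry.account : null;
  }
}

// Client side: only the holder of the private key can produce this signature.
function signChallenge(identity, challenge) {
  return nodeCrypto.sign(null, challenge, identity.privateKey);
}

function demo() {
  const server = new Server();
  const alice = newIdentity('alice@example.com'); // constructed sample identity
  server.register('alice', alice.publicKey);
  const other = newIdentity('alice@example.com'); // different key, same label
  const c = server.newChallenge();
  return {
    owner: server.authenticate(alice.publicKey, c, signChallenge(alice, c)),
    sameLabelOtherKey: server.authenticate(other.publicKey, c, signChallenge(other, c)),
    // Alice's public key offered, but signed with a different private key.
    borrowedPublicKey: server.authenticate(alice.publicKey, c, signChallenge(other, c)),
    replayed: server.authenticate(alice.publicKey, server.newChallenge(), signChallenge(alice, c)),
  };
}
```

Only `owner` resolves to an account; the other three results are `null` because no registered key verifies the signature presented.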
