When I set up my computer for Git, I generate a private and public SSH key. I then let GitHub know what my public key is. My understanding is that public keys can encrypt messages, and the private key decrypts it. So I can understand how GitHub can send me encrypted messages via SSH.
However, my question is that when I push to GitHub, how does it know that it is me who is doing the push? Couldn't someone else create their own SSH key with my name and email, and then push to my GitHub repository?
I doubt this is the case, so what are the security measures that are in place for this? Thanks!

Answer1:
GitHub has a copy of your public key, which has more information than just your name and e-mail address. It has a unique fingerprint that cannot be reproduced by generating a forged public key (at least not without a massive brute-force attack or some unanticipated mathematical breakthrough).
The way the ssh protocol works, GitHub sees an ssh connection that it authenticates against your public key. Such a connection can <em>only</em> be created by someone who has a copy of your private key.
GitHub doesn't have a copy of your private key, but it can verify that you do. (That's what <a href="http://en.wikipedia.org/wiki/Public_key_cryptography" rel="nofollow">public key cryptography</a> is all about.)
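As an added illustration of the proof-of-possession step the answer describes (example code written here, not from the question, the answer, or GitHub), a stand-alone Go simulation using Ed25519 from the standard library: the server keeps only the public key plus a free-text comment, the client signs a server-chosen session ID, and a second key generated with the same name/e-mail comment fails verification. The message being signed is simplified from the real SSH userauth request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// RegisteredKey is what the server stores: the public key bytes and the
// comment from the uploaded key. The comment carries no security weight.
type RegisteredKey struct {
	Public  ed25519.PublicKey
	Comment string
}

// Fingerprint mirrors the "SHA256:..." form ssh-keygen -l prints (here over
// the raw key bytes; real ssh-keygen hashes the wire-encoded key).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// NewSessionID is the server's fresh, unpredictable challenge.
func NewSessionID() []byte {
	id := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		panic(err)
	}
	return id
}

// Sign is the client side: prove possession of the private key by signing
// the session ID. The private key itself never leaves the client.
func Sign(priv ed25519.PrivateKey, sessionID []byte) []byte {
	return ed25519.Sign(priv, sessionID)
}

// Authenticate is the server side: verify the signature against the key on
// file. Nothing about the comment (name/e-mail) is consulted.
func Authenticate(reg RegisteredKey, sessionID, sig []byte) bool {
	return ed25519.Verify(reg.Public, sessionID, sig)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key
	registered := RegisteredKey{Public: alicePub, Comment: "alice@example.com"}
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader) // fresh key, same comment
	session := NewSessionID()
	fmt.Println("key on file:", Fingerprint(alicePub))
	fmt.Println("alice:   ", Authenticate(registered, session, Sign(alicePriv, session)))
	fmt.Println("impostor:", Authenticate(registered, session, Sign(impostorPriv, session)))
}
```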