GitHub Revoked Insecure SSH Keys Generated by a Popular git Client
Oct 12, 2021
Code hosting platform GitHub has revoked weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys. As an added precautionary measure, the Microsoft-owned company also said it's building safeguards to prevent vulnerable versions of GitKraken from adding newly generated weak keys.

The problematic dependency, called "keypair," is an open-source SSH key generation library that allows users to create RSA keys for authentication-related purposes. It has been found to impact GitKraken versions 7.6.x, 7.7.x, and 8.0.0, released between May 12, 2021, and September 27, 2021.

The flaw — tracked as CVE-2021-41117 (CVSS score: 8.7) — concerns a bug in the pseudo-random number generator used by the library, resulting in the creation of a weaker form of public SSH keys, which, owing to their low entropy — i.e., the measure of r...
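As an added example (not code from the article, GitHub or GitKraken), a small Python audit a defender could run over an `authorized_keys` file: it decodes OpenSSH `ssh-rsa` lines and flags the two symptoms of a weak RSA key generator that the article describes, the same modulus appearing under different owners (a duplicated key) and distinct moduli that share a prime factor. The key material and owner names are constructed; the small Mersenne primes stand in for real RSA primes.

```python
import base64, hashlib, struct
from itertools import combinations
from math import gcd

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)  # keep sign bit clear

def encode_rsa_pubkey(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa' public key line from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_rsa_pubkey(line: str) -> dict:
    """Decode an ssh-rsa line into e, n, comment and the OpenSSH SHA256 fingerprint."""
    _, b64, *rest = line.split()
    blob, fields, off = base64.b64decode(b64), [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4: off + 4 + length])
        off += 4 + length
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"comment": rest[0] if rest else "", "e": int.from_bytes(fields[1], "big"),
            "n": int.from_bytes(fields[2], "big"), "fp": "SHA256:" + fp}

def audit_keys(lines: list) -> list:
    """Flag identical moduli (duplicated keys) and distinct moduli sharing a prime."""
    owners_by_n = {}
    for line in lines:
        if line.startswith("ssh-rsa "):
            k = parse_rsa_pubkey(line)
            owners_by_n.setdefault(k["n"], []).append(k["comment"])
    findings = [("duplicate", tuple(o)) for o in owners_by_n.values() if len(o) > 1]
    for (n1, o1), (n2, o2) in combinations(owners_by_n.items(), 2):
        if gcd(n1, n2) != 1:  # a shared prime means both moduli factor with one gcd
            findings.append(("shared-factor", (o1[0], o2[0])))
    return findings

# Constructed toy keys: small Mersenne primes stand in for real RSA primes.
P, Q, R, S, T = 2**61 - 1, 2**31 - 1, 2**19 - 1, 2**17 - 1, 2**13 - 1
SAMPLE_AUTHORIZED_KEYS = [
    encode_rsa_pubkey(65537, P * Q, "alice@laptop"),
    encode_rsa_pubkey(65537, P * Q, "bob@desktop"),  # same modulus: duplicated key
    encode_rsa_pubkey(65537, P * R, "carol@ci"),     # shares prime P with the pair above
    encode_rsa_pubkey(65537, S * T, "dave@home"),    # independent, healthy key
]
```

Running `audit_keys(SAMPLE_AUTHORIZED_KEYS)` reports the alice/bob duplicate and the alice/carol shared factor while leaving dave's key unflagged; the same fingerprint comparison is how a hosting platform can spot one key registered to several accounts.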