How does GitHub handle push security?
When I set up my computer for Git, I generate a private and public SSH key. I then let GitHub know what my public key is. My understanding is that public keys can encrypt messages, and the private key decrypts them. So I can understand how GitHub can send me encrypted messages via SSH.
However, my question is that when I push to GitHub, how does it know that it is me who is doing the push? Couldn’t someone else create their own SSH key with my name and email, and then push to my GitHub repository?
I doubt this is the case, so what are the security measures that are in place for this? Thanks!
One solution collected from the web for “How does GitHub handle push security?”
GitHub has a copy of your public key, which has more information than just your name and e-mail address. It has a unique fingerprint that cannot be reproduced by generating a forged public key (at least not without a massive brute-force attack or some unanticipated mathematical breakthrough).
The way the ssh protocol works, GitHub sees an ssh connection that it authenticates against your public key. Such a connection can only be created by someone who has a copy of your private key.
GitHub doesn’t have a copy of your private key, but it can verify that you do. (That’s what public key cryptography is all about.)
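The check described in the answer, as an added example that is not part of the original answer or GitHub's code: a simplified model of SSH public-key authentication built on textbook RSA with constructed toy primes (real SSH uses full-size keys and padded signatures). The names `make_key`, `server_accepts` and `mallory` are hypothetical.

```python
import hashlib, secrets

E = 65537  # public exponent

def make_key(p, q, comment):
    """Textbook RSA key pair from two primes (toy sizes, illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"pub": (n, comment), "priv": (n, d)}

def fingerprint(pub):
    # Computed over the key material only; the comment is a free-text label.
    return hashlib.sha256(str(pub[0]).encode()).hexdigest()[:16]

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    return pow(sig, E, pub[0]) == _digest(msg, pub[0])

def server_accepts(registered, offered_pub, session_id, sig):
    """Server side of the model: the offered key must be on an account AND
    the signature over this connection's session id must verify under it."""
    account = registered.get(fingerprint(offered_pub))
    if account is None:
        return None  # unknown key, whatever its comment says
    return account if verify(offered_pub, session_id, sig) else None

# Constructed keys: Mersenne primes stand in for real key generation.
alice = make_key(2**61 - 1, 2**89 - 1, "alice@example.com")
mallory = make_key(2**107 - 1, 2**127 - 1, "alice@example.com")  # same label
registered = {fingerprint(alice["pub"]): "alice"}  # what the server stores

def demo():
    sid = secrets.token_bytes(32)  # fresh per connection, so signatures cannot be replayed
    return {
        "owner": server_accepts(registered, alice["pub"], sid, sign(alice["priv"], sid)),
        "forged_key": server_accepts(registered, mallory["pub"], sid, sign(mallory["priv"], sid)),
        "stolen_pub": server_accepts(registered, alice["pub"], sid, sign(mallory["priv"], sid)),
    }
```

Only the first case authenticates: a new key carrying the same name and email has a different fingerprint, and presenting the real public key without the matching private key produces a signature that does not verify.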