Releases: dolmen/github-keygen

v1.306 2022-06-09

08 Jun 23:31
  • On key creation, switch default key size from 2048 bits to 4096 bits.

  • Update ~/.ssh/known_hosts_github to include only the ssh-ed25519 public keys of GitHub servers (ssh-rsa and ssh-dss keys are removed).

  • Disallow ssh-rsa public keys for GitHub servers.

v1.305

22 Jan 09:28
  • Remove MAC algorithm hmac-ripemd160 as it has been removed from OpenSSH 7.6. It is also not supported by GitHub anymore. Thanks to Laggard Kernel for the patch. This had no impact on users as github-keygen does feature detection of OpenSSH.

  • Hide warnings about known deprecated OpenSSH options (Protocol, UseRoaming). We still support them to secure old OpenSSH clients.

v1.304

02 Feb 13:13

Remove key exchange diffie-hellman-group14-sha1 because it has been removed by GitHub. See https://githubengineering.com/crypto-deprecation-notice/

v1.303

02 Feb 13:15

Fix SSH options and algorithm support detection that was accidentally disabled since v1.100. This makes github-keygen work with OpenSSH 7.6+ that removed an algorithm.

Fix for support of OpenSSH down to 5.1.

Detect bad permissions on file ~/.ssh/config and report them.

v1.302

02 Feb 13:17

Remove UseRoaming option if OpenSSH >= 7.2 on Mac OS X Sierra (issue #31): Sierra has 7.2p2, the same version as Ubuntu 16.04, but it does not behave the same way.

Old OpenSSH compatibility fixes:

  • Hide ssh -Q errors (when the option is not supported).
  • Do not use %n in ControlPath option.

v1.301

26 Nov 20:54

Remove UseRoaming option if OpenSSH >= 7.3 (Mac OS X Sierra, issue #31): this option has been removed from OpenSSH.

v1.300

24 Oct 21:02

Changes:

  • Keys registered in ~/.ssh/config are now compared with keys registered on GitHub to detect keys unknown to the service. An --offline flag disables this check.
  • Development is back on master branch (instead of deleted devel).

v1.200

22 Feb 22:47

Changes:

  • Add versioning to the generated config. This makes it possible to detect dangerous attempts at downgrading to an older version of github-keygen.
  • Preserve the position of the github-keygen section in ~/.ssh/config. Previously, the section was always put at the end of the file. This was breaking configs where the user had a Host * section at the end of the file to set default settings: as the section was moved above us, those default settings were applied before our own.

v1.101

27 Jan 00:44

Config: set UseRoaming no to protect against the OpenSSH roaming vulnerability.

v1.100

24 Nov 10:27

Changes:

  • Config: use the official case for the HostName option (instead of Hostname).
  • For the best compatibility of the SSH configuration with old SSH versions, we now look in the ssh_config(5) man page for the list of supported options and unavailable options are then commented with '##'. If the man page is not found, we still use all options.
  • On msys platform (bash in msysgit), the ControlMaster option of OpenSSH doesn't work because msys lacks support for passing file descriptors. So we now disable this option on this platform.
  • We filter our lists of algorithms (see https://stribika.github.io/2015/01/04/secure-secure-shell.html) against the lists reported by ssh -Q <cipher|mac|kex>. This restores compatibility with OpenSSH versions such as 6.6.1p1 bundled with msysgit, which does not support ciphers named aes*-gcm@openssh.com.
  • Various fixes/workarounds to restore full support of the old SSH (4.6p1) that is bundled with msysgit (Git on Win32).
  • Store the ControlPath in $XDG_RUNTIME_DIR (see the XDG Base Directory Specification) if available.
  • Doc fixes: change "Github" to "GitHub".
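
The `ssh -Q` filtering described in the v1.100 notes, with the error hiding mentioned for v1.302, sketched as an added shell example; this is not github-keygen's own code. The function names, the sample lists and the two fallback choices (keep the list when no detection data is available, comment the line out with '##' when nothing survives) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not github-keygen's code). All function names are hypothetical.

# supported_algos KIND: KIND is cipher, mac or kex. Errors are hidden because
# old OpenSSH clients have no -Q option; the result is then empty.
supported_algos() {
    ssh -Q "$1" 2>/dev/null || true
}

# filter_algos PREFERRED_CSV SUPPORTED_LINES: print the preferred names, order
# preserved, that appear as a whole line in SUPPORTED_LINES.
filter_algos() {
    preferred=$1 supported=$2 out=
    old_ifs=$IFS; IFS=,; set -f            # split on commas, no globbing
    for algo in $preferred; do
        # -x whole line, -F literal: '.' and '@' in names are not regex syntax
        if printf '%s\n' "$supported" | grep -qxF -- "$algo"; then
            out=${out:+$out,}$algo
        fi
    done
    IFS=$old_ifs; set +f
    printf '%s' "$out"
}

# config_line OPTION PREFERRED_CSV SUPPORTED_LINES: emit one ssh_config line.
config_line() {
    option=$1 wanted=$2 detected=$3
    if [ -z "$detected" ]; then
        # Assumption: without detection data, keep the list unfiltered.
        printf '%s %s\n' "$option" "$wanted"
        return 0
    fi
    kept=$(filter_algos "$wanted" "$detected")
    if [ -n "$kept" ]; then
        printf '%s %s\n' "$option" "$kept"
    else
        # Assumption: nothing usable, so comment the option out with '##'.
        printf '## %s %s\n' "$option" "$wanted"
    fi
}

# Constructed sample: `ssh -Q cipher` output of a client without AES-GCM.
SAMPLE_SUPPORTED='aes128-ctr
aes192-ctr
aes256-ctr
chacha20-poly1305@openssh.com'
PREFERRED='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr'

config_line Ciphers "$PREFERRED" "$SAMPLE_SUPPORTED"
# Live use: config_line Ciphers "$PREFERRED" "$(supported_algos cipher)"
```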