Detect leaked ssh keys in backup snapshots #253
Merged
This adds detection of leaked SSH host keys in backup snapshots.

Detection has been added to the backup as well as restore scripts. A standalone script is also provided to verify the status of all snapshots or individual backup snapshots.

Example of a restore run:

```
$./bin/ghe-restore -v -f
* Leaked key found in backup snapshot.
* Snapshot file: /home/dev/backup-utils-private/data/20160826T114243/ssh-host-keys.tar
* Key file: ssh_host_rsa_key.pub
* Key: c5:23:20:32:3d:c3:23:e5:64:36:e2:09:c9:47:41:12
* The snapshot that is being restored contains a leaked SSH host key.
* We recommend rolling the SSH host keys after completing the restore.
* Roll the keys either manually or with ghe-ssh-roll-host-keys on the appliance.
* (An upgrade may be required)
```

Example standalone run:

```
$>./share/githup-backup-utils/ghe-detect-leaked-ssh-keys
* Leaked key found in backup snapshot.
* Snapshot file: /home/dev/backup-utils-private/data/20160826T114243/ssh-host-keys.tar
* Key file: ssh_host_rsa_key.pub
* Key: c5:23:20:de:3d:c3:c9:e5:64:23:a1:09:c9:47:41:12
* Leaked key found in current backup snapshot.
* Snapshot file: /home/dev/backup-utils-private/data/20160614T045039/ssh-host-keys.tar
* Key file: ssh_host_rsa_key.pub
* Key: c5:11:20:ac:3d:c3:c9:e5:54:36:a1:09:c9:47:41:45
* The current backup contains leaked SSH host keys.
* current backup directory: /home/dev/backup-utils-private/data/20160614T045039
* We strongly recommend rolling your SSH host keys with ghe-ssh-roll-host-keys and making a new backup.
* One or more older backup snapshots that contain leaked SSH host keys,
* No immediate action is needed but when you use one of these older snapshots for a restore, please make sure to roll the SSH host keys after restore.
* Roll the keys either manually or with ghe-ssh-roll-host-keys on the appliance.
* (An upgrade may be required)
```
rubiojr added a commit that referenced this pull request Sep 20, 2016
Bug fixes and required tooling to detect SSH host keys that should be blacklisted, see https://enterprise.github.com/releases/2.7.4/notes
* Cluster: fix offline cluster node detection #253
* Detect leaked ssh keys in backup snapshots @250
rubiojr added a commit that referenced this pull request Sep 20, 2016
Bug fixes and required tooling to detect SSH host keys that should be blacklisted, see https://enterprise.github.com/releases/2.7.4/notes
* Cluster: fix offline cluster node detection #253
* Detect leaked ssh keys in backup snapshots #250
rubiojr added a commit that referenced this pull request Sep 20, 2016
Bug fixes and required tooling to detect SSH host keys that should be blacklisted, see https://enterprise.github.com/releases/2.7.4/notes
* Cluster: fix offline cluster node detection #250
* Detect leaked ssh keys in backup snapshots #253
dooleydevin added a commit that referenced this pull request Nov 10, 2022
Sync with v3.7.0 of public backup-utils
/cc @github/backup-utils
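The check described in the pull request, as an added example that is not the project's own code: it reads the `*.pub` files from a snapshot's `ssh-host-keys.tar`, computes a colon-separated fingerprint for each, and reports any that appear in a set of known-leaked fingerprints. It assumes the 16-byte fingerprints in the output above are MD5 fingerprints of the public key blob and that detection is a lookup against such a list; the keys, the fingerprint set and the helper names are constructed for the demonstration.

```python
import base64, hashlib, io, tarfile

def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of an OpenSSH public key line."""
    blob = base64.b64decode(pubkey_line.split()[1])  # field 2 is the key blob
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def scan_snapshot(tar_bytes, leaked):
    """Return (key file, fingerprint) for each leaked *.pub key in the tar."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.endswith(".pub")):
                continue
            text = tar.extractfile(member).read().decode("ascii", "replace")
            try:
                fp = md5_fingerprint(text.strip())
            except (IndexError, ValueError):
                continue  # malformed key file: skip it, keep scanning
            if fp in leaked:
                hits.append((member.name, fp))
    return hits

def make_key(seed):
    """Constructed stand-in for a public key line (not a real key)."""
    blob = base64.b64encode(b"constructed-blob-" + seed).decode()
    return "ssh-rsa " + blob + " sample"

def make_snapshot(files):
    """Build an in-memory tar archive from {name: text} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

LEAKED_KEY, CLEAN_KEY = make_key(b"A"), make_key(b"B")
LEAKED_FPS = {md5_fingerprint(LEAKED_KEY)}  # hypothetical leaked-key list
SNAPSHOT = make_snapshot({
    "ssh_host_rsa_key.pub": LEAKED_KEY,
    "ssh_host_ed25519_key.pub": CLEAN_KEY,
    "ssh_host_dsa_key.pub": "garbage",     # malformed, must be skipped
    "ssh_host_rsa_key": "not a .pub file", # ignored by the name filter
})

if __name__ == "__main__":
    for name, fp in scan_snapshot(SNAPSHOT, LEAKED_FPS):
        print("* Leaked key found in backup snapshot.")
        print("* Key file: %s\n* Key: %s" % (name, fp))
```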