Configuring SSH connections to your instance

You can increase the security of your GitHub Enterprise Server instance by configuring the SSH algorithms that clients can use to establish a connection.

Who can use this feature

Site administrators can configure SSH connections to a GitHub Enterprise Server instance.

About SSH connections to your instance

Each GitHub Enterprise Server instance accepts SSH connections over two ports. Site administrators can access the administrative shell via SSH, then run command-line utilities, troubleshoot, and perform maintenance. Users can connect via SSH to access and write Git data in the instance's repositories. Users do not have shell access to the instance. For more information, see the following articles.

To accommodate the SSH clients in your environment, you can configure the types of connections that your GitHub Enterprise Server instance will accept.

Configuring SSH connections with RSA keys

When users perform Git operations on your GitHub Enterprise Server instance via SSH over port 22, the client can authenticate with an RSA key. The client may sign the attempt using the SHA-1 hash function. In this context, the SHA-1 hash function is no longer secure. For more information, see SHA-1 on Wikipedia.

By default on GitHub Enterprise Server 3.6 and later, SSH connections that satisfy both of the following conditions will fail.

  • The RSA key was added to a user account on your GitHub Enterprise Server instance after the cutoff date of midnight UTC on August 1, 2022.
  • The SSH client signs the connection attempt with the SHA-1 hash function.

You can adjust the cutoff date. If the user uploaded the RSA key before the cutoff date, the client can continue to connect successfully using SHA-1 as long as the key remains valid. Alternatively, you can reject all SSH connections authenticated with an RSA key if the client signs the connection using the SHA-1 hash function.

Regardless of the setting you choose for your instance, clients can continue to connect using any RSA key signed with a SHA-2 hash function.

If you use an SSH certificate authority, connections will fail if the certificate's valid_after date is after the cutoff date. For more information, see "About SSH certificate authorities."

For more information, see the GitHub Blog.

  1. SSH into your GitHub Enterprise Server instance. If your instance comprises multiple nodes, for example if high availability or geo-replication are configured, SSH into the primary node. If you use a cluster, you can SSH into any node. For more information about SSH access, see "Accessing the administrative shell (SSH)."

    $ ssh -p 122 admin@HOSTNAME

  2. Audit your instance's logs for connections that use insecure algorithms or hash functions using the ghe-find-insecure-git-operations utility. For more information, see "Command-line utilities."

  3. To configure a cutoff date after which your GitHub Enterprise Server instance will deny connections from clients that use an RSA key uploaded after the date if the connection is signed by the SHA-1 hash function, enter the following command. Replace RFC-3339-UTC-TIMESTAMP with a valid RFC 3339 UTC timestamp. For example, the default value, August 1, 2022, would be represented as 2022-08-01T00:00:00Z. For more information, see RFC 3339 on the IETF website.

    $ ghe-config app.gitauth.rsa-sha1 RFC-3339-UTC-TIMESTAMP

  4. Alternatively, to completely disable SSH connections using RSA keys that are signed with the SHA-1 hash function, enter the following command.

    $ ghe-config app.gitauth.rsa-sha1 false

  5. To apply the configuration, enter the following command.

    Note: During a configuration run, services on your GitHub Enterprise Server instance may restart, which can cause brief downtime for users.

  6. Wait for the configuration run to complete.
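The following added example (not GitHub's code) models the policy described above so that an administrator can predict which RSA-authenticated connections a given app.gitauth.rsa-sha1 value will reject. It assumes the standard SSH signature algorithm names (ssh-rsa for SHA-1, rsa-sha2-256 and rsa-sha2-512 for SHA-2) and treats a certificate's valid_after date the same way as a key's upload date, as the text states.

```python
from datetime import datetime, timezone

# Default cutoff on GitHub Enterprise Server 3.6 and later, as stated above.
DEFAULT_CUTOFF = "2022-08-01T00:00:00Z"

# SSH signature algorithm names (assumed; these are the standard identifiers,
# not values taken from the page).
SHA1_SIGNATURE = "ssh-rsa"
SHA2_SIGNATURES = ("rsa-sha2-256", "rsa-sha2-512")


def parse_rfc3339_utc(ts: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp in the form accepted by ghe-config,
    for example 2022-08-01T00:00:00Z. Rejects anything that is not UTC."""
    if not ts.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z, got {ts!r}")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rsa_connection_allowed(setting: str, key_added: str, signature: str) -> bool:
    """Return True if the instance accepts an SSH connection authenticated
    with an RSA key.

    setting    -- value of app.gitauth.rsa-sha1: a cutoff timestamp or "false"
    key_added  -- RFC 3339 UTC time the key was added to the user account
                  (for an SSH CA, the certificate's valid_after date)
    signature  -- signature algorithm the client used for the attempt
    """
    if signature in SHA2_SIGNATURES:
        return True  # SHA-2 signatures are accepted regardless of the setting
    if signature != SHA1_SIGNATURE:
        raise ValueError(f"unknown RSA signature algorithm {signature!r}")
    if setting == "false":
        return False  # every SHA-1-signed RSA connection is rejected
    # Keys added before the cutoff may keep using SHA-1; later keys may not.
    return parse_rfc3339_utc(key_added) < parse_rfc3339_utc(setting)
```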