
Configuring SSH connections to your instance

You can increase the security of your GitHub Enterprise Server instance by configuring the SSH algorithms that clients can use to establish a connection.

Who can use this feature?

Site administrators can configure SSH connections to a GitHub Enterprise Server instance.

About SSH connections to your instance

Every GitHub Enterprise Server instance accepts SSH connections over two ports. Site administrators can access the administrative shell via SSH, then run command-line utilities, troubleshoot, and perform maintenance. Users can connect via SSH to access and write Git data in the instance's repositories. Users do not have shell access to the instance. For more information, see the following articles.

To accommodate the SSH clients in your environment, you can configure the types of connections that your GitHub Enterprise Server instance will accept.

Configuring SSH connections with RSA keys

When users perform Git operations on your GitHub Enterprise Server instance via SSH over port 22, the client can authenticate with an RSA key. The client may sign the attempt using the SHA-1 hash function. In this context, the SHA-1 hash function is no longer secure. For more information, see SHA-1 on Wikipedia.

By default, SSH connections that satisfy both of the following conditions will fail.

  • The RSA key was added to a user account on your GitHub Enterprise Server instance after the cutoff date of midnight UTC on August 1, 2022.
  • The SSH client signs the connection attempt using the SHA-1 hash function.

You can adjust the cutoff date. If the user uploaded the RSA key before the cutoff date, the client can continue to connect successfully using SHA-1 as long as the key remains valid. Alternatively, you can reject all SSH connections authenticated with an RSA key if the client signs the connection using the SHA-1 hash function.

Regardless of the setting you choose for your instance, clients can continue to connect using any RSA key signed with a SHA-2 hash function.

If you use an SSH certificate authority, connections will fail if the certificate's valid_after date is after the cutoff date. For more information, see "About SSH certificate authorities."

For more information, see the GitHub Blog.

  1. Connect to your GitHub Enterprise Server instance via SSH. If the instance comprises multiple nodes, for example if high availability or geo-replication is configured, SSH into the primary node. If you use a cluster, you can SSH into any node. Replace HOSTNAME with the hostname of your instance, or the hostname or IP address of a node. For more information, see "Accessing the administrative shell (SSH)."

    Shell
    ssh -p 122 admin@HOSTNAME
    
  2. Audit your instance's logs for connections that use insecure algorithms or hash functions using the ghe-find-insecure-git-operations utility. For more information, see "Command-line utilities."

  3. To configure a cutoff date after which your GitHub Enterprise Server instance will deny connections from clients that use an RSA key uploaded after that date if the connection is signed with the SHA-1 hash function, enter the following command. Replace RFC-3339-UTC-TIMESTAMP with a valid RFC 3339 UTC timestamp. For example, the default value, August 1, 2022, would be represented as 2022-08-01T00:00:00Z. For more information, see RFC 3339 on the IETF website.

    $ ghe-config app.gitauth.rsa-sha1 RFC-3339-UTC-TIMESTAMP
    
  4. Alternatively, to completely disable SSH connections using RSA keys that are signed with the SHA-1 hash function, enter the following command.

    ghe-config app.gitauth.rsa-sha1 false
    
  5. To apply the configuration, run the following command.

    Note: During a configuration run, services on your GitHub Enterprise Server instance may restart, which can cause brief downtime for users.

    Shell
    ghe-config-apply
    
  6. Wait for the configuration run to complete.
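To check how the cutoff rule above will affect a population of keys before you change the setting, here is an added Python example (not GitHub's own code or documentation) that models the documented policy: it interprets an app.gitauth.rsa-sha1 value (an RFC 3339 timestamp or false), classifies the client's RSA signature algorithm, and reports whether a connection would be accepted. The signature algorithm names, the handling of a key added at exactly the cutoff instant, and the sample key list are assumptions.

```python
from datetime import datetime, timezone

# SSH signature algorithm names for RSA keys (assumed from RFC 8332 naming):
# "ssh-rsa" is the RSA/SHA-1 signature, rsa-sha2-* are the SHA-2 variants.
SHA1_RSA_SIGNATURE = "ssh-rsa"
SHA2_RSA_SIGNATURES = {"rsa-sha2-256", "rsa-sha2-512"}


def parse_rfc3339_utc(value):
    """Parse an RFC 3339 timestamp such as 2022-08-01T00:00:00Z into an aware UTC datetime."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset: %r" % value)
    return dt.astimezone(timezone.utc)


def parse_cutoff(setting):
    """Interpret app.gitauth.rsa-sha1: 'false' disables RSA/SHA-1 entirely (None),
    otherwise the value is the cutoff timestamp."""
    if setting.strip().lower() == "false":
        return None
    return parse_rfc3339_utc(setting)


def rsa_connection_accepted(setting, signature_alg, key_added):
    """Documented rule: a connection fails only when the client signs with SHA-1
    AND the key (or certificate valid_after) was added after the cutoff, or when
    SHA-1 is disabled outright. SHA-2 signatures are always accepted."""
    if signature_alg in SHA2_RSA_SIGNATURES:
        return True
    if signature_alg != SHA1_RSA_SIGNATURE:
        raise ValueError("not an RSA signature algorithm: %r" % signature_alg)
    cutoff = parse_cutoff(setting)
    if cutoff is None:
        return False
    # Assumption: a key added at exactly the cutoff instant is not "after" it.
    return parse_rfc3339_utc(key_added) <= cutoff


def users_affected(setting, keys):
    """Return the users whose RSA keys would stop working for SHA-1-only clients.
    keys is a list of (username, key_added_rfc3339) pairs."""
    return sorted(user for user, added in keys
                  if not rsa_connection_accepted(setting, SHA1_RSA_SIGNATURE, added))


# Constructed sample data: two keys added before the default cutoff, two after.
SAMPLE_KEYS = [("alice", "2021-03-10T09:15:00Z"), ("bob", "2022-07-31T23:59:59Z"),
               ("carol", "2022-08-01T00:00:01Z"), ("dave", "2023-02-14T12:00:00Z")]
```

Running users_affected with the default cutoff lists carol and dave; with the setting false it lists all four, which is the audit an administrator would pair with ghe-find-insecure-git-operations.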