{"id":13551007,"url":"https://github.com/dolmen/github-keygen","last_synced_at":"2025-05-16T07:02:34.401Z","repository":{"id":1486927,"uuid":"1734466","full_name":"dolmen/github-keygen","owner":"dolmen","description":"Easy creation of secure SSH configuration for your GitHub account(s)","archived":false,"fork":false,"pushed_at":"2025-02-04T23:06:08.000Z","size":876,"stargazers_count":259,"open_issues_count":26,"forks_count":25,"subscribers_count":11,"default_branch":"release","last_synced_at":"2025-05-13T06:11:14.664Z","etag":null,"topics":["cli-app","github","ssh","ssh-client","ssh-config","tool"],"latest_commit_sha":null,"homepage":"","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dolmen.png","metadata":{"files":{"readme":"README.pod","changelog":null,"contributing":"CONTRIBUTING.pod","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2011-05-11T17:51:04.000Z","updated_at":"2025-04-28T21:07:47.000Z","dependencies_parsed_at":"2025-01-28T13:16:26.439Z","dependency_job_id":"5fa511be-c71f-454c-8e95-dfc4bbf26967","html_url":"https://github.com/dolmen/github-keygen","commit_stats":{"total_commits":250,"total_committers":5,"mean_commits":50.0,"dds":"0.016000000000000014","last_synced_commit":"a2274f023abc457401fcb56db46cb1936718002b"},"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolmen%2Fgithub-keygen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolmen%2Fgithub-keygen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolmen%2Fgithub-
keygen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolmen%2Fgithub-keygen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dolmen","download_url":"https://codeload.github.com/dolmen/github-keygen/tar.gz/refs/heads/release","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254485025,"owners_count":22078764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli-app","github","ssh","ssh-client","ssh-config","tool"],"created_at":"2024-08-01T12:01:41.045Z","updated_at":"2025-05-16T07:02:34.339Z","avatar_url":"https://github.com/dolmen.png","language":"Perl","readme":"=pod\n\n=encoding utf8\n\n=for stopwords MITM versioning\n\n=head1 NAME\n\ngithub-keygen - bootstrap your GitHub SSH configuration\n\n=head1 SYNOPSIS\n\nUnix/Linux/MacOS X:\n\n    git clone https://github.com/dolmen/github-keygen.git\n    cd github-keygen\n    ./github-keygen \u003cmy-github-username\u003e\n    cd ..\n    rm -Rf github-keygen\n\nWindows (with msysgit or Cygwin):\n\n    git clone https://github.com/dolmen/github-keygen.git\n    cd github-keygen\n    github-keygen \u003cmy-github-username\u003e\n    cd ..\n    rd /S /Q github-keygen\n\n=head1 DESCRIPTION\n\nThis script makes it easy to create an initial environment setup for secure\nGitHub exchanges. More secure than what the GitHub help pages recommend.\n\nBut it does much more than that:\n\n=over 4\n\n=item *\n\nThis tool B\u003cautomates the SSH setup\u003e. Fewer human errors. 
And\na high level of security.\n\n=item *\n\nIt creates a new SSH B\u003cprivate key dedicated\u003e to GitHub exchanges. This is much\nbetter than using the same SSH key to connect to multiple hosts.\n(If you lose that key, just revoke it in\nL\u003cyour GitHub account SSH settings|https://github.com/settings/keys\u003e, remove the\nkey file, and re-run C\u003cgithub-keygen\u003e).\n\n=item *\n\nAs the process of creating a different SSH key for GitHub now becomes easy, it\nis now much easier to use a different SSH key for GitHub on each computer\nyou use to publish on GitHub. This will help you to use the best practices in\nSSH security.\n(If you lose that computer or if it is compromised, just revoke the key in\nL\u003cyour GitHub account SSH settings|https://github.com/settings/keys\u003e:\nyou don't have to recreate a new key on all your other computers).\n\n=item *\n\nThe\nL\u003cGitHub manual|https://help.github.com/articles/generating-ssh-keys\u003e used to tell you to\nI\u003cremove\u003e your existing SSH keys. But this may not be what you want. 
This tool\navoids that: keep your keys and your existing SSH config; they will not be used\nfor GitHub.\n\n=item *\n\nIt sets up a B\u003cvery secure SSH configuration for GitHub\u003e, independent of your\nother SSH settings:\n\n=over 4\n\n=item *\n\nEnable only the authentication method used with GitHub (C\u003cpublickey\u003e)\n\n=item *\n\nUse only the private key dedicated to GitHub (the C\u003cIdentitiesOnly\u003e of SSH\nconfig)\n\n=item *\n\nSet up a dedicated F\u003cknown_hosts\u003e file with the GitHub SSH hosts and enable\nstrict host checking (this means that if you get SSH alerts about a host key\nproblem when connecting to GitHub, this is really a serious error and you\nshould check that someone is not altering your network link).\n\n=item *\n\nUse stronger encryption algorithms than your default SSH setup (following\nL\u003c@stribika's advice|https://stribika.github.io/2015/01/04/secure-secure-shell.html\u003e; this is a \"best effort\" that depends on your OpenSSH being recent enough);\n\n=item *\n\nDisable bad things that could come from the GitHub hosts (\"Trust no-one\")\n\n=item *\n\nDisable the C\u003cUseRoaming\u003e option to protect you if ever GitHub (or a MITM) tries\nto exploit the\nL\u003cC\u003cOpenSSH roaming\u003e vulnerability|https://www.openssh.com/txt/release-7.1p2\u003e.\n\n=back\n\n=item *\n\nIt enables SSH connection sharing (see the C\u003cControlMaster\u003e option in\nL\u003cssh_config(5)\u003e and L\u003cthis blog post|http://interrobeng.com/2013/08/25/speed-up-git-5x-to-50x/\u003e)\n\n=item *\n\nIt creates unique host aliases for github.com/gist.github.com that you'll be\nable to use in Git URLs (C\u003cgit remote\u003e) to connect to a particular account.\nThis gives the flexibility to use B\u003cmultiple GitHub accounts\u003e (and therefore a\ndifferent SSH key for each).\n\n    \u003caccount\u003e.github.com:\u003crepo-owner\u003e/\u003crepo\u003e.git  (for each account)\n    
github.com:\u003crepo-owner\u003e/\u003crepo\u003e.git            (for the default account)\n\nin addition to:\n\n    git@github.com:\u003crepo-owner\u003e/\u003crepo\u003e.git\n\n=back\n\nThis script will:\n\n=over 4\n\n=item *\n\nCreate a new SSH key dedicated only to your GitHub connections in\nF\u003c~/.ssh/id_I\u003cE\u003clt\u003egithub-accountE\u003cgt\u003e\u003e@github\u003e\n\n=item *\n\nCreate the SSH configuration optimized for GitHub and dedicated to GitHub\n(does not impact your other SSH configurations) in F\u003c~/.ssh/config\u003e.\n\n=item *\n\nInstall the GitHub SSH host authentication fingerprints in\nF\u003c~/.ssh/known_hosts_github\u003e\n\n=back\n\n=head1 TRUST\n\nAs with any software that deals with the security of your computer or of communications\nwith other computers (operating system, anti-virus, HTTPS implementation,\npassword storage...), you have to be able to trust it. (If you haven't ever\nasked yourself that question about the software you already use, you should!)\n\nHere are some arguments that should help you to make your choice:\n\n=over 4\n\n=item *\n\nC\u003cgithub-keygen\u003e is written in a scripting language (Perl 5), so the code that\nruns is the code in the script. You can audit it (or ask someone who you\ntrust to do it for you) to trust it. The author is a full time professional\nPerl developer who is well aware of all Perl best practices and works daily\non Perl code maintained by a team, so the source is not the spaghetti plate\nfor which Perl 5 got shame.\n\n=item *\n\nWhen running, C\u003cgithub-keygen\u003e generates files locally on your system. It\nconnects to github.com using public URLs only to check if your keys are\nproperly setup on the server side. You can disable this feature with the\nC\u003c--offline\u003e flag.\n\n=item *\n\nC\u003cgithub-keygen\u003e only generates configuration files for OpenSSH. 
So:\n\n=over 4\n\n=item *\n\nAfter running C\u003cgithub-keygen\u003e, you can (and should) audit that config to\ncheck the changes it did to your system before connecting to any SSH hosts.\n\n=item *\n\nNo part of that configuration is directly executable: it is just\ndata that OpenSSH will use.\n\n=item *\n\nNo executable parts of C\u003cgithub-keygen\u003e will run after that (the tool itself is\nnot installed in your system) and you can even delete it: the configuration it\nproduced will still work.\n\n=back\n\n=item *\n\nC\u003cgithub-keygen\u003e is very conservative in what it does to your SSH config (which\nmeans it will not corrupt what it didn't generate itself), so don't worry about\nconfiguration you may already have in your F\u003c~/.ssh/config\u003e: it will be kept as\nis. (still, bugs may be present, so read the license before using the software).\n\n=item *\n\nI (Olivier MenguE\u003ceacute\u003e) am not an expert in software security. However this\nlist should show you that I care enough about security to have thought about many\nissues, and thought to design the software to have trust in it at least as much\n(in fact much more) than in other security software I use every day.\n\n=back\n\n\nI'm using the SSH configuration generated by this tool every day on multiple\ncomputers, so you can trust that any change on GitHub side that may affect that\nconfig will be immediately detected by the author and upgrades will be\nmade available quickly.\n\n=head1 INSTALL\n\nC\u003cgithub-keygen\u003e is not really the kind of software you have to install. This is\nmore like a wizard that you use just once. 
So just get the file, run it, and\ndelete it.\n\nI\u003cWindows only\u003e: the tool is written in Perl, but you don't have to install\nL\u003cStrawberryPerl|https://strawberryperl.com\u003e (or Cygwin or ActivePerl); the perl\nbundled with L\u003cmsysgit|https://gitforwindows.org/\u003e will be automatically\ndetected and used.\n\nFetch the script from GitHub:\n\n    git clone https://github.com/dolmen/github-keygen.git\n    cd github-keygen\n\nUnix/Linux only: install the optional C\u003cxclip\u003e tool (using your package\nmanager). It will be used to copy your public key to the X11 clipboard once\ncreated.\n\n=head1 UPGRADE\n\nTo upgrade your config to the latest one, update C\u003cgithub-keygen\u003e and relaunch\nit. It will update your F\u003c~/.ssh/config\u003e and show you the diff of what it\nchanged:\n\n    cd github-keygen\n    git rebase\n    ./github-keygen\n\n=head1 HISTORY\n\nI\u003cNote:\u003e As C\u003cgithub-keygen\u003e is released with Git on GitHub, you can simply use\nthe diff feature of Git/GitHub to view exactly what happened between two\nreleases. And you can also have a look at\nL\u003cthe commit log|https://github.com/dolmen/github-keygen/commits/release\u003e.\n\n=over 4\n\n=item v1.400\n\nChange default key type on key creation to C\u003ced25519\u003e (previously C\u003crsa\u003e)\n(L\u003cGitHub #48|https://github.com/dolmen/github-keygen/issues/48\u003e).\n\nOn key creation, custom key comment provided by C\u003c-C\u003e was ignored\n(L\u003cGitHub #46|https://github.com/dolmen/github-keygen/issues/46\u003e). This is\nfixed.  Thanks to L\u003c@tinhtruong|https://github.com/tinhtruong\u003e for the report.\n\nFix typo in a comment in F\u003c~/.ssh/config\u003e: \"I\u003cKnwon\u003e\".\n\nImprove Windows compatibility (fix in parsing of C\u003cssh -V\u003e). 
\n\n=item v1.306\n\nOn key creation, switch default key size from 2048 bits to 4096 bits.\n\nUpdate C\u003c~/.ssh/known_hosts_github\u003e to include only the C\u003cssh-ed25519\u003e public\nkeys of GitHub servers (C\u003cssh-rsa\u003e and C\u003cssh-dss\u003e keys are removed).\n\nDisallow C\u003cssh-rsa\u003e public keys for GitHub servers.\n\n=item v1.305\n\nRemove MAC algorithm C\u003chmac-ripemd160\u003e as it has been\nL\u003cremoved from OpenSSH 7.6|https://www.openssh.com/txt/release-7.6\u003e.\nIt is also not supported by GitHub anymore.\nThanks to L\u003cLaggard Kernel|https://github.com/laggardkernel\u003e for the patch.\n\nHide warnings about known deprecated OpenSSH options (C\u003cProtocol\u003e, C\u003cUseRoaming\u003e).\nWe still support them to secure old OpenSSH clients.\n\n=item v1.304\n\nRemove algorithm C\u003cdiffie-hellman-group14-sha1\u003e as it has been removed server side\nby GitHub: see L\u003chttps://githubengineering.com/crypto-deprecation-notice/\u003e.\n\n=item v1.303\n\nFix SSH options and algorithm support detection that was accidentally disabled since v1.100.\nThis makes github-keygen work with OpenSSH 7.6+ that removed an algorithm.\n\nFix for support of OpenSSH down to 5.1.\n\nDetect bad permissions on F\u003c~/.ssh/config\u003e and report them.\n\n=item v1.302\n\nRemove C\u003cUseRoaming\u003e option if OpenSSH \u003e= 7.2 on Mac OS X Sierra\n(L\u003cissue #31|https://github.com/dolmen/github-keygen/issues/31\u003e): Sierra\nhas 7.2p2, same as on Ubuntu 16.04, but not the same behaviour.\n\nOld OpenSSH compatibility fixes:\n\n=over 4\n\n=item *\n\nHide C\u003cssh -Q\u003e errors (when the option is not supported).\n\n=item *\n\nDo not use C\u003c%n\u003e in C\u003cControlPath\u003e option.\n\n=back\n\n=item v1.301\n\nRemove C\u003cUseRoaming\u003e option if OpenSSH \u003e= 7.3\n(Mac OS X Sierra,\nL\u003cissue #31|https://github.com/dolmen/github-keygen/issues/31\u003e):\nthis option has been removed from OpenSSH.\n\n=item v1.300\n\nKeys registered in 
F\u003c~/.ssh/config\u003e are now compared with keys registered on\nL\u003cGitHub|https://github.com/settings/keys\u003e to detect keys unknown to the\nservice. An C\u003c--offline\u003e flag allows disabling this check.\n\nDevelopment is back on C\u003cmaster\u003e branch (instead of deleted C\u003cdevel\u003e).\n\n=item v1.200\n\nAdd versioning to the generated config. This will allow detecting dangerous\nattempts at downgrading to an older version of github-keygen.\n\nPreserve the position of the github-keygen section in F\u003c~/.ssh/config\u003e.\nPreviously, the section was always put at the end of the file. This was\nbreaking configs where the user had a C\u003cHost *\u003e section at the end of the file\nto set default settings: as the section was moved above us, those default\nsettings were applied before our own.\n\n=item v1.101\n\nConfig: set C\u003cUseRoaming no\u003e to protect against the\nL\u003cC\u003cOpenSSH roaming\u003e vulnerability|https://www.openssh.com/txt/release-7.1p2\u003e.\n\n=item v1.100\n\nConfig: use the official case for the C\u003cHostName\u003e option (instead of\nC\u003cHostname\u003e).\n\nFor the best compatibility of the SSH configuration with old SSH versions, we\nnow look in the L\u003cssh_config(5)\u003e man page for the list of supported options\nand unavailable options are then commented with '##'. If the man page is not\nfound, we still use all options.\n\nOn msys platform (bash in L\u003cmsysgit|https://gitforwindows.org/\u003e), the\nC\u003cControlMaster\u003e option of OpenSSH doesn't work because msys lacks support for\npassing file descriptors. So we now disable this option on this platform.\n\nWe filter our L\u003clists of\nalgorithms|https://stribika.github.io/2015/01/04/secure-secure-shell.html\u003e\nagainst the lists reported by C\u003cssh -Q E\u003clt\u003ecipher|mac|kexE\u003cgt\u003e\u003e. 
This restores\ncompatibility with OpenSSH versions such as 6.6.1p1 bundled with msysgit\nthat does not support ciphers named C\u003caes*-gcm@openssh.com\u003e.\n\nVarious fixes/workarounds to restore full support of the old SSH (4.6p1) that\nis bundled with msysgit (Git on Win32).\n\nStore the C\u003cControlPath\u003e in C\u003c$XDG_RUNTIME_DIR\u003e (see the\nL\u003cXDG Base Directory Specification|https://specifications.freedesktop.org/basedir-spec/latest/#variables\u003e)\nif available.\n\nDoc fixes: change \"Github\" to \"GitHub\".\n\n=item v1.020\n\nB\u003cImprove SSH encryption\u003e by selecting L\u003cstronger algorithms recommended by\n@stribika|https://stribika.github.io/2015/01/04/secure-secure-shell.html\u003e:\nC\u003caes256-ctr\u003e instead of C\u003caes128-ctr\u003e, and C\u003chmac-sha2-512\u003e instead of C\u003chmac-sha1\u003e.\n\nOpen the F\u003c~/.ssh/known_hosts_github\u003e with mode 0600 before\ninitializing/updating it.\n\n=item v1.011\n\nCreate F\u003c~/.ssh\u003e with rights 0700 if it doesn't exist because L\u003cssh-keygen(1)\u003e\nwill fail if it is missing.\n\nAdd support for host C\u003cssh.github.com\u003e for\nL\u003cSSH over https port|https://docs.github.com/en/authentication/troubleshooting-ssh/using-ssh-over-the-https-port\u003e.\nAdd C\u003c*.ssh.github.com\u003e host aliases for Git.\nUsers should run C\u003cgithub-keygen\u003e again (without argument) to enable those new\nfeatures.\n\nFixed L\u003cissue #13|https://github.com/dolmen/github-keygen/issues/13\u003e: default\nGitHub account set with C\u003c--default\u003e option was lost when running\nC\u003cgithub-keygen\u003e again without repeating the setting. The issue existed since v1.004.\n\n=item v1.010\n\nDarwin: implemented pasting the public key to the clipboard. Thanks to Vincent\nPit for testing!\n\n=item v1.009\n\nAdded support for dashes in GitHub usernames. 
Thanks Pedro Figueiredo!\n\n=item v1.008\n\nAdded connection sharing: connection to GitHub is kept alive for 60\nseconds. This speeds up any script that does multiple sequential Git interactions\nwith GitHub.\n\n=item v1.007\n\nFixed a message that wrongly told the user to paste the I\u003cprivate\u003e key (C\u003c'.pub'\u003e\nforgotten). Fixed at the\nL\u003cQuack and Hack 2012 Europe hackathon|https://act.yapc.eu/qh2012eu/\u003e,\nbut released (too) long after.\n\n=item v1.006\n\nUI improvement: when keys are created, the message about what to do with the\nkey is now shown at the end, after the diff instead of before.\n\n=item v1.005\n\nNo functional changes.\n\nUpdated Pod::Simple to 3.23. Updated copyright.\n\n=item v1.004\n\nChanges for compatibility with msysgit's bundled perl (an antique 5.8.8\nwith major core modules missing: C\u003cPod::*\u003e). So no changes for Unix users, but\na big improvement for all Windows+msysgit users: no need to install\nStrawberryPerl just for C\u003cgithub-keygen\u003e!\n\n=item v1.003\n\nNo changes in the C\u003cgithub-keygen\u003e code, but the fatpacked build has been\ntweaked to use a better list of packed modules. This should improve\ncompatibility.\n\nDocumentation fixes.\n\n=item v1.002\n\nNo functional changes, but distribution changes: branch C\u003cmaster\u003e abandoned\nand replaced by C\u003crelease\u003e (build result) and C\u003cdevel\u003e (source).\n\nC\u003cgithub-keygen\u003e is now L\u003cfatpacked|https://metacpan.org/module/App::FatPacker\u003e\nfrom C\u003cbin/github-keygen\u003e in the C\u003cdevel\u003e branch with\nL\u003cPod::Usage|https://metacpan.org/module/Pod::Usage\u003e and\nL\u003cText::Diff|https://metacpan.org/module/Text::Diff\u003e, so those modules do not\nhave to be installed before usage.\n\n=item v1.001 and before\n\nSee the git log.\n\n=back\n\n=head1 BUGS\n\nC\u003cgithub-keygen\u003e requires a Perl runtime. 
It is regularly tested in the\nfollowing environments:\n\n=over 4\n\n=item *\n\nUbuntu with perl 5.14.2\n\n=item *\n\nWindows with StrawberryPerl (5.12.1 and above) and msysgit\n\n=item *\n\nWindows with msysgit's antique perl 5.8.8.\n\n=back\n\nKnown issues:\n\n=over 4\n\n=item *\n\nOn Win32, F\u003c~/.ssh/config\u003e is always written in CRLF end-of-line style. This is\nnot a bug, it's a feature.\n\n=back\n\n\n=head1 SUPPORT\n\nIRC: ask C\u003cdolmen\u003e on C\u003circ.perl.org\u003e.\n\nOr file an issue at GitHub: L\u003chttps://github.com/dolmen/github-keygen/issues\u003e\n\n=head1 AUTHOR\n\nOlivier MenguE\u003ceacute\u003e, L\u003cmailto:dolmen@cpan.org\u003e.\n\n=head2 Thanks\n\nL\u003cEric Lefevre|https://github.com/elefevre\u003e: documentation patch.\n\nL\u003cEu Beng Hee|https://github.com/ahbeng\u003e: L\u003cblog post about SSH connection sharing|http://interrobeng.com/2013/08/25/speed-up-git-5x-to-50x/\u003e that inspired\nchanges in 1.008.\n\nL\u003cPedro Figueiredo|https://github.com/pfig\u003e: support for GitHub account with\ndashes (v1.009).\n\nIf you want to contribute, have a look at L\u003cCONTRIBUTING.pod\u003e.\n\n=head1 COPYRIGHT \u0026 LICENSE\n\nCopyright E\u003ccopy\u003e 2011-2025 Olivier MenguE\u003ceacute\u003e.\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  
If not, see L\u003chttps://www.gnu.org/licenses/\u003e.\n\n=cut\n","funding_links":[],"categories":["Perl","github","Apps"],"sub_categories":["*SSH* keys / Authentication"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdolmen%2Fgithub-keygen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdolmen%2Fgithub-keygen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdolmen%2Fgithub-keygen/lists"}