GitHub如何处理推送安全性？ [英] How does GitHub handle push security?

问题描述

当我为Git安装计算机时，我生成了一个私有和公共SSH密钥。然后我让GitHub知道我的公钥是什么。我的理解是公钥可以加密消息，私钥可以加密消息。所以我可以理解github如何通过SSH向我发送加密邮件。 然而，我的问题是，当我推送到GitHub时，它是如何知道我是谁在进行推送？难道其他人无法使用我的名字和电子邮件创建自己的SSH密钥，然后推送到我的GitHub存储库？

我怀疑是这种情况，那么对此采取的安全措施是什么？感谢！

解决方案

GitHub拥有您的公钥副本，其中包含的信息不仅仅是您的姓名和电子邮件地址。它有一个独特的指纹，不能通过生成伪造的公钥来重现（至少不是没有大规模的暴力攻击或一些意料之外的数学突破）。

ssh协议起作用，GitHub会看到一个ssh连接，它会根据您的公钥进行身份验证。这样的连接只能由拥有您的私钥副本的人创建。

GitHub没有私人副本关键，但它可以验证你的确。 （这就是公钥加密术的全部内容。）

When I setup my computer for Git, I generate a private and public SSH key. I then let GitHub know what my public key is. My understanding is that public keys can encrypt messages, and the private key de-crypts it. So I can understand how github can send me encrypted messages via SSH.

However, my question is that when I push to GitHub, how does it know that it is me who is doing the push? Couldn't someone else create a their own SSH key with with my name and email, and then push to my GitHub Repository?

I doubt this is the case, so what are the security measures that are in place for this? Thanks!

解决方案

GitHub has a copy of your public key, which has more information than just your name and e-mail address. It has a unique fingerprint that cannot be reproduced by generating a forged public key (at least not without a massive brute-force attack or some unanticipated mathematical breakthrough).

The way the ssh protocol works, GitHub sees an ssh connection that it authenticates against your public key. Such a connection can only be created by someone who has a copy of your private key.

GitHub doesn't have a copy of your private key, but it can verify that you do. (That's what public key cryptography is all about.)

这篇关于GitHub如何处理推送安全性？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！