Overview
You may have encountered an issue caused by a change GitHub made to the access permissions of SSH keys created by third-party GitHub Apps. The change took effect on October 2, 2024 and was introduced deliberately by GitHub to remove the implicit authorization that SSH keys generated by certain third-party applications previously had.
GitHub Change Details:
GitHub's statement clarifies the modification:
"Prior to October 2, 2024, SSH keys produced by third-party GitHub Apps and OAuth apps did not require explicit authorization to access SSO protected resources on behalf of a user. Notable third-party GitHub Apps include services such as CircleCI, Shopify, or GitBook."
This was done in response to user feedback: GitHub now enforces explicit authorization for these SSH keys, bringing their access control in line with standard user SSH keys. As a result, when a third-party GitHub App such as CircleCI uploads an SSH key on behalf of a user, the app's SSO authorizations are linked to that key, so the key is granted access only in line with what the app itself has been authorized for.
Action Required: Authorization Steps:
To ensure that SSH keys generated through third-party services like CircleCI are properly authorized, you must now verify and authorize them manually. Following GitHub's guidelines on authorizing SSH keys for SAML Single Sign-On (SSO), organization members can authorize a user key for additional organizations.
Refer to the GitHub documentation below (the REST API endpoint for creating a public SSH key, and the step-by-step instructions for authorizing an SSH key with SAML Single Sign-On) for details on granting the required authorizations.
- https://docs.github.com/en/rest/users/keys?apiVersion=2022-11-28#create-a-public-ssh-key-for-the-authenticated-user
- https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on#authorizing-an-ssh-key
Going forward, authorizing your SSH keys will be a manual process. Some users have worked around this by authorizing a machine user, which gives CircleCI permission to create and upload SSH keys to GitHub on behalf of that machine user.