SSH keys generated turned out to be identical to someone on github

You heard it. I quickly generated an ed25519 ssh keypair locally and used it to commit changes to my public facing ansible pull github repo (initial server config). A few days later, I am looking at my repository on github and found that a strange person made commits to my repo. I took a look at the commits and they were the ones I made. This only means one thing, the keys I generated on my laptop are identical to someone on github who has the same public ssh key added to their account globally. This means I have write access to all of their repos with the key I generated.

Are the chances of this occurring very slim?
How can I protect myself from someone else in the world who just so happens to generate the same keys?

This is scaring me and I might enable password authentication alongside requiring a public key and not just have public key authentication for ssh.

This video can give you an idea of just how likely that is to be true. A key collision is not the likely answer as to what happened unless there is a common and flawed system being used to make the keys.

1 Like

I uploaded the key to my github repo with write access and when I committed, it showed another user committing the change.

This is not me. But shows up as that user when I do any commits using the ssh keys I generated.

I admit this looks strange. But I’m with Tom here that the chances of you generating an already existing key pair are close to zero.

You can actually look at the keys that particular user has listed in their profile: https://github.com/daveed07.keys
They won’t match your generated key, given that they are RSA keys (as of writing this).

Git (and apparently also GitHub, for that matter) distinguishes between the person who authors a code change and the person who commits a code change. Most likely explanation for me right now is that there is some sort of misconfiguration on your workstation. Taken from “Why is my commit associated with the wrong person?”:

If you’re working locally, you can tell Git who authored a set of changes by using the --author flag with git commit. […] If you don’t specify any authors, the user.name and user.email from your local Git configuration will be used by default. […] Whether you work locally or on GitHub, we use the email address(es) from this author information to associate GitHub accounts with commits in most places on our site, including contributions graphs and the commits list.

If you’re still confused about the author, committer, or pusher of a commit on GitHub, contact the Support Team! We’ll be happy to help.

3 Likes
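To make the author-versus-committer point above concrete, here is an added example (not from any post in this thread) that builds a throwaway repository and shows that the identities recorded in a commit come from the local Git configuration or the --author flag, never from the SSH key used to push. The names and e-mail addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: demonstrates where Git takes a commit's author and committer
# from. Assumes a working `git` binary; all identities below are constructed.
set -e

commit_identity() {
  # Make sure no environment override masks what the repo config says.
  unset GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
  repo=$(mktemp -d)
  git init -q "$repo"

  # Repository-local identity, the equivalent of user.name/user.email on a
  # laptop. This is what GitHub maps to an account, not the SSH key.
  git -C "$repo" config user.name "Forum Poster"
  git -C "$repo" config user.email "poster@example.com"   # constructed

  echo hello > "$repo/file.txt"
  git -C "$repo" add file.txt
  git -C "$repo" commit -q -m "first"

  # Same repo, same committer, but --author overrides the author field only,
  # which is exactly the split the GitHub documentation describes.
  echo more >> "$repo/file.txt"
  git -C "$repo" commit -q -a -m "second" \
    --author="Someone Else <someone@example.org>"          # constructed

  # Newest first: "<author email> <committer email>" per commit.
  git -C "$repo" log --format='%ae %ce'
  rm -rf "$repo"
}

# The SSH key only matters at push time, for authentication. To see which
# GitHub account a key authenticates as, run (network access required):
#   ssh -T git@github.com
# and compare the greeting with `git config user.email` on the same machine.
commit_identity
```

If the e-mail printed in the committer column is not one registered on your own GitHub account, GitHub will attribute the commit to whoever has registered it, regardless of whose key pushed it.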

Thank you sir. This is the perfect explanation of what is occurring.