How does GitHub handle push security?

谁都会走 submitted on 2020-01-25 03:39:04

Question


When I set up my computer for Git, I generate a private and public SSH key. I then let GitHub know what my public key is. My understanding is that public keys can encrypt messages, and the private key decrypts it. So I can understand how GitHub can send me encrypted messages via SSH.

However, my question is that when I push to GitHub, how does it know that it is me who is doing the push? Couldn't someone else create their own SSH key with my name and email, and then push to my GitHub repository?

I doubt this is the case, so what are the security measures that are in place for this? Thanks!


Answer 1:


GitHub has a copy of your public key, which has more information than just your name and e-mail address. It has a unique fingerprint that cannot be reproduced by generating a forged public key (at least not without a massive brute-force attack or some unanticipated mathematical breakthrough).

The way the ssh protocol works, GitHub sees an ssh connection that it authenticates against your public key. Such a connection can only be created by someone who has a copy of your private key.

GitHub doesn't have a copy of your private key, but it can verify that you do. (That's what public key cryptography is all about.)



Source: https://stackoverflow.com/questions/10625522/how-does-github-handle-push-security
