
Releases: dolmen/github-keygen

v1.401 2025-06-20

21 Jun 07:42


What's Changed

  • Update key exchange algorithms (GitHub #64):

    • Add mlkem768x25519-sha256, a hybrid post-quantum algorithm which is the new default in OpenSSH 10.0. However, GitHub doesn't yet support it server side.
    • Add curve25519-sha256, the official (IANA) alias of curve25519-sha256@libssh.org that was already used.
    • Remove diffie-hellman-group-exchange-sha1, which is no longer supported by GitHub.
  • Force option RequestTTY to no, because the SSH connections are only used non-interactively via Git (0cf2bb2).

  • On Windows:

    • Disable options ControlMaster, ControlPath, ControlPersist to avoid failure "getsockname failed: Not a socket" (86eaeb3).
    • In ssh config, save paths to files using %d instead of ~ to work around an issue in OpenSSH with tilde expansion when paths use backslashes (698a744, f44952e).

New contributors

Thanks to @agnosticlines for contributions.

Full Changelog: v1.400...v1.401

v1.400 2025-01-22

22 Jan 13:55


What's Changed

  • Change default key type on key creation to ed25519 (previously rsa) (GitHub #48).
  • On key creation, custom key comment provided by -C was ignored (GitHub #46). This is fixed. Thanks to @tinhtruong for the report.
  • Fix typo in a comment in ~/.ssh/config: Knwon.
  • Improve Windows compatibility (fix in parsing of ssh -V).


Full Changelog: v1.306...v1.400

v1.306 2022-06-09

08 Jun 23:31


What's Changed

  • On key creation, switch default key size from 2048 bits to 4096 bits.

  • Update ~/.ssh/known_hosts_github to include only the ssh-ed25519 public keys of GitHub servers (ssh-rsa and ssh-dss keys are removed).

  • Disallow ssh-rsa public keys for GitHub servers.

Full Changelog: v1.305...v1.306

v1.305

22 Jan 09:28


What's Changed

  • Remove MAC algorithm hmac-ripemd160, as it was removed in OpenSSH 7.6. It is also no longer supported by GitHub. Thanks to Laggard Kernel for the patch. This had no impact on users, as github-keygen does feature detection of OpenSSH.

  • Hide warnings about known deprecated OpenSSH options (Protocol, UseRoaming). We still support them to secure old OpenSSH clients.

Full Changelog: v1.304...v1.305

v1.304

02 Feb 13:13


Remove key exchange diffie-hellman-group14-sha1 because it was removed by GitHub. See https://githubengineering.com/crypto-deprecation-notice/

v1.303

02 Feb 13:15


Fix SSH options and algorithm support detection that was accidentally disabled since v1.100. This makes github-keygen work with OpenSSH 7.6+, which removed an algorithm.

Fix for support of OpenSSH down to 5.1.

Detect bad permissions on file ~/.ssh/config and report them.
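The algorithm support detection mentioned in these notes can be sketched as follows. This is an added example, not github-keygen's own code (which is written in Perl): a POSIX shell function that keeps only the key exchange algorithms the local client reports via ssh -Q kex. The function names, the preference order and the sample client lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not github-keygen's code. Names and sample data are constructed.

# Preference order (assumption), using the algorithms named in the v1.401 notes.
WANTED_KEX='mlkem768x25519-sha256 curve25519-sha256 curve25519-sha256@libssh.org'

# Constructed samples of "ssh -Q kex" output for an old and a recent client.
OLD_CLIENT='diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha256
curve25519-sha256@libssh.org'
NEW_CLIENT='curve25519-sha256
curve25519-sha256@libssh.org
mlkem768x25519-sha256
diffie-hellman-group-exchange-sha256'

# Print the local client's key exchange algorithms, one per line.
# Old clients lack "ssh -Q": hide the error and print nothing.
supported_kex() {
    ssh -Q kex 2>/dev/null || true
}

# select_kex SUPPORTED: print the comma-separated subset of WANTED_KEX present
# in SUPPORTED (space or newline separated), in preference order.
# Returns 1 and prints nothing when no algorithm matches.
select_kex() {
    supported=$1
    result=
    for alg in $WANTED_KEX; do
        # -x -F: exact whole-line match, so a client that only knows
        # curve25519-sha256@libssh.org is not given curve25519-sha256.
        if printf '%s\n' "$supported" | tr ' ' '\n' | grep -qxF -- "$alg"; then
            result="${result:+$result,}$alg"
        fi
    done
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# Emit a config line per client; the last entry probes the real local ssh.
for sample in "$OLD_CLIENT" "$NEW_CLIENT" "$(supported_kex)"; do
    if kex=$(select_kex "$sample"); then
        echo "KexAlgorithms $kex"
    else
        echo "# no preferred algorithm detected: leave KexAlgorithms unset"
    fi
done
```

When detection yields nothing (for example on a client without ssh -Q), the sketch omits the option rather than writing a name the client may not accept.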

v1.302

02 Feb 13:17


Remove UseRoaming option if OpenSSH >= 7.2 on Mac OS X Sierra (issue #31): Sierra has 7.2p2, the same as on Ubuntu 16.04, but not the same behaviour.

Old OpenSSH compatibility fixes:

  • Hide ssh -Q errors (when the option is not supported).
  • Do not use %n in ControlPath option.

v1.301

26 Nov 20:54


Remove UseRoaming option if OpenSSH >= 7.3 (Mac OS X Sierra, issue #31): this option has been removed from OpenSSH.

v1.300

24 Oct 21:02


Changes:

  • Keys registered in ~/.ssh/config are now compared with keys registered on GitHub to detect keys unknown to the service. An --offline flag allows disabling this check.
  • Development is back on master branch (instead of deleted devel).

v1.200

22 Feb 22:47


Changes:

  • Add versioning to the generated config. This will allow detecting dangerous attempts at downgrading to an older version of github-keygen.
  • Preserve the position of the github-keygen section in ~/.ssh/config. Previously, the section was always put at the end of the file. This was breaking configs where the user had a Host * section at the end of the file to set default settings: as that section ended up above ours, those default settings were applied before our own.