MQL5-Google-Onedrive/docs/SSH_KEY_AUDIT.md
copilot-swe-agent[bot] 4c6a82a957 Add SSH key investigation documentation and audit report
Co-authored-by: Mouy-leng <199350297+Mouy-leng@users.noreply.github.com>
2026-02-18 01:16:35 +00:00


# SSH Key Audit Report
**Date**: 2026-02-18
**Requested by**: @mouy-leng
**Issue**: Investigation of ECDSA SSH key usage
## SSH Key Details
```
Type: ecdsa-sha2-nistp256
Key: AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLjxGzOnZXj7/4tvo0PkaMFMYVzr+0lK2ZruE0FH4upnCFo//O140zhutN61/4qiDGD+ESsKTsUJil0q9o72dXQ=
Comment: #ssh.id - @mouy-leng
```
## Investigation Summary
### Repository Search Results
**Key NOT found in repository code**
- Searched all files in the repository
- Checked git history for any commits containing the key
- No references to this specific ECDSA key found
### Current SSH Configuration
The repository currently uses a **different SSH key** as documented in `SSH_SETUP.md`:
```
Type: Ed25519 (more secure than ECDSA)
Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEeSLWKibLOYIOA794iClIT7WU/32N1BbfzHR8hopSGG
Comment: jules@google.com
```
This Ed25519 key is configured for:
1. GitHub repository access
2. MQL5 Forge (optional)
3. VPS access (optional)
## Possible Locations of the ECDSA Key
Since the key is not in the repository, it may be configured in one of these locations:
### 1. **GitHub Deploy Keys** (Most Likely)
- Deploy keys are configured in repository settings
- Path: `Settings` → `Deploy keys`
- These keys are used by GitHub Actions to push to other repositories
- **Action**: Check https://github.com/A6-9V/MQL5-Google-Onedrive/settings/keys
### 2. **Personal SSH Keys on GitHub**
- User-level SSH keys for @mouy-leng's account
- Path: GitHub profile → `Settings` → `SSH and GPG keys`
- **Action**: Check https://github.com/settings/keys
### 3. **VPS/Server authorized_keys**
- May be configured on a VPS for remote access
- Location on server: `~/.ssh/authorized_keys`
- **Action**: Check VPS if you have one configured
### 4. **GitHub Actions Secrets**
- May be stored as a secret: `SSH_PRIVATE_KEY` or similar
- Path: Repository → `Settings` → `Secrets and variables` → `Actions`
- **Action**: Check https://github.com/A6-9V/MQL5-Google-Onedrive/settings/secrets/actions
### 5. **Third-party Services**
- May be configured in:
  - Railway.app
  - Render.com
  - Google Cloud Platform
  - Fly.io
  - Docker Hub
## Workflows Using SSH
### GitHub Pages Sync Workflow
- **File**: `.github/workflows/github-pages-sync.yml`
- **Method**: Uses HTTPS with `GITHUB_TOKEN` (not SSH)
- **Target**: `Mouy-leng/-LengKundee-mql5.github.io.git`
- **Status**: ✅ Not using the ECDSA key
### OneDrive Sync Workflow
- **File**: `.github/workflows/onedrive-sync.yml`
- **Method**: Uses rclone configuration
- **Status**: ✅ Not using SSH
## Recommendations
### 1. Identify Key Usage
Check the following locations to determine where this key is being used:
```bash
# Check GitHub deploy keys
gh api repos/A6-9V/MQL5-Google-Onedrive/keys
# Check personal SSH keys (requires authentication)
gh api user/keys
```
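The lookup above only lists keys; deciding whether the audited key is among them means comparing decoded key blobs, since titles and comments differ between locations. The following is an added example, not part of the original report or the repository: the function names are hypothetical, the JSON is assumed to carry the `id`, `title` and `key` fields of GitHub's keys API responses, and the sample API output and `authorized_keys` content are constructed.

```python
import base64
import hashlib
import json
import struct

# The two public keys come from this report; ids, titles and file lines are constructed.
ECDSA_B64 = ("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLjxGzOnZXj7/4tvo0Pk"
             "aMFMYVzr+0lK2ZruE0FH4upnCFo//O140zhutN61/4qiDGD+ESsKTsUJil0q9o72dXQ=")
ED25519_B64 = "AAAAC3NzaC1lZDI1NTE5AAAAIEeSLWKibLOYIOA794iClIT7WU/32N1BbfzHR8hopSGG"
AUDITED = f"ecdsa-sha2-nistp256 {ECDSA_B64} #ssh.id - @mouy-leng"
SAMPLE_API = json.dumps([{"id": 1, "title": "docs", "key": "ssh-ed25519 " + ED25519_B64},
                         {"id": 2, "title": "unknown", "key": "ecdsa-sha2-nistp256 " + ECDSA_B64}])
SAMPLE_AUTH = f"# constructed sample\nno-pty ecdsa-sha2-nistp256 {ECDSA_B64} old-laptop\n"

def parse_pubkey(line):
    """Return (key_type, blob) from a public-key or authorized_keys line, else None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            continue  # skips authorized_keys options such as no-pty
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # The blob starts with a length-prefixed copy of the key type; it must match the label.
        if blob.startswith(struct.pack(">I", len(field)) + field.encode()):
            return field, blob
    return None

def fingerprint(blob):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def from_api(text, source):
    """Label each entry of a keys-API JSON array (fields id, title, key)."""
    return [(f"{source}#{k['id']} {k['title']}", k["key"]) for k in json.loads(text)]

def from_file(text, source):
    """Label each non-comment line of an authorized_keys file by line number."""
    return [(f"{source}:{n}", ln) for n, ln in enumerate(text.splitlines(), 1)
            if not ln.lstrip().startswith("#")]

def find_key(target_line, candidates):
    """Return labels of candidates whose decoded key blob equals the target's."""
    target = parse_pubkey(target_line)
    if target is None:
        raise ValueError("target is not an OpenSSH public key")
    return [label for label, line in candidates
            if (p := parse_pubkey(line)) and p[1] == target[1]]
```

In a real audit, pass the saved output of the two `gh api` calls to `from_api` and each server's `authorized_keys` content to `from_file`; `fingerprint` gives the value to compare against the fingerprints shown in the GitHub settings pages.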
### 2. Security Best Practices
- **Use Ed25519 instead of ECDSA**: Ed25519 is more secure and efficient
- **Key Rotation**: Regularly rotate SSH keys (every 6-12 months)
- **Remove Unused Keys**: Delete any keys that are no longer needed
- **Use Separate Keys**: Use different keys for different purposes (deploy vs. personal)
### 3. Key Management
If the key is still needed:
- Document its purpose in `SSH_SETUP.md`
- Add it to password manager for backup
- Set calendar reminder for rotation
If the key is not needed:
- Remove it from GitHub deploy keys
- Remove it from personal SSH keys
- Remove it from any VPS authorized_keys
- Remove it from GitHub Actions secrets
### 4. Migration to Ed25519
If this key is still in use, consider migrating to Ed25519:
```bash
# Generate new Ed25519 key
ssh-keygen -t ed25519 -C "your_email@example.com" -f ~/.ssh/id_ed25519_deploy
# Display public key
cat ~/.ssh/id_ed25519_deploy.pub
# Add to GitHub and remove old ECDSA key
```
## Next Steps
1. **Owner Action Required**: @mouy-leng should:
   - Check GitHub repository settings for deploy keys
   - Check personal GitHub SSH keys
   - Check any VPS/server configurations
   - Confirm whether this key is still needed
2. **If Key is Found**:
   - Document its purpose
   - Update `SSH_SETUP.md` with details
   - Consider rotating to Ed25519
3. **If Key is Not Found**:
   - Key may have been removed already
   - No action needed
## References
- [GitHub SSH Key Documentation](https://docs.github.com/en/authentication/connecting-to-github-with-ssh)
- [Ed25519 vs ECDSA](https://security.stackexchange.com/questions/50878/ecdsa-vs-ecdh-vs-ed25519-vs-curve25519)
- Repository SSH Setup: `SSH_SETUP.md`
## Audit Log
| Date | Action | User |
|------|--------|------|
| 2026-02-18 | Initial investigation | GitHub Copilot Agent |
| 2026-02-18 | Key not found in repository | GitHub Copilot Agent |
| 2026-02-18 | Audit document created | GitHub Copilot Agent |
---
**Status**: ⚠️ Awaiting owner verification
**Priority**: Medium (Security review)