GitHub authentication process (1)

I recently read "Agile Software development principles, models, and practices" by Uncle Bob. I have a habit of reading technical books: I first read the sample code in the book, understand the functions of code implementation, and then rewrite the code according to my own understanding, finally, compare the differences between your code and the sample code in the book, find out the differences and analyze them based on the author's discussion. These three steps are the process of understanding the author's ideas-> spontaneous thinking-> summarizing and summarizing. You can think and digest the content in the author's book into your own knowledge, not just the book "know.

To facilitate access at home and at home, I used GitHub, which is very popular recently, to save my own practice code. There are a lot of GitHub introductions on the Internet, and the step by step help on the GitHub homepage is also very detailed. Based on these materials, I soon set up the GitHub environment.
GitHub uses SSH to authenticate the client. Set the key first. To set the key, follow these steps:
1. Generate a key pair on the client
$ Ssh-keygen-t rsa-C zhaohuabing@gmail.com
The generated key pair is saved in two files under the. Ssh directory of the local root directory.
Private Key: id_rsa
Public Key: id_rsa.pub
2. Add the public key content to the account settings-> SSH keys on GitHub.

3. Then, you can submit code and update code on GitHub.

I have a disadvantage that when I do something, my attention will be easily attracted by the details related to the thing. If I am interested in the details, it will go deep into the details and often ignore its original purpose. My nickname is: Casual learning. Now I'm curious about GitHub's authentication mechanism. How does GitHub verify that my local computer has operation permissions?
Google is more reliable. I first learned some basic knowledge about the encryption mechanism through these two Google pages.
Introduction to two-key encryption system
Electronic signatures and digital certificates
Obviously, GitHub uses the two-key mechanism during user authentication. In the two-key encryption mechanism, only valid users have private keys, as long as GitHub can prove that the client that submitted the request has the private key when receiving the request, it can be confirmed that the operation was initiated by a legal user.

How can GitHub confirm that the client computer that submitted the request has the private key? I guess this may be a process like this:
1. The client initiates a request to the GitHub host, which contains the GitHub user name.
2. The GitHub host uses the user name to find the Public Key set by the user in account settings.
3. A Random message is generated on the GitHub host, which is encrypted with the user's public key and returned to the client.
4. The client uses the private key to decrypt the information returned by the GitHub host.
5. The client returns the decrypted information to the GitHub host.
6. The GitHub host compares the decryption information returned by the client with the original information. If yes, the local computer has a private key, that is, the client's identity is verified.

There is another question about using this process for verification: GitHub allows users to add multiple public keys to account setting, so in steps 2 and 2, which public key is used by the GitHub host for encryption/decryption? As mentioned above, both the public key and private key are kept in the. Ssh directory of the Local Computer. When logging on to the local computer, you can send your public key and user name together to the GitHub host. The GitHub host finds the public key sent by the Local Computer in all the public keys of the user account setting. If the public key exists, the encrypted information is generated with the public key and returned to the client.

The content in this article is my personal guess. The user authentication mechanism on GitHub is not necessarily handled in this way. If you understand the authentication mechanism of GitHub, please contact me for a discussion.
If this authentication mechanism is used, there is an obvious defect that cannot be used on a development machine shared by many people, because as long as anyone logs on to this computer with a private key, can be used to modify the GitHub code library. I think this should be avoided. In the next article GitHub authentication process (II), we will further discuss this issue.