GitHub Replaces RSA SSH Host Key After Exposure in Public Repository

GitHub Replaces RSA SSH Host Key After Exposure in Public Repository

GitHub, the cloud-based repository hosting service, has announced that it has replaced its RSA SSH host key used to secure Git operations for The move was made after the key was briefly exposed in a public GitHub repository. The key replacement was carried out to prevent any bad actors from impersonating the service or eavesdropping on users' operations over SSH. It is important to note that this key does not grant access to GitHub's infrastructure or customer data, and that web traffic to and Git operations performed via HTTPS are not affected.

The activity was carried out at 05:00 UTC on March 24, 2023, and the company stated that there is no evidence that the exposed SSH private key was exploited by adversaries. The Microsoft-owned company emphasized that the "issue was not the result of a compromise of any GitHub systems or customer information." Instead, it was blamed on the inadvertent publishing of private information.

According to Mike Hanley, chief security officer and SVP of engineering at GitHub, the change only impacts Git operations over SSH using RSA. ECDSA or Ed25519 users do not need to make any changes. However, GitHub Actions users who use actions/checkout with the ssh-key option may see failed workflow runs, and the company is in the process of updating the action across all tags.

This disclosure comes after GitHub revealed that unknown threat actors exfiltrated encrypted code signing certificates for some versions of GitHub Desktop for Mac and Atom apps two months ago.

If you are using the ECDSA or Ed25519 keys, no change is required, and no action is needed. However, if you receive a warning message that the remote host identification has changed, you will need to remove the old key by running a command and then add the new RSA SSH public key entry to your ~/.ssh/known_hosts file.

In conclusion, GitHub has taken proactive steps to ensure the security of its users' Git operations over SSH by replacing its RSA SSH host key. This move serves as a reminder of the importance of regularly reviewing and updating security measures to prevent any unauthorized access or exposure of sensitive information.