GitHub was forced to change its RSA SSH key today, after the private key was briefly exposed in a public GitHub repository.
That’s why users who connected today to GitHub.com via SSH got a message when logging in that read, “Warning! Remote Host Identification Has Changed.” The IT administrator has to remove the old key and manually update systems to a new key.
“Out of an abundance of caution we replaced our RSA SSH host key used to secure Git operations for GitHub.com,” the Microsoft-owned platform explained in a blog. “We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.”
Only GitHub.com’s RSA SSH key was replaced. No change is required for those who use ECDSA (Elliptic Curve Digital Signature Algorithm) or Ed25519 for their keys.
A brief explanation: RSA is an asymmetric encryption algorithm that uses a key pair for encrypting and decrypting data. A private and public key are created, with the public key being accessible to anyone and the private key known only by the key pair creator. GitHub hasn’t explained how its private key was exposed, but it created a big security hole.
GitHub Actions users may see failed workflow runs if they are using
actions/checkout with the
ssh-key option, notes the blog. GitHub is updating the
actions/checkout action in all supported tags, including @v2, @v3, and @main. Developers who pin the action to a commit SHA and use the
ssh-key option will need to update their workflows.
“Human errors happen,” said David Shipley, CEO of New Brunswick’s Beauceron Security. “I’m glad they caught it and took action. Loads of folks, as many as 100 million, use GitHub and while this is an inconvenience, GitHub did the right thing.
“It’s just a good reminder that we’re all one bad Friday away from a code-pocalypse.”