GitHub rotates exposed SSH key to protect users

After accidentally publishing its private SSH key for the main Github site in a public repository, Github has acknowledged the error in a blog and announced that it’ll be rotating the key. The announcement claims that the key was only briefly exposed but the rotation is being done out of an abundance of caution.

The key was replaced at approximately 05:00 UTC on March 24. The change only affects Git operations over SSH that use the RSA host key; web traffic to the Github website and HTTPS Git operations aren’t affected. Additionally, since only the RSA SSH key was replaced, no change is required for ECDSA or Ed25519 users.

The blog, written by Mike Hanley, Github’s chief security officer and SVP of engineering, clearly states that the key being published publicly wasn’t a result of a compromise of Github systems or customer information. Instead, it’s believed to “be an inadvertent publishing of private information”. There’s also no evidence to suggest that the exposed key was abused. 

The blog also didn’t announce when exactly the key was exposed, and for how long. The timing for the exposure is also interesting as Github started rolling out secrets scanning for all public repositories just a few weeks ago. 

While Github may have changed the RSA SSH key, a number of documentation pages and software projects, including some by Github itself, still reference the SSH fingerprint of the old key. You can use the current public key fingerprints listed below to validate that your SSH connection to Github servers is secure.

SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s (RSA)
SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA - deprecated)
SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM (ECDSA)
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (Ed25519)

Users are advised to update their ~/.ssh/known_hosts file with the new key so that SSH no longer warns about a changed host key. All of Github’s SSH host keys are also published on its API metadata endpoint.
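The check a user performs here is the one `ssh-keygen -lf` performs: a SHA256 fingerprint is the base64-encoded SHA-256 of the decoded key blob with its `=` padding stripped, compared against the published list above. The following example code (added here, not Github's tooling) computes that fingerprint, accepts a new host key only if it is on the allow-list, and replaces the plaintext `github.com` entries in a known_hosts file; the `constructed_ed25519_line` helper builds a syntactically valid but made-up key purely for demonstration.

```python
import base64
import hashlib

# Host key fingerprints Github published after the rotation (taken from the article).
GITHUB_FINGERPRINTS = {
    "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s",  # RSA (new key)
    "SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ",  # DSA (deprecated)
    "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",  # ECDSA
    "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",  # Ed25519
}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key type names


def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: sha256 over the decoded
    key blob, base64 with '=' padding stripped. Works on known_hosts lines
    ('host type blob'), ssh-keyscan output, or bare 'type blob' lines."""
    fields = key_line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(KEY_TYPES))
    blob = base64.b64decode(fields[idx + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def is_trusted(key_line: str, allowlist=GITHUB_FINGERPRINTS) -> bool:
    """True only if the key's fingerprint is on the published allow-list."""
    return fingerprint(key_line) in allowlist


def rotate_known_hosts(known_hosts: str, host: str, new_line: str,
                       allowlist=GITHUB_FINGERPRINTS) -> str:
    """Drop every plaintext entry for `host` (what `ssh-keygen -R` does) and
    append `new_line`, refusing a key whose fingerprint is not allow-listed.
    Hashed entries (|1|...) cannot be matched by name, so they are kept, as
    are comments and blank lines."""
    if not is_trusted(new_line, allowlist):
        raise ValueError("new host key fingerprint is not on the allow-list")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        hosts = fields[1] if fields and fields[0].startswith("@") else (fields[0] if fields else "")
        if not fields or line.startswith("#") or hosts.startswith("|1|") or host not in hosts.split(","):
            kept.append(line)
    kept.append(new_line)
    return "\n".join(kept) + "\n"


def constructed_ed25519_line(host: str, fill: int = 0x42) -> str:
    """CONSTRUCTED ssh-ed25519 key line for demonstration only: a well-formed
    wire blob (length-prefixed type name + 32 constant bytes), not a real key."""
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes([fill]) * 32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"
```

Feeding `rotate_known_hosts` the output of `ssh-keyscan -t rsa github.com` is only safe because the fingerprint check runs first; a MITM-supplied key would be rejected rather than pinned.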

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.