After accidentally publishing its private SSH key for the main Github site in a public repository, Github has acknowledged the error in a blog and announced that it’ll be rotating the key. The announcement claims that the key was only briefly exposed but the rotation is being done out of an abundance of caution.
The key was replaced at approximately 05:00 UTC on March 24. The change only impacts Git operations over SSH and RSA and web traffic to the Github website and HTTPS Git operations aren’t affected. Additionally, since only the RSA SSH key was replaced, no change is required for ECDSA or Ed25519 users.
The blog, written by Mike Hanley, Github’s chief security officer and SVP of engineering, clearly states that the key being published publicly wasn’t a result of a compromise of Github systems or customer information. Instead, it’s believed to “be an inadvertent publishing of private information”. There’s also no evidence to suggest that the exposed key was abused.
The blog also didn’t announce when exactly the key was exposed, and for how long. The timing for the exposure is also interesting as Github started rolling out secrets scanning for all public repositories just a few weeks ago.
While Github may have changed the RSA SSH key, a number of documentation pages and software projects including some by Github itself are still using the SSH fingerprint of the old key. You can use the latest public key fingerprints as mentioned below to validate that your SSH connection to Github servers is secure.
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s (RSA) SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA - deprecated) SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM (ECDSA) SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (Ed25519)
Users are advised to update their ~/.ssh/known_hosts file with the new key fingerprint to avoid seeing security warnings during SSH connections. All of Github’s SSH host keys are also published on its API metadata endpoint.
In the News: OpenAI brings plugin support to ChatGPT