GitHub Replaces Exposed RSA SSH Key To Keep Git Operations

By   Adeola Adegunwa
Writer, Informationsecuritybuzz | Mar 24, 2023 07:46 am PST

GitHub has rotated the RSA SSH host key for GitHub.com after the private key was unintentionally published. The software development and version control provider acted out of “an excess of caution” after the private RSA key was briefly exposed. In a brief blog post this week, GitHub acknowledged that GitHub.com’s RSA SSH private key had been exposed in a public GitHub repository.

“We immediately responded to contain the exposure and began researching to determine the fundamental cause and impact,” writes Mike Hanley, GitHub’s Chief Security Officer and SVP of Engineering. “After 30 minutes, consumers will notice the key replacement. The new key appeared at about 02:30 UTC amid preparations for this shift.”

New Findings After GitHub Enabled Secret Scanning

GitHub has published the current public key fingerprints for GitHub.com; these are what you compare against to verify that an SSH connection is reaching the genuine host. Only GitHub.com’s RSA SSH key was replaced, so users connecting with ECDSA or Ed25519 host keys need no adjustment. “Please note that this problem was not the consequence of any GitHub systems or customer information compromise,” writes GitHub.

Instead, confidential information was accidentally published. The blog post does not say when the key was exposed or for how long, so the window of exposure is unclear; security logs and the Git commit history of the repository in question would hold those timestamps.

GitHub rotated the key “out of an abundance of caution” despite having “no reason to assume” it was abused. Rotating a host key after even a brief leak is the right call: anyone holding the private key could impersonate the server and, by doing so, intercept users’ SSH sessions. Because SSH clients trust a host key on first use and keep it in known_hosts, the leaked key also stays trusted on every client until its entry is removed.

Hanley said the leaked RSA key does not allow access to GitHub’s infrastructure or customer data. “This modification solely affects SSH-RSA Git activities. HTTPS Git and GitHub.com traffic are unaffected.” Many documentation pages and software projects, GitHub’s own included, still reference the fingerprint of the now-replaced RSA host key.

Users who connect over SSH with RSA should remove the old entry from their ~/.ssh/known_hosts file and add GitHub’s updated key; otherwise the SSH client aborts the connection with a host-key-changed warning. When that warning appears, compare the fingerprint shown on screen with GitHub.com’s newest published key before accepting anything. Last year, GitHub began publishing its current SSH host keys through its API metadata endpoint.
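One way to check a known_hosts file against published fingerprints, written here as an added example for this article (it is not GitHub’s tooling): it recomputes each entry’s SHA256 fingerprint the way ssh-keygen -lf does, understands hashed host entries, and flags the stale RSA entry that would otherwise trigger the host-key-changed warning. The key blobs, salt, IP address and “pinned” fingerprints are constructed for the demo and are not GitHub’s real keys; the function names are my own.

```python
# Added example (not GitHub's code): audit known_hosts entries for a host against
# pinned fingerprints, the way a client would after a host-key rotation.
# All keys, salts, addresses and "pinned" values below are constructed for the demo.
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


def blob_key_type(blob: bytes) -> str:
    """Algorithm name embedded at the start of every OpenSSH public-key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: base64 of SHA-256, '=' padding dropped."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")


def hash_host(hostname: str, salt: bytes) -> str:
    """HashKnownHosts-style host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{b64(salt)}|{b64(mac)}"


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) names hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")  # plain entries may list several names


def parse_line(line: str):
    """Parse one known_hosts line into (host_field, keytype, blob); None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):  # leading marker such as @cert-authority or @revoked
        fields = fields[1:]
    host_field, keytype, blob = fields[0], fields[1], base64.b64decode(fields[2])
    if blob_key_type(blob) != keytype:  # declared type must match the blob's own header
        raise ValueError(f"key type mismatch in entry for {host_field}")
    return host_field, keytype, blob


def audit(known_hosts: str, hostname: str, pinned: dict) -> list:
    """Return [(keytype, fingerprint, status)] for each entry naming hostname.
    status: 'ok' (matches pinned), 'stale' (pinned type, different fingerprint:
    a pre-rotation key to remove) or 'unpinned' (no published value to compare)."""
    results = []
    for line in known_hosts.splitlines():
        parsed = parse_line(line)
        if parsed is None or not host_matches(parsed[0], hostname):
            continue
        _, keytype, blob = parsed
        fp = fingerprint(blob)
        if keytype not in pinned:
            status = "unpinned"
        elif fp == pinned[keytype]:
            status = "ok"
        else:
            status = "stale"
        results.append((keytype, fp, status))
    return results


# Constructed demo data: synthetic blobs in OpenSSH wire format, NOT real host keys.
OLD_RSA = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\x9a" * 64)
NEW_RSA = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\x5c" * 64)
ED25519 = ssh_string(b"ssh-ed25519") + ssh_string(b"\x42" * 32)

# What the "published" fingerprints look like after rotating only the RSA key.
PINNED = {"ssh-rsa": fingerprint(NEW_RSA), "ssh-ed25519": fingerprint(ED25519)}

# A client's known_hosts still holding the pre-rotation RSA key (hashed entry)
# next to the unchanged Ed25519 key (plain entry with a TEST-NET address).
DEMO_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    f"{hash_host('github.com', b'saltsaltsaltsalt0123')} ssh-rsa {b64(OLD_RSA)}",
    f"github.com,192.0.2.10 ssh-ed25519 {b64(ED25519)}",
])

if __name__ == "__main__":
    for keytype, fp, status in audit(DEMO_KNOWN_HOSTS, "github.com", PINNED):
        print(f"{status:8s} {keytype:12s} {fp}")
```

To use it for real, read ~/.ssh/known_hosts into audit() and fill PINNED with the fingerprints GitHub publishes. A stale entry is removed with ssh-keygen -R github.com; the replacement key can be fetched with ssh-keyscan -t rsa github.com, saved to a file and checked with ssh-keygen -lf on that file, and only added once the fingerprint matches the published value.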

Conclusion

GitHub replaced the RSA SSH host key used to secure Git operations on GitHub.com “out of an excess of caution” after it was briefly exposed in a public repository. The swap was made at 05:00 UTC on March 24, 2023, to stop rogue actors from impersonating the service or intercepting SSH users’ connections. “This key does not enable access to GitHub’s infrastructure or customer data,” wrote Mike Hanley, GitHub’s chief security officer and SVP of engineering. “This modification solely affects SSH-RSA Git activities.” GitHub.com web traffic and HTTPS Git operations are unaffected, and users connecting with ECDSA or Ed25519 host keys need no adjustment.

The Microsoft-owned company said there was no indication that adversaries had used the leaked SSH private key. “No GitHub systems or customer information were compromised,” it added, attributing the incident to “inadvertent disclosure of sensitive information.” GitHub Actions workflows that use actions/checkout with the ssh-key option may see failed runs, because the action writes its own known_hosts entry for github.com; GitHub said it is updating the action across all tags. Nearly two months earlier, GitHub disclosed that unknown threat actors had stolen encrypted code signing certificates for several versions of GitHub Desktop for Mac and the Atom editor.
