Can’t log into GitHub? Change your SSH key

GitHub was forced to change its RSA SSH key today, after the private key was briefly exposed in a public GitHub repository.

That’s why users who connected today to GitHub.com via SSH got a message when logging in that read, “Warning! Remote Host Identification Has Changed.” The IT administrator has to remove the old key and manually update systems to a new key.

“Out of an abundance of caution we replaced our RSA SSH host key used to secure Git operations for GitHub.com,” the Microsoft-owned platform explained in a blog. “We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.”

Only GitHub.com’s RSA SSH key was replaced. No change is required for those who use ECDSA (Elliptic Curve Digital Signature Algorithm) or Ed25519 for their keys.

A brief explanation: RSA is an asymmetric encryption algorithm that uses a key pair for encrypting and decrypting data. A private and public key are created, with the public key being accessible to anyone and the private key known only by the key pair creator. GitHub hasn’t explained how its private key was exposed, but it created a big security hole.

GitHub Actions users may see failed workflow runs if they are using actions/checkout with the ssh-key option, notes the blog. GitHub is updating the actions/checkout action in all supported tags, including @v2, @v3, and @main. Developers who pin the action to a commit SHA and use the ssh-key option will need to update their workflows.

“Human errors happen,” said David Shipley, CEO of New Brunswick’s Beauceron Security. “I’m glad they caught it and took action. Loads of folks, as many as 100 million, use GitHub and while this is an inconvenience, GitHub did the right thing.

“It’s just a good reminder that we’re all one bad Friday away from a code-pocalypse.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs

 

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.