GitHub, a Microsoft subsidiary, has replaced its RSA SSH host key after someone inadvertently published the private half of that key pair in a public GitHub repository.
While some may assume the private key was exposed through a threat actor's malicious intent, it was in fact exposed through human error. SSH keys come in public and private halves; public keys can be shared or published freely, but private keys must stay ... well, private. GitHub has not disclosed who published the key or where it was published, but its administrators explained the situation in a blog post.
"This week, we discovered that GitHub.com's RSA SSH private key was briefly exposed in a public GitHub repository. We immediately acted to contain the exposure and began investigating to understand the root cause and impact. We have now completed the key replacement, and users will see the change propagate over the next thirty minutes," GitHub stated in the blog post.
GitHub replaced the RSA SSH host key to protect users against the possibility that an adversary had obtained the private key. With it, a threat actor could impersonate GitHub.com to SSH clients, monitor users' operations, or use that impersonation for follow-on attacks.
The blog post explained that the change does not affect any customer data, requires no change to ECDSA or Ed25519 host keys or to GitHub's infrastructure, and affects only operations "over SSH using RSA."
Users who see a warning message need to remove the old host key entry in one of three ways: editing the file by hand to delete the old entry; running the command GitHub listed on its blog; or relying on automatic updates where those are turned on. Once the fingerprint they see reads "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s," users have verified that their hosts are connecting to the new RSA SSH key.
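The clean-up and verification steps above, as an added Python example (not GitHub's own tooling or the command from its blog): it drops only the stale RSA entries for a host from known_hosts text (plain and hashed entries alike, leaving ECDSA/Ed25519 entries in place) and checks a fetched public key's SHA256 fingerprint against the one GitHub published. The known_hosts contents, IP address and key blobs are constructed placeholders.

```python
"""Rotate a host key locally: drop stale known_hosts entries for one host and
key type, then check the replacement key's fingerprint before trusting it."""
import base64
import hashlib
import hmac

# Fingerprint GitHub published for the replacement RSA host key.
EXPECTED_RSA_FP = "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"

# Constructed sample known_hosts: a stale RSA entry for github.com, an Ed25519
# entry that must survive, and an unrelated host. Blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
github.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== old-rsa-placeholder
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA== ed25519-placeholder
example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== other-host
"""

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64-blob [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host_token(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hmac' host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _entry_matches(host_field: str, host: str) -> bool:
    if host_field.startswith("|1|"):  # hashed entry: recompute the HMAC with its salt
        _, _, salt_b64, _ = host_field.split("|")
        return hmac.compare_digest(hashed_host_token(host, base64.b64decode(salt_b64)), host_field)
    return host in host_field.split(",")  # plain entries may list several names/addresses

def remove_host_entries(known_hosts: str, host: str, key_type: str = "ssh-rsa") -> str:
    """Return known_hosts text without entries for `host` of the given key type."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and fields[1] == key_type and _entry_matches(fields[0], host):
            continue  # stale entry for the rotated key
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")

def verify_new_key(pubkey_line: str, expected_fp: str = EXPECTED_RSA_FP) -> bool:
    """True only if the fetched host key has exactly the published fingerprint."""
    return hmac.compare_digest(fingerprint(pubkey_line), expected_fp)
```

In practice the inputs are the contents of ~/.ssh/known_hosts and the line printed by `ssh-keyscan -t rsa github.com`; the placeholder blob above deliberately fails the fingerprint check.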