GitHub's Private RSA SSH Key Mistakenly Exposed in Public RepositoryGitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository
GitHub hastens to replace its RSA SSH host key after an exposure mishap threatens users with man-in-the-middle attacks and organization impersonation.
March 24, 2023

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of the encryption scheme in an open GitHub repository.
While some may jump in alarm, assuming that the private keys were exposed due to the malicious intent of a threat actor, in truth, this occurred because of human error. There are private and public versions of SSH keys, and though public keys can be shared or published, it's essential that private keys are kept ... well, private. Though GitHub has not disclosed who published the keys or where they were published, administrators posted on their blog explaining the situation.
"This week, we discovered that GitHub.com's RSA SSH private key was briefly exposed in a public GitHub repository. We immediately acted to contain the exposure and began investigating to understand the root cause and impact. We have now completed the key replacement, and users will see the change propagate over the next thirty minutes," GitHub stated in the blog post.
GitHub replaced the RSA SSH host key to protect their users from the possibility that an adversary had seen the private key. Threat actors could use it to monitor users' operations or impersonate GitHub for follow-on attacks.
The blog post explained that the change does not affect any customer data, requires no change for ECDSA or Ed25519, or the infrastructure of GitHub — only the operations "over SSH using RSA."
If users see a warning message, they'll need to remove old keys by way of three options: manually updating the file to remove the old entry; running a new command that GitHub listed on its blog; or via automatic updates if those are turned on. Once users see the fingerprint that reads "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s," they will have verified that their hosts are connected to the new RSA SSH key.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication Methods
Oct 26, 2023Modern Supply Chain Security: Integrated, Interconnected, and Context-Driven
Nov 06, 2023How to Combat the Latest Cloud Security Threats
Nov 06, 2023Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and Phishing
Nov 01, 2023SecOps & DevSecOps in the Cloud
Nov 06, 2023