Some GitHub users must take action after RSA SSH host key exposed

Some GitHub users will have to make changes to their terminal code after the platform replaced its RSA SSH host key after it was exposed.

The key was only "briefly exposed" in a public GitHub repository, it said, but took the measure to replace the key "out of an abundance of caution".

Mike Hanley, CSO and SVP of engineering at GitHub, assured users that GitHub’s systems haven’t been compromised, but that the key was exposed due to “an inadvertent publishing of private information”.

“We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH,” Hanley said in a blog post.

“This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.”

Secure Shell (SSH) keys are used in the SSH protocol as an access credential. It allows users to securely access network resources, including servers, and use them as if they were local machines.

Host keys are unique to each SSH client and if one was stolen and then abused, attackers could perform man in the middle (MITM) attacks to access user passwords or execute commands.

GitHub said that only the RSA SSH key was replaced, and users who rely on ECDSA or Ed25519 keys don’t need to make any changes.

However, GitHub users who see the message “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!” when connecting to GitHub.com through SSH will have to make some changes.

Users need to remove the old SSH key by running the command '$ ssh-keygen -R github.com'.

Alternatively, they can also update their ~/.ssh/known_hosts file manually to get rid of the old key, and add the new one by inserting a new line that can be found in the company’s blog post.

Another method users can deploy is automatically updating the key in their ~/.ssh/known_hosts by running specific code in their terminal, which can also be found on GitHub’s blog post.

“This is maybe as bad as Heartbleed,” said Daniel Feldman, cloud security architect for HPE on Twitter.

"Everything was exposed, across many platforms and services, retroactively going back some period of time (we’re not sure how long yet).

“Like Heartbleed, it will be very difficult to prove whether or not someone actually used the exploit. They just might have.”

Heartbleed was a security bug introduced into the OpenSSL cryptography library in 2012 but only disclosed in 2014. The vulnerability allowed potential hackers to read the memory of websites affected with the bug, opening the possibility for cyber criminals to discover encryption keys.

In October 2021, GitHub revoked all SSH keys used in its GUI client GitKraken after it discovered that the software client was generating weak SSH keys.

GitKraken disclosed the flaw, detailing that weak keys could lead to a higher probability of key duplication. GitHub notified users whose keys had been revoked, and recommended developers to review SSH keys linked to GitHub accounts.