https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

 / Blog

  * Engineering
  * Product
  * Security
  * Open Source
  * Enterprise
  * Changelog
  * Community
  * Education
  * Company
  * Policy

Free trial Contact sales  
Search by Keyword
[                    ]
Search
  * Security

We updated our RSA SSH host key

At approximately 05:00 UTC on March 24, out of an abundance of
caution, we replaced our RSA SSH host key used to secure Git
operations for GitHub.com.

We updated our RSA SSH host key
Author
Mike HanleyMike Hanley
March 23, 2023

  *  
  *  
  *  

At approximately 05:00 UTC on March 24, out of an abundance of
caution, we replaced our RSA SSH host key used to secure Git
operations for GitHub.com. We did this to protect our users from any
chance of an adversary impersonating GitHub or eavesdropping on their
Git operations over SSH. This key does not grant access to GitHub's
infrastructure or customer data. This change only impacts Git
operations over SSH using RSA. Web traffic to GitHub.com and HTTPS
Git operations are not affected.

Only GitHub.com's RSA SSH key was replaced. No change is required for
ECDSA or Ed25519 users. Our keys are documented here.

What happened and what actions have we taken? 

This week, we discovered that GitHub.com's RSA SSH private key was
briefly exposed in a public GitHub repository. We immediately acted
to contain the exposure and began investigating to understand the
root cause and impact. We have now completed the key replacement, and
users will see the change propagate over the next thirty minutes.
Some users may have noticed that the new key was briefly present
beginning around 02:30 UTC during preparations for this change.

Please note that this issue was not the result of a compromise of any
GitHub systems or customer information. Instead, the exposure was the
result of what we believe to be an inadvertent publishing of private
information. We have no reason to believe that the exposed key was
abused and took this action out of an abundance of caution.

What you can do 

If you are using our ECDSA or Ed25519 keys, you will not notice any
change and no action is needed.

If you see the following message when connecting to GitHub.com via
SSH, then read onward.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.

If you see the above message, you'll need to remove the old key by
running this command:

$ ssh-keygen -R github.com

Or manually updating your ~/.ssh/known_hosts file to remove the old
entry.

Then, you can manually add the following line to add the new RSA SSH
public key entry to your ~/.ssh/known_hosts file:

github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=

Or automatically update GitHub.com's RSA SSH key in your ~/.ssh/
known_hosts, by running the following in your terminal:

$ ssh-keygen -R github.com
$ curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts

You can verify that your hosts are connecting via our new RSA SSH key
by confirming that you see the following fingerprint:

 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s

GitHub Actions users may see failed workflow runs if they are using
actions/checkout with the ssh-key option. We are updating the actions
/checkout action in all our supported tags, including @v2, @v3, and
@main. If you pin the action to a commit SHA and use the ssh-key
option, you'll need to update your workflow. You can read more about
this process in our official documentation for Actions security
hardening.

For more information, please visit our official documentation on
GitHub's SSH public key fingerprints.

The GitHub Insider Newsletter

Get the best of GitHub. Once a month. Directly to your inbox.

Subscribe

Related posts

Build a secure code mindset with the GitHub Secure Code Game
Education

Build a secure code mindset with the GitHub Secure Code Game

Writing secure code is as much of an art as writing functional code,
and it is the only way to write quality code. Learn how our Secure
Code Game can provide you with hands-on training to spot and fix
security issues in your code so that you can build a secure code
mindset.

Joseph Katsioloudes
Introducing GitHub vulnerability management integrations for security
professionals
Product

Introducing GitHub vulnerability management integrations for security
professionals

Learn about using GitHub Advanced Security alerts with vulnerability
management tools. Check out the integrations and learn about how to
get started.

Alexander De Michieli & Griffin Ashe
Raising the bar for software security: GitHub 2FA begins March 13
Policy

Raising the bar for software security: GitHub 2FA begins March 13

On March 13, we will officially begin rolling out our initiative to
require all developers who contribute code on GitHub.com to enable
one or more forms of two-factor authentication (2FA) by the end of
2023. Read on to learn about what the process entails and how you can
help secure the software supply chain with 2FA.

Laura Paine & Hirsch Singhal

Explore more from GitHub

Security

Security

Secure platform, secure data. Everything you need to make security
your #1.
Learn more
Join GitHub Galaxy

Join GitHub Galaxy

Register now for our global enterprise event on March 28-31.
Register now
GitHub Advanced Security

GitHub Advanced Security

Secure your code without disrupting innovation.
Learn more
Work at GitHub!

Work at GitHub!

Check out our current job openings.
Learn more

Subscribe to The GitHub Insider

A newsletter for developers covering techniques, technical guides,
and the latest product innovations coming from GitHub.

[                    ]
Subscribe
[ ] Yes please, I'd like GitHub and affiliates to use my information
for personalized communications, targeted advertising and campaign
effectiveness. See the GitHub Privacy Statement for more details.
Subscribe
 

Product

  * Features
  * Security
  * Enterprise
  * Customer Stories
  * Pricing
  * Resources

Platform

  * Developer API
  * Partners
  * Atom
  * Electron
  * GitHub Desktop

Support

  * Docs
  * Community Forum
  * Training
  * Status
  * Contact

Company

  * About
  * Blog
  * Careers
  * Press
  * Shop

  * GitHub on Twitter
  * GitHub on Facebook
  * GitHub on YouTube
  * GitHub on Twitch
  * GitHub on TikTok
  * GitHub on LinkedIn
  * GitHub's organization on GitHub

  * (c) 2023 GitHub, Inc.
  * Terms
  * Privacy