
GitHub Replaces RSA SSH Host Key After Brief Exposure

Cloud-based repository hosting service GitHub has replaced the RSA SSH host key it uses to secure Git operations. The replacement, carried out at 05:00 UTC on March 24, 2023, is said to be a measure to prevent any bad actor from impersonating the service or eavesdropping on users' operations over SSH. The key does not grant access to GitHub's infrastructure or customer data, according to Mike Hanley, chief security officer and SVP of engineering at GitHub.

The move does not impact web traffic to GitHub or Git operations performed via HTTPS. No change is required for ECDSA or Ed25519 users.

The Microsoft-owned company said there is no evidence that the exposed SSH private key was exploited by adversaries. It further emphasized that the "issue was not the result of a compromise of any GitHub systems or customer information." It blamed the issue on an "inadvertent publishing of private information." It also noted that GitHub Actions users may see failed workflow runs if they are using actions/checkout with the ssh-key option, adding that it is in the process of updating the action across all tags.

