Search here...
SUBSCRIBE
Security

Can’t log into GitHub? Change your SSH key

Share post:

Howard Solomon
Howard Solomon
1 min.

GitHub was forced to change its RSA SSH key today, after the private key was briefly exposed in a public GitHub repository.

That’s why users who connected today to GitHub.com via SSH got a message when logging in that read, “Warning! Remote Host Identification Has Changed.” The IT administrator has to remove the old key and manually update systems to a new key.

“Out of an abundance of caution we replaced our RSA SSH host key used to secure Git operations for GitHub.com,” the Microsoft-owned platform explained in a blog. “We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.”

Only GitHub.com’s RSA SSH key was replaced. No change is required for those who use ECDSA (Elliptic Curve Digital Signature Algorithm) or Ed25519 for their keys.

A brief explanation: RSA is an asymmetric encryption algorithm that uses a key pair for encrypting and decrypting data. A private and public key are created, with the public key being accessible to anyone and the private key known only by the key pair creator. GitHub hasn’t explained how its private key was exposed, but it created a big security hole.

GitHub Actions users may see failed workflow runs if they are using actions/checkout with the ssh-key option, notes the blog. GitHub is updating the actions/checkout action in all supported tags, including @v2, @v3, and @main. Developers who pin the action to a commit SHA and use the ssh-key option will need to update their workflows.

“Human errors happen,” said David Shipley, CEO of New Brunswick’s Beauceron Security. “I’m glad they caught it and took action. Loads of folks, as many as 100 million, use GitHub and while this is an inconvenience, GitHub did the right thing.

“It’s just a good reminder that we’re all one bad Friday away from a code-pocalypse.”

The post Can’t log into GitHub? Change your SSH key first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Podcasts

Cyber Security Today, Week in Review for week ending Friday May 17, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, May 17th,...
Podcasts

Cyber Security Today, May 17, 2024 – Malware hiding in Apache Tomcat servers

Malware hiding in Apache Tomcat servers, new backdoors found, and more Welcome to Cyber Security Today. It's Friday, May...
Legal

MIT students exploit blockchain vulnerability to steal 25 million dollars

Two MIT students have been implicated in a highly sophisticated cryptocurrency heist, where they reportedly exploited a vulnerability...
Podcasts

Cyber Security Today, May 15, 2024 – Ebury botnet still exploits Linux servers, Microsoft, SAP and Apple issue security updates

The Ebury botnet continues to exploit Linux servers, Microsoft, SAP and Apple issue security updates, and more. Welcome to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways

Subscribe Now

Tech News Day is a daily publication featuring key news stories about technology and how it affects businesses.

Most Popular Categories
Tech News Delivered

New, Relevant Tech Stories. Our selection is done by industry professionals - executives like you who pick the top stories for that day. Our writers summarize them to give you the key takeaways

Subscribe