Search here...
SUBSCRIBE
Security

Can’t log into GitHub? Change your SSH key

Share post:

Howard Solomon
Howard Solomon
1 min.

GitHub was forced to change its RSA SSH key today, after the private key was briefly exposed in a public GitHub repository.

That’s why users who connected today to GitHub.com via SSH got a message when logging in that read, “Warning! Remote Host Identification Has Changed.” The IT administrator has to remove the old key and manually update systems to a new key.

“Out of an abundance of caution we replaced our RSA SSH host key used to secure Git operations for GitHub.com,” the Microsoft-owned platform explained in a blog. “We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.”

Only GitHub.com’s RSA SSH key was replaced. No change is required for those who use ECDSA (Elliptic Curve Digital Signature Algorithm) or Ed25519 for their keys.

A brief explanation: RSA is an asymmetric encryption algorithm that uses a key pair for encrypting and decrypting data. A private and public key are created, with the public key being accessible to anyone and the private key known only by the key pair creator. GitHub hasn’t explained how its private key was exposed, but it created a big security hole.

GitHub Actions users may see failed workflow runs if they are using actions/checkout with the ssh-key option, notes the blog. GitHub is updating the actions/checkout action in all supported tags, including @v2, @v3, and @main. Developers who pin the action to a commit SHA and use the ssh-key option will need to update their workflows.

“Human errors happen,” said David Shipley, CEO of New Brunswick’s Beauceron Security. “I’m glad they caught it and took action. Loads of folks, as many as 100 million, use GitHub and while this is an inconvenience, GitHub did the right thing.

“It’s just a good reminder that we’re all one bad Friday away from a code-pocalypse.”

The post Can’t log into GitHub? Change your SSH key first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Podcasts

Cyber Security Today, May 3, 2024 – North Korea exploits weak email DMARC settings, and the latest Verizon analysis of thousands of data breaches

This episode reports on warnings about threats from China, Russia and North Korea, the hack of Dropbox Sign's infrastructure
Podcasts

Hashtag Trending for World Password Day, Thursday, May 2nd, 2024

Security firm Okta warns of an unprecendented password stuffing attack that is piggybacking on regular user’s mobile and...
Security

Google Chrome’s new post-quantum cryptography causes connection issues

The latest update to Google Chrome, version 124, which integrates a new quantum-resistant encryption mechanism, has led to...
Security

UK legislation bans weak passwords

Starting Monday, the UK will enforce new laws banning the sale of devices with weak default passwords such...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways

Subscribe Now

Tech News Day is a daily publication featuring key news stories about technology and how it affects businesses.

Most Popular Categories
Tech News Delivered

New, Relevant Tech Stories. Our selection is done by industry professionals - executives like you who pick the top stories for that day. Our writers summarize them to give you the key takeaways

Subscribe