GitHub rotates SSH host key after its private key was accidentally made public

GitHub has had to replace its own RSA SSH host key after the platform accidentally committed the private half of the key to a public repository. As a result, many users are now seeing host-key warnings or connection failures when they access their repositories over SSH.

GitHub writes in a short blog post that it has replaced the key. The key, an RSA key, was the host key that authenticates GitHub.com to SSH clients when they make Git connections over SSH. An attacker in possession of the private key and in a position to intercept traffic could impersonate GitHub.com: an SSH client that already trusts the key would accept the attacker's server as genuine, so users could be tricked into pushing code to, or pulling code from, a fake server.

GitHub gives few details about exactly what happened. The platform says the private key was exposed in a public GitHub repository for “a short while”. Which repository that was and how long the key was visible there is unknown. GitHub says there is “no reason to believe the key has been misused” and that the key has now been rotated. Only the RSA host key is affected; users whose clients connect using GitHub's ECDSA or Ed25519 host keys are not affected by the change, because those keys were not exposed.

Users who access a GitHub repository over SSH do not need to change their own keys, since only GitHub's host key was exposed. What they do need to do is remove the old GitHub.com RSA host key from their known_hosts file and add the new one, whose fingerprint is SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s. Because GitHub's host key has changed, SSH clients that still have the old key on record will warn that the remote host identification has changed and refuse to connect until the entry is updated. GitHub has posted instructions online on how to modify the known_hosts file: the stale entry is removed with ssh-keygen -R github.com, after which the new key is added. The fingerprint of the new key should be compared against the one GitHub published rather than accepted blindly at the connection prompt, since a “key has changed” warning is exactly what an impersonation attempt would also produce.
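The following is an added example, not code from the article or from GitHub, showing how the SHA256 fingerprint quoted above is derived from a public-key line (SHA-256 over the decoded key blob, base64 without padding, as ssh-keygen -lf prints it) and how a known_hosts update should behave: replace only the github.com entry of the key type being rotated, leave the ECDSA/Ed25519 entries and other hosts untouched, and refuse outright when the candidate key does not match the fingerprint published out of band. All keys and the known_hosts contents are constructed for the example; the RSA blobs are structurally valid but are not real key pairs, and the GITHUB_RSA_FINGERPRINT constant is the one from the article. In practice the same outcome is reached with ssh-keygen -R github.com followed by appending GitHub's published key, but the logic below makes explicit what that procedure has to check.

```python
import base64
import hashlib
import struct

# Fingerprint GitHub published for its replacement RSA host key (quoted in the article).
GITHUB_RSA_FINGERPRINT = "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (a leading 0x00 is added if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def pubkey_line(keytype: str, *fields: bytes) -> str:
    """Build an OpenSSH public-key line '<type> <base64 blob>' from wire-format fields."""
    blob = _ssh_string(keytype.encode()) + b"".join(fields)
    return f"{keytype} {base64.b64encode(blob).decode()}"


def ssh_fingerprint(key_line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: unpadded base64 of SHA-256(blob)."""
    blob_b64 = key_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rotate_host_key(known_hosts: str, host: str, new_key_line: str, expected_fp: str) -> str:
    """Return known_hosts with host's entries of new_key_line's type replaced by new_key_line.

    Refuses (ValueError) when the new key's fingerprint differs from the one obtained
    out of band. Entries for other hosts and other key types are kept. Hashed
    entries (|1|...) cannot be matched to a hostname by this simplified parser and
    are left as they are; ssh-keygen -R handles those.
    """
    fp = ssh_fingerprint(new_key_line)
    if fp != expected_fp:
        raise ValueError(f"refusing to trust {host}: got {fp}, expected {expected_fp}")
    new_type = new_key_line.split()[0]
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        i = 1 if fields and fields[0].startswith("@") else 0  # skip @cert-authority/@revoked marker
        if len(fields) >= i + 3 and not fields[i].startswith("|1|"):
            if host in fields[i].split(",") and fields[i + 1] == new_type:
                continue  # drop the stale entry of the type being rotated
        kept.append(line)
    kept.append(f"{host} {new_key_line.strip()}")
    return "\n".join(kept) + "\n"


def _constructed_rsa(seed: bytes) -> str:
    """Structurally valid ssh-rsa blob (e=65537, 2048-bit-ish n); constructed, not a real key."""
    n = int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | 1
    return pubkey_line("ssh-rsa", _ssh_mpint(65537), _ssh_mpint(n))


OLD_RSA = _constructed_rsa(b"old github rsa host key (constructed)")
NEW_RSA = _constructed_rsa(b"new github rsa host key (constructed)")
ECDSA = pubkey_line("ecdsa-sha2-nistp256", _ssh_string(b"nistp256"), _ssh_string(b"\x04" + bytes(64)))

# Constructed known_hosts: GitHub's old RSA and its ECDSA entry, plus an unrelated host.
# 192.0.2.1 is a documentation address, not a GitHub IP.
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"example.org {ECDSA}",
    f"github.com,192.0.2.1 {OLD_RSA}",
    f"github.com {ECDSA}",
]) + "\n"


def demo_accept() -> str:
    """Happy path: the candidate key matches the fingerprint we verified, so it is installed."""
    return rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", NEW_RSA, ssh_fingerprint(NEW_RSA))


def demo_reject() -> bool:
    """Our constructed key is not GitHub's, so checking it against the published fingerprint must fail."""
    try:
        rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", NEW_RSA, GITHUB_RSA_FINGERPRINT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("old fingerprint:", ssh_fingerprint(OLD_RSA))
    print("new fingerprint:", ssh_fingerprint(NEW_RSA))
    print(demo_accept())
    print("impostor key rejected:", demo_reject())
```

The point of the mismatch path is the one the article's warning hinges on: a “remote host identification has changed” prompt looks identical whether GitHub rotated its key or someone is impersonating GitHub, so the only thing that distinguishes the two is comparing the fingerprint against a value obtained from GitHub directly, not from the SSH session itself.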
