GitHub has rotated its private SSH key for GitHub.com after the secret was accidentally published in a public GitHub repository.
The software development and version control service says the private RSA key was only “briefly” exposed but that it took action out of “an abundance of caution.”
The unclear window of exposure
In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for GitHub.com had been ephemerally exposed in a public GitHub repository.
“We immediately acted to contain the exposure and began investigating to understand the root cause and impact,” writes Mike Hanley, GitHub’s Chief Security Officer and SVP of Engineering.
“We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change.”
The timing of the discovery is interesting—just weeks after GitHub rolled out secrets scanning for all public repos.
GitHub.com’s latest public key fingerprints are shown below. These can be used to validate that your SSH connection to GitHub’s servers is indeed secure.
As some may notice, only GitHub.com’s RSA SSH key has been impacted and replaced. No change is required for ECDSA or Ed25519 users.
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s (RSA)
SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA – deprecated)
SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM (ECDSA)
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (Ed25519)
“Please note that this issue was not the result of a compromise of any GitHub systems or customer information,” says GitHub.
“Instead, the exposure was the result of what we believe to be an inadvertent publishing of private information.”
The blog post, however, does not answer when exactly the key was exposed and for how long, making the timeline of exposure a bit murky. Such timestamps can typically be ascertained from security logs—should these be available, and Git commit history.
GitHub further states it has “no reason to believe” that the exposed key was abused and rotated the key “out of an abundance of caution.”
But, rotating a private key once it has been leaked, no matter how ‘briefly,’ is anyway a necessary step to protect users from adversaries who could potentially impersonate your server or eavesdrop on a user’s connection.
The exposed RSA key in question does not grant access to GitHub’s infrastructure or customer data, Hanley has clarified.
“This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.”
Double-check that fingerprint
Although GitHub has changed the private SSH keys, multiple docs and software projects, including those by GitHub, continue to use the SSH fingerprint of its now-revoked key:
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
As such, users should update their ~/.ssh/known_hosts file with GitHub’s new key fingerprint; otherwise, they may see security warnings when making SSH connections. When receiving such warnings, users should ensure the fingerprint seen on their screen matches the one for GitHub.com’s latest key.
As of last year, GitHub’s up-to-date SSH host keys are also published to its API metadata endpoint.