GitHub glitch: Private SSH host key was publicly visible

The operators of the GitHub version control platform have replaced the platform's RSA SSH host key because the corresponding private key had briefly appeared in a public repository. The incident only affects users whose Git operations run over SSH (Secure Shell) and whose clients verify the server with the RSA host key, but it also shows that the operators themselves can make the kind of mistake they warn their customers about.

According to GitHub, the company discovered that the private RSA SSH host key had briefly been exposed in a public GitHub repository. According to the blog post, it was not an external attack, and no customer data was accessed. GitHub says it has no reason to believe that anyone has misused the exposed key.

The operators of the platform suspect that the key was published by accident. Unfortunately, it happens again and again that private keys, plaintext passwords or other credentials end up in repositories. This has prompted both GitHub and GitLab to implement safeguards. GitHub first introduced secret scanning, which detects such credentials, for private repositories in early 2021. The function is now also available for public repositories.

Earlier this year, the AI code assistant Copilot received a filter designed to recognize hard-coded credentials. Competitor GitLab has been offering its Secret Detection function since early 2019; it was initially limited to the most expensive Ultimate tier and is now also included, with a smaller range of functions, in the free version. GitHub regularly raises the issue of security and recently launched the Secure Code Game, which is intended to help developers produce fewer vulnerabilities.

Most GitHub users are unlikely to notice the key change. Only clients that authenticate GitHub's server with the RSA host key are affected: this is the key the server presents to identify itself, not the user's own key pair, so users' own SSH keys (whether RSA, ECDSA or Ed25519) remain valid and do not need to be changed. GitHub's ECDSA and Ed25519 host keys were not exposed, so clients that had pinned one of those see no change.

Anyone who gets the following error message when connecting via SSH

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.

must first remove the old RSA host key with ssh-keygen -R github.com (note that this deletes every known_hosts entry for github.com, including ECDSA and Ed25519 ones, which are added again, after a confirmation prompt, on the next connection) and then either add the new key manually to the ~/.ssh/known_hosts file or download it from the GitHub API via curl:

curl -L  | jq -r '.ssh_keys \
| .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts

For security reasons, even those who do not use RSA or have not yet received the error message should remove the old RSA host key from known_hosts: the private half of that key has been exposed, so a man-in-the-middle who obtained it could impersonate github.com to any client that still trusts the old entry.

According to GitHub, the fingerprint of the new key is:

SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s

Before trusting a newly added entry, compare its fingerprint with this published value; ssh-keygen -l -F github.com prints the fingerprints of the entries stored in known_hosts. This is the same check ssh performs interactively: the warning above shows the fingerprint of the key the remote host presented, and only if it matches the published one is the new key actually GitHub's.
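The following script is an added example, not code from the article or from GitHub. It reproduces the manual procedure above (ssh-keygen -R followed by appending the new line) in Python, but goes one step further: it refuses to write a key whose OpenSSH SHA256 fingerprint does not match the value published out of band, it recognises hashed known_hosts entries (the |1|salt|hmac form written when HashKnownHosts is on), and it can remove only the RSA entry so that pinned ECDSA or Ed25519 keys survive. The key blobs, the salt and the known_hosts contents are constructed placeholders, not real keys, which is why the placeholder key is correctly rejected against GitHub's real fingerprint in the first step of the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Fingerprint GitHub published for its new RSA host key (quoted in the article).
GITHUB_RSA_FINGERPRINT = "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"


def fingerprint(key_line: str) -> str:
    """OpenSSH-style fingerprint of a public key line ("ssh-rsa AAAA..." or
    "host ssh-rsa AAAA..."), as `ssh-keygen -lf` prints it: SHA256 over the
    base64-decoded key blob, encoded as base64 without '=' padding."""
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no key type field in line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Host field OpenSSH writes with HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def matches_host(host_field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) names `host`.
    Non-standard ports ("[host]:port") are not handled in this example."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return host in host_field.split(",")


def remove_host(known_hosts: str, host: str, key_type: Optional[str] = None) -> str:
    """Drop entries for `host` (what `ssh-keygen -R host` does for all types);
    with `key_type` set, only that type is dropped so other pins survive."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or line.startswith("#"):
            kept.append(line)
            continue
        marker = fields[0].startswith("@")        # e.g. "@cert-authority host type blob"
        host_field, type_field = (fields[1], fields[2]) if marker else (fields[0], fields[1])
        if matches_host(host_field, host) and (key_type is None or type_field == key_type):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


def install_host_key(known_hosts: str, host: str, key_line: str, expected_fp: str) -> str:
    """Replace the host's entry of the same key type with `key_line`, but only if its
    fingerprint equals the one published out of band; otherwise refuse."""
    fp = fingerprint(key_line)
    if not hmac.compare_digest(fp, expected_fp):
        raise ValueError("fingerprint mismatch: got %s, expected %s" % (fp, expected_fp))
    key_type = key_line.split()[0]
    return remove_host(known_hosts, host, key_type) + "%s %s\n" % (host, key_line)


# Constructed sample data (placeholder blobs, not real keys): a plain RSA entry for
# github.com, a hashed Ed25519 entry for github.com, and an unrelated host.
SAMPLE_SALT = b"0123456789abcdefghij"  # 20 bytes, the size OpenSSH uses
OLD_RSA_BLOB = base64.b64encode(b"old-rsa-key-blob-placeholder").decode()
NEW_RSA_BLOB = base64.b64encode(b"new-rsa-key-blob-placeholder").decode()
NEW_RSA_LINE = "ssh-rsa " + NEW_RSA_BLOB
SAMPLE_KNOWN_HOSTS = (
    "github.com ssh-rsa %s\n" % OLD_RSA_BLOB
    + "%s ssh-ed25519 %s\n" % (hashed_hostname("github.com", SAMPLE_SALT),
                               base64.b64encode(b"ed25519-placeholder").decode())
    + "example.org ssh-rsa %s\n" % base64.b64encode(b"other-host-key").decode()
)

if __name__ == "__main__":
    # 1. The placeholder key does not carry GitHub's published fingerprint: refused.
    try:
        install_host_key(SAMPLE_KNOWN_HOSTS, "github.com", NEW_RSA_LINE, GITHUB_RSA_FINGERPRINT)
    except ValueError as err:
        print("rejected:", err)
    # 2. With the fingerprint the placeholder key really has (taken from the key itself
    #    only because it is a placeholder), the RSA entry is swapped and the hashed
    #    Ed25519 entry is left untouched.
    print(install_host_key(SAMPLE_KNOWN_HOSTS, "github.com", NEW_RSA_LINE, fingerprint(NEW_RSA_LINE)))
```

In real use the expected fingerprint comes from GitHub's blog post or documentation, never from the key that was just fetched, and the new line is appended to the real ~/.ssh/known_hosts rather than returned as a string.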

In addition to users who connect to GitHub over SSH with the RSA host key, GitHub Actions workflows that reach GitHub over SSH with a pinned RSA host key can also be affected and need the same known_hosts update.

More information about the incident and the countermeasures can be found in the post on the GitHub blog, which, however, gives no details about when and for how long the private key was publicly visible.


(rm)
