The repository hosting service GitHub has announced it is replacing its existing RSA SSH host key with a new one as a precautionary measure after discovering the key was momentarily exposed in a public repository.
“We immediately acted to contain the exposure and began investigating to understand the root cause and impact,” GitHub wrote in an article published on its site earlier today. “We have now completed the key replacement, and users will see the change propagate over the next thirty minutes.”
The company explained the change was made to protect users’ Git operations over SSH: anyone holding the private half of a host key can present it to SSH clients that already trust that key, impersonating GitHub or sitting in the middle of the connection to read or alter what passes over it. At the same time, GitHub clarified the move did not stem from a compromise of its systems or of customer information.
“Instead, the exposure was the result of what we believe to be an inadvertent publishing of private information,” wrote GitHub CSO, Mike Hanley. “We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution.”
An SSH host key is the key pair a server uses to prove its identity to connecting clients. The client compares the server’s public key against the copy it recorded earlier (typically in its known_hosts file) and refuses, or warns loudly, on a mismatch; this is what stops a man-in-the-middle from substituting a server of their own. The key exchange that follows then protects the confidentiality and integrity of the session, but only if the client was talking to the genuine server in the first place, which is why a leaked private host key matters even though it grants no access by itself.
“This key does not grant access to GitHub’s infrastructure or customer data,” said Hanley. “This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.”
Further, the company added that only GitHub.com’s RSA SSH host key was replaced; clients that already trust GitHub’s ECDSA or Ed25519 host keys need no change. Clients that have the old RSA key pinned in known_hosts will see OpenSSH’s host-key-mismatch warning on their next connection until the stale entry is removed and the new key is recorded, which should be done after checking its fingerprint against the one GitHub publishes over HTTPS rather than by blindly accepting whatever the server presents.
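The steps a client actually has to take after a host key rotation, as an added example that is not part of the original article and is not GitHub’s or OpenSSH’s own code: drop only the stale RSA entries for the host from a known_hosts file (including hashed entries written under `HashKnownHosts yes`, which a plain text search would miss), while leaving the ECDSA and Ed25519 entries alone, and compute the `SHA256:` fingerprint of a public key line the way `ssh-keygen -lf` does so it can be compared with a published value. The known_hosts content, the IP address 192.0.2.10 and the key blobs are all constructed placeholders with dummy key material; no real GitHub key or fingerprint appears here, and the `expected` fingerprint is a parameter the caller supplies from GitHub’s documentation.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _fake_blob(key_type: str, length: int) -> str:
    # Constructed placeholder blob (type string + zeroed material); enough to
    # exercise parsing and fingerprinting, not a loadable key.
    blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x00" * length)
    return base64.b64encode(blob).decode()


def build_sample_known_hosts() -> str:
    """Constructed sample known_hosts text (not a real file, not real GitHub keys)."""
    rsa = _fake_blob("ssh-rsa", 256)
    ed = _fake_blob("ssh-ed25519", 32)
    ecdsa = _fake_blob("ecdsa-sha2-nistp256", 65)
    # Hashed form as written by HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))
    salt = b"\x01" * 20
    mac = hmac.new(salt, b"github.com", hashlib.sha1).digest()
    hashed = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "\n".join([
        "# constructed sample, not a real known_hosts file",
        "github.com,192.0.2.10 ssh-rsa %s" % rsa,
        "github.com ssh-ed25519 %s" % ed,
        "github.com ecdsa-sha2-nistp256 %s" % ecdsa,
        "%s ssh-rsa %s" % (hashed, rsa),
        "gitlab.example.com ssh-rsa %s" % rsa,
    ]) + "\n"


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain list or |1| hashed form) names hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    # Plain entries may list several names/addresses separated by commas.
    # Exact-name match only; wildcard patterns and [host]:port are not handled here.
    return hostname in host_field.split(",")


def remove_host_key(known_hosts: str, hostname: str, key_type: str):
    """Return (new_text, removed_count) with only hostname's key_type entries dropped.

    Narrower than `ssh-keygen -R host`, which removes every key type for the host.
    """
    kept, removed = [], 0
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            kept.append(raw)
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]  # skip @cert-authority / @revoked marker
        if len(fields) >= 3 and fields[1] == key_type and host_matches(fields[0], hostname):
            removed += 1
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n", removed


def sha256_fingerprint(key_b64: str) -> str:
    """Fingerprint in the form ssh-keygen -lf prints: SHA256:<base64 digest, no padding>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_fingerprint(key_b64: str, expected: str) -> bool:
    """Compare a key's fingerprint with the value published out of band (assumed input)."""
    return hmac.compare_digest(sha256_fingerprint(key_b64), expected)


if __name__ == "__main__":
    text = build_sample_known_hosts()
    new_text, n = remove_host_key(text, "github.com", "ssh-rsa")
    print("removed %d stale ssh-rsa entries for github.com" % n)
    print(new_text)
    print(sha256_fingerprint(_fake_blob("ssh-ed25519", 32)))
```

In practice the equivalent of `remove_host_key` is `ssh-keygen -R github.com`, which strips every key type for the host (hashed entries included), after which the next connection offers the new key; the fingerprint it shows should be checked against GitHub’s published list before typing yes, since `ssh-keyscan` or an interactive prompt only tells you what the server on the wire claims to be, which is exactly what a stolen host key lets an attacker control.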
The replacement of the GitHub RSA SSH host key comes a couple of months after the company confirmed threat actors stole three digital certificates used for its Desktop and Atom applications.
Editorial image credit: Poetra.RH / Shutterstock.com