GitHub Proactively Replaces Exposed RSA SSH Host Key to Safeguard Git Operations

GitHub swiftly replaced its RSA SSH host key today after discovering it was briefly exposed in a public repository. Fear not, as the key switch doesn’t affect GitHub’s infrastructure or customer data, and only impacts Git operations over SSH using RSA. HTTPS Git operations and web traffic remain unaffected.

The exposure wasn’t due to a compromise but rather an inadvertent publishing of private information. GitHub took action out of caution, and there’s no evidence of the exposed key being misused.

If you’re using ECDSA or Ed25519 keys, no action is needed. However, if you encounter a warning message while connecting to GitHub.com via SSH, follow the provided steps to remove the old key and add the new one. GitHub Actions users should take note of potential failed workflow runs and update their workflows accordingly.

For further details, consult GitHub’s official documentation on SSH public key fingerprints.
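
To find out which machines still pin a replaced RSA host key, the following added example (not GitHub's code) scans `known_hosts` content for `ssh-rsa` entries for `github.com`, including hashed host fields, whose fingerprint differs from the trusted one. The function names are hypothetical, and the key blobs and `TRUSTED_FP` are constructed placeholders: pin the fingerprint published in GitHub's documentation instead.

```python
import base64, hashlib, hmac

def b64(raw):
    return base64.b64encode(raw).decode()

def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    return "SHA256:" + b64(hashlib.sha256(base64.b64decode(key_b64)).digest()).rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field, plain or hashed (|1|salt|HMAC-SHA1)."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")  # wildcard/negated patterns are not handled

def stale_rsa_entries(text, host, trusted_fp):
    """Return [(line_no, fingerprint)] for ssh-rsa entries of host that differ from trusted_fp."""
    stale = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts and parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or parts[0].startswith("#") or parts[1] != "ssh-rsa":
            continue
        if host_matches(parts[0], host) and fingerprint(parts[2]) != trusted_fp:
            stale.append((n, fingerprint(parts[2])))
    return stale

# Constructed sample data: these blobs are stand-ins, not real host keys.
OLD_KEY, NEW_KEY = b64(b"constructed old rsa blob"), b64(b"constructed new rsa blob")
SALT = b"constructed-salt-20b"
HASHED_HOST = "|1|%s|%s" % (b64(SALT), b64(hmac.new(SALT, b"github.com", hashlib.sha1).digest()))
TRUSTED_FP = fingerprint(NEW_KEY)  # placeholder: pin the value from GitHub's documentation
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "github.com ssh-rsa " + OLD_KEY,
    "github.com ssh-ed25519 " + b64(b"constructed ed25519 blob"),
    HASHED_HOST + " ssh-rsa " + OLD_KEY,
    "github.com,192.0.2.10 ssh-rsa " + NEW_KEY,
    "example.org ssh-rsa " + OLD_KEY,
])

if __name__ == "__main__":
    for line_no, fp in stale_rsa_entries(SAMPLE, "github.com", TRUSTED_FP):
        print("line %d: stale RSA host key %s" % (line_no, fp))
```

Entries it reports can be cleared with `ssh-keygen -R github.com` before the current key is added.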