GitHub Publishes RSA SSH Host Keys by Mistake, Issues Update
upstart writes:
GitHub publishes RSA SSH host keys by mistake, issues update:
GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops.
A post on Github's security blog reveals that the company has changed its RSA SSH host keys. This is going to cause connection errors, and some frightening warning messages, for a lot of developers, but it's all right: it's not scary cracker activity, just plain old human error.
Microsoft subsidiary GitHub is the largest source code shack in the world, with an estimated 100 million active users. So this is going to inconvenience a lot of people. It's not the end of the world: if you normally push and pull to GitHub via SSH - which most people do - then you will have to delete your local GitHub SSH key, and fetch new ones.
As the blog post describes, the first symptom is an alarming warning message[.]
For almost everyone, this warning is spurious. It's not that you're being attacked - although that is always a remote (ha ha, only serious) possibility - it's that GitHub revoked its old keys and published new ones. Hanlon's Razor applies, as it most often does:
Never attribute to malice that which can be adequately explained by stupidity. (The word stupidity is often replaced with incompetence, but then, one does tend to lead to the other.)
This time, the reason was - as usual - plain old human error. Someone published GitHub's private RSA keys in a repository on GitHub itself. If you're unclear how SSH encryption works, about public versus private keys, or the different cryptographic algorithms SSH uses, there are many good explanations out there.
Read more of this story at SoylentNews.
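The fix the story describes (drop the stale GitHub host-key entry, then trust the new one) is what `ssh-keygen -R github.com` followed by a fresh connection does, but the part that matters is checking the new key's fingerprint against the one GitHub publishes before accepting it, otherwise a key rotation is exactly the moment a spoofed host would go unnoticed. The following is an added example, not code from GitHub, The Register or SoylentNews, showing what such a rotation does to a `known_hosts` file: it matches plain, comma-separated, port-qualified and hashed (`|1|salt|hash`) host entries, removes only the old entries of the rotated key type, computes the OpenSSH-style `SHA256:` fingerprint of the replacement key, and refuses the replacement if that fingerprint differs from the published one. The key blobs, salt, IP address and "published" fingerprint are all constructed placeholders; the real fingerprints live on GitHub's own documentation page.

```python
"""Rotate one host's entry in an OpenSSH known_hosts file, accepting the
replacement key only if its fingerprint matches the one published out of band.

Added example for illustration; not GitHub's, The Register's or SoylentNews'
code. All keys, salts, addresses and fingerprints below are constructed.
"""
import base64
import hashlib
import hmac


def hash_hostname(salt: bytes, host: str) -> str:
    """Build the `|1|salt|hash` field OpenSSH writes with `HashKnownHosts yes`.
    hash = HMAC-SHA1(key=salt, msg=hostname), both parts base64-encoded."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def entry_matches_host(hostfield: str, host: str) -> bool:
    """True if a known_hosts host field refers to `host`. Handles plain names,
    comma-separated name/IP lists, [host]:port forms and hashed entries."""
    if hostfield.startswith("|1|"):
        parts = hostfield.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(parts[3]))
    for name in hostfield.split(","):
        if name == host or name.startswith("[%s]:" % host):
            return True
    return False


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of sha256(raw key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rotate_host_key(known_hosts: str, host: str, keytype: str,
                    new_key_b64: str, published_fingerprint: str) -> str:
    """Remove every entry for `host` of type `keytype`, then append the new key.
    The new key is rejected unless its fingerprint equals the published one.
    Entries of other key types (e.g. ssh-ed25519) for the host are untouched."""
    if sha256_fingerprint(new_key_b64) != published_fingerprint:
        raise ValueError("fingerprint mismatch: refusing new %s key for %s"
                         % (keytype, host))
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Keep blanks, comments and @cert-authority / @revoked marker lines as-is.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            kept.append(line)
            continue
        if entry_matches_host(fields[0], host) and fields[1] == keytype:
            continue  # stale entry for this host and key type: drop it
        kept.append(line)
    kept.append("%s %s %s" % (host, keytype, new_key_b64))
    return "\n".join(kept) + "\n"


# Constructed sample data (not real GitHub keys; 203.0.113.7 is a documentation address).
OLD_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 32).decode()
NEW_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x02" * 32).decode()
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "github.com,203.0.113.7 ssh-rsa " + OLD_KEY,
    "github.com ssh-ed25519 " + base64.b64encode(b"ed25519-blob").decode(),
    hash_hostname(SALT, "github.com") + " ssh-rsa " + OLD_KEY,
    "[gitlab.example]:2222 ssh-rsa " + OLD_KEY,
])
# Stand-in for the fingerprint you would copy from GitHub's documentation page.
PUBLISHED_FINGERPRINT = sha256_fingerprint(NEW_KEY)

if __name__ == "__main__":
    print("new key fingerprint:", PUBLISHED_FINGERPRINT)
    print(rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", "ssh-rsa",
                          NEW_KEY, PUBLISHED_FINGERPRINT))
    try:
        rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", "ssh-rsa",
                        NEW_KEY, "SHA256:not-the-published-value")
    except ValueError as err:
        print("rejected:", err)
```

The hashed-entry branch is why a plain `grep github.com ~/.ssh/known_hosts` can miss stale entries on machines with `HashKnownHosts yes`; the HMAC check is what `ssh-keygen -R` does internally. Only the `ssh-rsa` lines are removed, so a host's other key types (GitHub's ED25519 and ECDSA keys were not rotated) stay trusted.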