GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops.
A post on GitHub's security blog reveals that the biz has changed its RSA SSH host keys. This is going to cause connection errors, and some frightening warning messages, for a lot of developers, but it's all right: it's not scary hackk0r activity, just plain old human error.
Microsoft subsidiary GitHub is the largest source code shack in the world, with an estimated 100 million active users. So this is going to trip up a lot of people. It's not the end of the world: if you normally push and pull to GitHub via SSH – which most people do – then you will have to delete the GitHub SSH host key stored on your machine, and fetch the new one.
As the blog post describes, the first symptom is an alarming warning message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
For almost everyone, this warning is spurious. It's not that you're being attacked – although that is always a remote (ha ha, only serious) possibility – it's that GitHub revoked its old keys and published new ones.
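The delete-and-refetch step described above, as an added shell example (not from GitHub's post or this article): it replaces a stale known_hosts entry only when the candidate key's SHA256 fingerprint matches a value obtained out of band, so the warning is cleared without trusting whatever key the network happens to present. The function names, their arguments and the candidate key file are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Function names and arguments are hypothetical.

# Print the SHA256 fingerprint ("SHA256:...") of a public key file.
key_fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null | awk '{print $2}'
}

# replace_host_key HOST NEW_KEY_FILE EXPECTED_FP KNOWN_HOSTS
#   NEW_KEY_FILE : candidate host key, one "type base64 [comment]" line
#   EXPECTED_FP  : fingerprint published by the service, obtained out of band
# Returns 1 and leaves KNOWN_HOSTS untouched if the fingerprints differ.
replace_host_key() {
    local host="$1" keyfile="$2" expected="$3" known_hosts="$4" actual
    actual=$(key_fingerprint "$keyfile")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to trust key for $host: '$actual' != '$expected'" >&2
        return 1
    fi
    # ssh-keygen -R removes every entry for the host, including hashed ones,
    # and keeps the previous file as KNOWN_HOSTS.old.
    if [ -f "$known_hosts" ]; then
        ssh-keygen -R "$host" -f "$known_hosts" >/dev/null 2>&1 || return 2
    fi
    # Append only the key type and blob; the comment field is not needed.
    printf '%s %s\n' "$host" "$(cut -d' ' -f1,2 "$keyfile")" >> "$known_hosts"
}

# Typical call (placeholder fingerprint, not a real value):
# replace_host_key github.com ./candidate_rsa.pub \
#     'SHA256:<published-fingerprint>' ~/.ssh/known_hosts
```

Because `ssh-keygen -R` drops all key types recorded for the host, any other host keys for it have to be re-added the same way.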