GitHub Warning: Remote Host Identification Has Changed! · Dark Matter Industries

GitHub Warning: Remote Host Identification Has Changed!

If you received the following while trying to ssh into your GitHub repo (as I did), don’t panic!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in /Users/<user>/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/<user>/.ssh/known_hosts:13
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

It looks scary, doesn’t it?

Here’s what happened: GitHub discovered that its RSA SSH private key was briefly exposed in a public GitHub repo. So yesterday (at 05:00 UTC 24th March 2023) it changed its RSA SSH host key.

The instructions on how to update your local .ssh/known_hosts are in the link above. The easiest method is to remove the old key with:

% ssh-keygen -R github.com

When you attempt to ssh in again, you will get the usual first-time-handshake message that the key is not known, followed by “are you sure you want to continue?”. Check that the fingerprint shown in that prompt matches the one GitHub has published, then reply “Yes” to add the new RSA SSH key.

Or you could automatically update it after the removal command above with:

% curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts

Note: you should copy the command from the link I provided above rather than my example for hygiene.
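The curl pipeline above appends whatever the API returns straight into known_hosts. As an added example (not from the original post or from GitHub), this Python sketch computes each key's SHA256 fingerprint in the same form ssh prints it and emits known_hosts lines only when every key matches a pinned fingerprint. The key blobs, the `PINNED` set and the function names are constructed for the demo; real pins would be the fingerprints GitHub publishes.

```python
import base64
import binascii
import hashlib
import json
import struct


def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64-blob>' key line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob>'")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob starts with a length-prefixed type name; it must match field 1.
    if blob[4:4 + int.from_bytes(blob[:4], "big")] != fields[0].encode():
        raise ValueError("declared key type does not match the blob")
    digest = hashlib.sha256(blob).digest()
    # ssh prints the digest as base64 without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_known_hosts(meta_json, pinned, host="github.com"):
    """Return known_hosts lines, refusing the whole batch on any unpinned key."""
    lines = []
    for key_line in json.loads(meta_json)["ssh_keys"]:
        fp = fingerprint(key_line)
        if fp not in pinned:
            raise ValueError(f"unpinned host key {fp}; nothing was added")
        lines.append(f"{host} {key_line}")
    return lines


def _sample_key(fill: int) -> str:
    # Constructed ed25519-shaped blob for the demo, not a real GitHub key.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


GOOD, TAMPERED = _sample_key(1), _sample_key(2)
# Assumption: in real use the pins are fingerprints copied from GitHub's documentation.
PINNED = {fingerprint(GOOD)}

if __name__ == "__main__":
    print("\n".join(verified_known_hosts(json.dumps({"ssh_keys": [GOOD]}), PINNED)))
```

Because the function raises before returning anything, a single unexpected key in the response means nothing is written to known_hosts.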