[GRASS-dev] Fwd: [PROJ] GitHub changed their RSA SSH host key

Markus Neteler neteler at osgeo.org
Sun Mar 26 08:18:49 PDT 2023


FYI - if you try to push to GitHub and see something like

git push origin citation_cff
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
...

you need to do

ssh-keygen -R github.com

git push ... again

Next make sure (!) that the new fingerprint in the message matches one
of the three from
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

If so, confirm the prompt with "yes" and you are settled.

Markus
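
The fingerprint comparison described above can also be done before anything is written to known_hosts. The following is an added example, not part of the original message and not GitHub's tooling: it takes `ssh-keyscan`-style lines, recomputes each key's SHA256 fingerprint and accepts only keys whose fingerprint is in a pinned set. The key blobs and the pinned set are constructed stand-ins; in real use the pinned set holds the fingerprints copied from the GitHub docs page linked above.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def embedded_type(key_b64):
    """Key type name stored at the start of the SSH wire-format blob."""
    blob = base64.b64decode(key_b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", "replace")


def check_scan(scan_output, host, pinned):
    """Sort 'host keytype base64' lines for host into (accepted, rejected)."""
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or host not in fields[0].split(","):
            continue  # comments, blank lines, other hosts
        keytype, key_b64 = fields[1], fields[2]
        try:
            if embedded_type(key_b64) != keytype:
                raise ValueError("declared type differs from blob")
            fp = fingerprint(key_b64)
        except (ValueError, struct.error) as exc:
            rejected.append((keytype, str(exc)))  # malformed or mislabeled key
            continue
        if fp in pinned:
            accepted.append(f"{host} {keytype} {key_b64}")
        else:
            rejected.append((keytype, fp))  # unknown key: do not trust it
    return accepted, rejected


def sample_key(keytype, seed):
    """Constructed stand-in key blob (not a real host key)."""
    name = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes([seed]) * 32).decode()


GOOD, ROGUE, MISLABELED = sample_key("ssh-ed25519", 1), sample_key("ssh-ed25519", 2), sample_key("ssh-rsa", 3)
SAMPLE_SCAN = (f"# github.com:22 SSH-2.0-constructed\ngithub.com ssh-ed25519 {GOOD}\n"
               f"github.com ssh-ed25519 {ROGUE}\ngithub.com ecdsa-sha2-nistp256 {MISLABELED}\n")
PINNED = {fingerprint(GOOD)}  # real use: the fingerprints copied from GitHub's docs page

if __name__ == "__main__":
    print(check_scan(SAMPLE_SCAN, "github.com", PINNED))
```

Only the lines in `accepted` are candidates for known_hosts; anything in `rejected` means the scanned key does not match a pinned fingerprint and should be investigated rather than confirmed.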

---------- Forwarded message ---------
From: Laurențiu Nicola via PROJ <proj at lists.osgeo.org>
Date: Fri, Mar 24, 2023 at 11:10 AM
Subject: Re: [PROJ] GitHub changed their RSA SSH host key
To: <proj at lists.osgeo.org>


Hi,

I believe not, but existing contributors to repositories on GitHub who
use SSH might get a warning when trying to push or pull from the
remote.

The correct action is to run ssh-keygen -R github.com, then try again
and confirm the prompt after making sure that the new fingerprint
matches one of the three from
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints.

Laurentiu

On Fri, Mar 24, 2023, at 12:01, Javier Jimenez Shaw wrote:

Hi

In case you use GitHub (for PROJ or anything else) this may be
interesting for you:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

First paragraph:

At approximately 05:00 UTC on March 24, out of an abundance of
caution, we replaced our RSA SSH host key used to secure Git
operations for GitHub.com. We did this to protect our users from any
chance of an adversary impersonating GitHub or eavesdropping on their
Git operations over SSH. This key does not grant access to GitHub’s
infrastructure or customer data. This change only impacts Git
operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git
operations are not affected.

Is there action needed in OSGeo repos?

Cheers,
Javier.

.___ ._ ..._ .. . ._.  .___ .. __ . _. . __..  ... .... ._ .__