Search code examples
gitgithubsshssh-keys

Why are connections to GitHub over SSH throwing an error "Warning: Remote Host Identification Has Changed"?


Just sometime ago I started getting this warning when pushing to GitHub.

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

Is this normal and how do I resolve it?


Solution

  • This happened because on the 24th of March 2023, GitHub updated their RSA SSH host key used to secure Git operations for GitHub.com because the private key was briefly exposed in a public GitHub repository. You will get that message if you had remembered GitHub’s previous key fingerprint in your SSH client before that date.

    As per per the linked blog post, the solution is to remove the old key by running this command:

    $ ssh-keygen -R github.com
    

    Now the next git connection (pull, push or clone) should ask if you trust the new SSH key. Before entering yes, ensure the shown new key is valid, using the list:

    https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

    Refer to the blog post for other ways to fix the issue.