[dlgeek]

If an attacker has access to the private key, they could use the Host-key rotation feature to migrate you to an attacker-controlled key instead, as the old key is trusted. So, GitHub needs everyone to forcibly untrust the old (exposed) key.

[pquerna]

Yeah, but... shouldn't Github of rotated their keys over the last decade?

I mean it seems like its clearly a key that wasn't in an HSM.. and over the lifetime, hundreds? Thousands of Github employees could of accessed it?

[kelnos]

The problem with rotating this particular private key is that it's incredibly disruptive. Everyone who uses GH will see a big scary message from ssh saying the host key changed and something malicious might be going on. A majority of those people probably won't have seen a blog post announcing the change beforehand.

Anyone who's baked the host key in the known_hosts file that gets shipped on their CI systems would start to see jobs failing, and have to manually fix it up with the new host key.

These things are just annoying enough that I think it's perfectly understandable that GH doesn't want to regularly rotate this private key.

[computerfriend]

The point of host-key rotation is that you can avoid the disruption of the former.

[p1mrx]

Congrats, you just used "would of", "should of", and "could of" in a single thread.

[rocqua]

Host-key rotation would enable the attacker to continue, but the attacker could be detected simply by diligent people monitoring the github key they use.

The current rotation allows anyone to try to fish the lazy users (like me probably) who will just trust on first use. Probably a bigger risk than key compromise, since they have logs.

It could be a better idea to use Host-key rotation, despite it making the life of a key-thief a bit easier. Just because it exposes people less against opportunistic impersonators.