Hacker News | robbat2's comments

Any chance of Canadian applicants in future?


Hello robbat2, there are some options available for folks not in the USA or Greece. We are more interested in finding the right people than in where they are located. I'd recommend you go ahead and apply. Feel free to also reach out directly at careers@tiledb.com.


1. IIRC UpdateHostKeys does not remove the old key, so it would still be there, lurking (I haven't checked the code).

2. It was only added in OpenSSH 6.8, so it missed the Ubuntu 14.04 release and only really turned up in 16.04 LTS that way; there are plenty of old systems it wouldn't work on.

As other posters noted, a bad actor could rotate the key to their chosen keys just as easily as GitHub could cause the rotation.


I just tested it and looked at the code briefly; the client fortunately does seem to remove all keys not provided by the server: https://github.com/openssh/openssh-portable/blob/36c6c3eff5e...

It seems like at least a `known_hosts` compromise would be "self-healing" after connecting to the legitimate github.com server once.


To protect yourself better against a potential MITM, mark the key as revoked. Hopefully distributions & OpenSSH upstream can start shipping this by default.

(sorry, the comments are mangling this, clean version at https://gist.github.com/robbat2/b456f09b7799f4dafe24115095b8...)

    # You might need to insert this in a slightly different place
    cat >>/etc/ssh/ssh_config <<EOF
    Host *
    RevokedHostKeys /etc/ssh/ssh_revoked_hosts
    EOF

    cat >>/etc/ssh/ssh_revoked_hosts <<EOF
    # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-k...
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
    EOF


Just in case anyone is paranoid that this comment has the right key, you can generate a fingerprint with

    $ ssh-keygen -lf github.old.pub
    2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 no comment (RSA)
and you'll notice that fingerprint is on this archived page

https://web.archive.org/web/20230320230907/https://docs.gith...

(please check my work on your own machines and don't take my attestation on faith!)


Thank you - TIL about ssh key revocation (I was aware of them, but haven't really used them).

I expanded on your gist:

https://gist.github.com/e12e/0c1868479c0b8d0a52914d44be66d76...


You can do verbatim formatting on HN by placing 4 spaces. See https://news.ycombinator.com/formatdoc

Thanks for the gist though, seems helpful!


Anyone finding the same thing I am?

RevokedHostKeys doesn't accept ~ for your home directory... while things like ControlPath will.

I'd rather confine this to my account, but I either have to use a relative path that doesn't always work... or a fully qualified path that includes my username (and may change)
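The checks discussed in this thread, as an added example that is not code from any commenter or from OpenSSH (standard-library Python, runs offline): it computes the SHA256 fingerprint that `ssh-keygen -lf` prints from the key text posted above, reports the RSA key size, and audits a known_hosts file against a RevokedHostKeys file in the plain public-key-list form used in the gist. It also recognises the `@revoked` marker that the known_hosts format itself supports (see the SSH_KNOWN_HOSTS FILE FORMAT section of sshd(8)); marking the stale line that way keeps the revocation inside ~/.ssh/known_hosts and sidesteps the RevokedHostKeys path problem raised in the last comment. The Ed25519 key and the hashed-hostname line in the sample input are constructed placeholders, not real keys or hosts.

```python
"""Offline host-key checks: fingerprints, RevokedHostKeys lists, @revoked markers.

Added example for this thread, not code from the thread or from OpenSSH.
"""
import base64
import hashlib
import struct

# Key text copied from the comment above; the fingerprint is the one the
# follow-up comment reports from ssh-keygen -lf and the archived GitHub docs.
OLD_GITHUB_RSA = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
)
DOCUMENTED_FPR = "SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"
MARKERS = ("@revoked", "@cert-authority")


def wire_strings(blob):
    """Split a public-key blob into its RFC 4251 'string' fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_pubkey(line):
    """Parse one known_hosts or public-key-list line into (marker, hosts, keytype, blob).

    known_hosts lines carry an optional @marker and a hosts field (possibly hashed,
    '|1|salt|hash'); a plain public-key list, the RevokedHostKeys format used in the
    gist above, has neither.
    """
    parts = line.split()
    marker = parts.pop(0) if parts[0] in MARKERS else None
    hosts = None
    if not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):  # not a key type: hosts field
        hosts = parts.pop(0)
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if wire_strings(blob)[0] != keytype.encode():  # blob must agree with the type field
        raise ValueError("key type does not match blob")
    return marker, hosts, keytype, blob


def fingerprint_sha256(blob):
    """SHA256 fingerprint in ssh-keygen's format: unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_bits(blob):
    """Key size as ssh-keygen -l reports it; RSA and Ed25519 only here."""
    fields = wire_strings(blob)
    if fields[0] == b"ssh-rsa":
        n = fields[2].lstrip(b"\x00")  # mpint modulus; a leading zero keeps it positive
        return (len(n) - 1) * 8 + n[0].bit_length()
    if fields[0] == b"ssh-ed25519":
        return 256
    raise NotImplementedError(fields[0].decode())


def load_revoked(text):
    """Key blobs from a RevokedHostKeys file in its plain public-key-list form."""
    return {parse_pubkey(l)[3] for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def audit_known_hosts(known_hosts, revoked):
    """(hosts, fingerprint, verdict) per entry: revoked if the key is on the
    RevokedHostKeys list or the line itself carries the @revoked marker."""
    report = []
    for line in known_hosts.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        marker, hosts, _, blob = parse_pubkey(line)
        if marker == "@revoked":
            verdict = "revoked (@revoked marker)"
        elif blob in revoked:
            verdict = "revoked (RevokedHostKeys list)"
        else:
            verdict = "ok"
        report.append((hosts, fingerprint_sha256(blob), verdict))
    return report


# Constructed sample files; the Ed25519 key is a structurally valid placeholder, not a real key.
FAKE_ED25519_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
FAKE_ED25519 = "ssh-ed25519 " + base64.b64encode(FAKE_ED25519_BLOB).decode()
SAMPLE_REVOKED_FILE = "# rotated 2023-03-24\n" + OLD_GITHUB_RSA + "\n"
SAMPLE_KNOWN_HOSTS = (
    "github.com " + OLD_GITHUB_RSA + "\n"           # stale entry, caught by the list
    "@revoked example.org " + FAKE_ED25519 + "\n"   # revoked in-line, no separate file
    "|1|c2FsdA==|aGFzaA== " + FAKE_ED25519 + "\n"   # hashed hostname, still audited
)


def audit_sample():
    return audit_known_hosts(SAMPLE_KNOWN_HOSTS, load_revoked(SAMPLE_REVOKED_FILE))


if __name__ == "__main__":
    _, _, ktype, blob = parse_pubkey(OLD_GITHUB_RSA)
    print(key_bits(blob), fingerprint_sha256(blob), ktype)  # compare with ssh-keygen -lf
    for hosts, fpr, verdict in audit_sample():
        print(f"{hosts:22} {fpr} {verdict}")
```

Run it and compare the printed fingerprint with `ssh-keygen -lf` on your own copy of the key, as the commenter above asks; a mismatch means the key text differs, since both tools hash the same decoded blob. To audit a real file, pass the contents of ~/.ssh/known_hosts and of the RevokedHostKeys file to `audit_known_hosts`.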

