Tags: github, ssh-keys, rsa-key-fingerprint

Key fingerprint mismatch on terminal and Github account


I added an SSH key to my GitHub. I run ssh -T git@github.com to check if I set it up correctly. The key fingerprint that showed up on the terminal was:

The authenticity of host 'github.com (140.82.113.3)' can't be established.
ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

The SHA256 key is different from the SSH authentication key I have added to my GitHub account. Mine is SHA256:7K+.... What does this mean? Do I have to correct anything?

I tried the following:

  • deleting my SSH key on GitHub
  • generating a new SSH key
  • adding the new SSH key to the SSH agent

Solution

  • Unlike with an HTTPS web site, most SSH servers don't have certificate authorities; instead, the first time you connect to them, you need to verify the host key they present, which verifies their identity, using an external source.

    The host key presented by the server is different from your SSH key because the host keys are owned by the server and are used to verify its identity, and your SSH key is owned by you and used to verify your identity. Typically, both are used in order to secure the connection, although sometimes only a host key is used, and a username and password (or other credentials) are used instead.

    In this case, the fingerprint you're getting is for GitHub's Ed25519 key. We can look for this information on their web site or in their API (for programmatic access), and find these values (the DSA key is omitted because it's no longer used):

    • SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s (RSA)
    • SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM (ECDSA)
    • SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (Ed25519)

    All of these are valid host keys for GitHub, and which one is used depends on the settings you have enabled. Most new versions of OpenSSH prefer the Ed25519 key, which is the one in use here. Because the fingerprint matches, you can validate that the key is correct, and it's safe to continue connecting. OpenSSH will then save that key on your system and notify you if it changes, which would indicate that either GitHub changed their key, or that an attacker was attempting to intercept your connection.

    If none of the fingerprints matched, then you'd know your connection was being intercepted, and you should refuse the connection.
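The check the answer describes, as an added example that is not part of the original answer: parse the algorithm and SHA256 fingerprint out of OpenSSH's "authenticity of host" prompt, compare it against the fingerprints GitHub publishes (the three values quoted above), and compute the SHA256 fingerprint of a public-key line the way ssh-keygen -lf does, so the key later saved in known_hosts can be re-verified. The ssh-ed25519 key line used for the fingerprint routine is a constructed, meaningless key, not GitHub's.

```python
import base64
import hashlib
import re

# Host-key fingerprints GitHub publishes (the three values quoted in the answer).
GITHUB_PUBLISHED = {
    "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s",  # RSA
    "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",  # ECDSA
    "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",  # Ed25519
}

# A SHA-256 digest is 32 bytes, which base64 encodes to 43 characters plus one '=' that OpenSSH strips.
BANNER_RE = re.compile(r"(\w+) key fingerprint is (SHA256:[A-Za-z0-9+/]{43})")


def fingerprint_from_banner(banner: str) -> tuple[str, str]:
    """Return (key type, fingerprint) from OpenSSH's 'authenticity of host' prompt."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("no SHA256 fingerprint found in banner")
    return m.group(1), m.group(2)


def host_key_trusted(fingerprint: str, published: set[str] = GITHUB_PUBLISHED) -> bool:
    """Continue connecting only if the fingerprint shown is one the server operator publishes."""
    return fingerprint in published


def fingerprint_of_pubkey(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public-key line ('<type> <base64 blob> [comment]'),
    computed as ssh-keygen -lf does: decode the blob, SHA-256 it, base64 without '=' padding."""
    blob_b64 = pubkey_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_ed25519_pubkey_line(comment: str = "constructed@example") -> str:
    """Build a syntactically valid but meaningless ssh-ed25519 public-key line (constructed
    sample input, not a real key) so fingerprint_of_pubkey can be exercised offline."""
    def ssh_string(b: bytes) -> bytes:          # SSH wire format: 4-byte big-endian length + bytes
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    banner = ("The authenticity of host 'github.com (140.82.113.3)' can't be established. "
              "ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.")
    ktype, fp = fingerprint_from_banner(banner)
    print(ktype, fp, "-> published by GitHub, safe to continue" if host_key_trusted(fp)
          else "-> not a published key, refuse the connection")
    print(fingerprint_of_pubkey(constructed_ed25519_pubkey_line()), "(constructed key)")
```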