WingNews logo WingNews
top | item 35285994

(no title)

gassius | 2 years ago

Actually I am not seeing the fingerprint they announce in the blogpost

When I tried to pull from my repo I got the warning message, right

I removed the old keys with ssh-keygen -R github.com

Then, trying with `ssh -T git@github.comp` I see this

The authenticity of host 'github.com (140.82.121.3)' can't be established. ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.

So, first thing of course, is that the fingerprint does not match the one in the blogpost which is SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s

Second problem, is that ip 140.82.121.3 seems to be reported as HIGH RISK[0]

So basically, how should I proceed? I am not security expert but I would say I am not an illiterate on this, and I have no idea. I guess the majority of users would you accept the new key, but is this the right move? I would need to do it if I want to do some work, that is for sure

EDIT: Formatting

[0]https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test...

discuss

order

nneonneo|2 years ago

You’re looking at the fingerprint of the ECDSA key; only the RSA key was replaced (and only the new RSA key’s fingerprint is in the blogpost). Check https://docs.github.com/en/authentication/keeping-your-accou... for the full list: the key you’re seeing is listed, so you should be fine.

rjmunro|2 years ago

They really should add all the keys to the blogpost so that people can check quickly that the new key is correct.

gassius|2 years ago

Thank you. It makes sense

mdrain18|2 years ago

I'm still having this problem. Here is my known_hosts file: github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=

I get this error each time I interact with Github: The authenticity of host 'github.com (140.82.112.3)' can't be established. ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.

When I type 'yes' I get this added to my host file: 楧桴扵挮浯ㄬ〴㠮⸲ㄱ⸲″捥獤ⵡ桳㉡渭獩灴㔲‶䅁䅁㉅橖䡚桎塌潎呙瑉浢穬䡤祁呎䅙䅁䥁浢穬䡤祁呎䅙䅁䉂䕂䭭䕓橎䕑穥浏歸䵚㝹灯杋䙷㥂歮㕴剙奲橍畎㕇㡎男杒㙧䱃扲㕯䅷呤礯瘶洰噋唰眲地㉚䉙⬯含潰正㵧

gassius|2 years ago

And sorry to reply to myself but this is not great at all

I manually added the new RSA SSH public key entry to my known_hosts file (like they say in the blogpost)

Then ran ssh -T git@github.com and got

Warning: Permanently added the RSA host key for IP address '140.82.121.3' to the list of known hosts. Hi gassius! You've successfully authenticated, but GitHub does not provide shell access.

Then, when trying a git pull, I got this:

Warning: the RSA host key for 'github.com' differs from the key for the IP address '140.82.121.4' Offending key for IP in ~/.ssh/known_hosts:63 Matching host key in ~/.ssh/known_hosts:64

So basically, the Offending key is the one I added manually as per blogpost?

Ok, I am in Europe, and this seems like an issue of global distribution network or something, but this is not great AT ALL, either the blogpost information is not complete or something fishy is going on

UPDATE: The replies makes clear what I was seeing those errors and make sense. Thanks

EDIT: Formatting and Acknowledge of the situation per replies