Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to verify SSH fingerprint?

How do I know the GitHub server rsa2 key fingerprint ssh-rsa 2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 matches the fingerprint they display on their website as SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA) since they don't look the same?

I'm setting up my GitHub account to use SSH to commit codes. The question comes up during first access attempt and putty want's to cache the key. From enough sources on the web I find enough to feel confident that it is in fact GitHub, but how do I personally verify it? Aware of spoofing risks etc, but that isn't the question.

I got the ssh-rsa 2048 fingerprint from putty after attempting git clone [repository ssh url] for the first time.

like image 527
Nelumbo Avatar asked Nov 23 '20 14:11

Nelumbo


People also ask

Why does SSH ask for a fingerprint?

The fingerprint is a short version of the server's public key; it is easier for you to verify than the full key. It is very hard to spoof another public key with the same fingerprint. When you connect to a machine for the first time you do not have the fingerprint in your known_hosts, so ssh has nothing to compare it to, so it asks you.

Where is SSH key fingerprint stored in Linux?

In openssh (the ssh used on most Linux systems) this fingerprint is stored in $HOME/.ssh/known_hosts . The fingerprint is a short version of the server's public key; it is easier for you to verify than the full key. It is very hard to spoof another public key with the same fingerprint.

Is SSH key and ECDSA fingerprint the same thing?

No, it's not a combination. ECDSA fingerprint is a hash (fingerprint) of a public ECDSA key. For compatibility reasons SSH servers have several keys, like: RSA, DSA, ECDSA, ED25519 (you can ls /etc/ssh/*.pubon a *nix machine to see different server's public keys).

How do I know if my SSH key is still valid?

Confirm integrity of the SSH key – if you get the same fingerprint from your private SSH key, you can be sure it’s still valid and intact Validate identity of the SSH key – same fingerprint means you’re dealing with the same key (that you or your solution trusted for specific functionality)


1 Answers

The reason you're seeing this is because you're using an old, obsolete SSH client.

The fingerprint of a key is merely the hash of the key body. Old versions of OpenSSH used MD5 for this, and the form you're using with the colons is the MD5 format. However, MD5 is so vulnerable to collisions that CMU has said that it is “unsuitable for further use.” Responsible parties have abandoned it altogether, since it has been known to be insecure since 2004. Even though the purpose for which SSH is using it is not known to be insecure, there's no longer any good reason to use MD5 for any purpose at all.

OpenSSH some time ago switched to SHA-256 for that, and at the same time, they switched to encoding the hash in Base64. At the same time, they prepended the hash algorithm to the name so it is unambiguous. SHA-256 is widely considered secure, and GitHub no longer displays MD5 fingerprints since most clients handle SHA-256.

Putty, unfortunately, is back in the early 2000s and has not moved away from MD5. GitHub still publishes the MD5 hash of its keys at https://api.github.com/meta so you can see it, but most people don't publish MD5 fingerprints anymore.

If you're on Windows, you can use the version of OpenSSH that comes with Git for Windows; otherwise, OpenSSH should already be available on most Unix system. A recent enough version will show you the SHA-256 fingerprints as normal.

like image 146
bk2204 Avatar answered Oct 11 '22 06:10

bk2204