Yesterday, I get a host key verification error when I tried to pull or push changes to our Github.com repository. The error message itself suggested how to fix it by running ssh-keygen -R github.com. Although it fixed the error, it gives me warnings later which is so annoying.
What happened?
Github recently updated their RSA SSH host key. The details and the suggested fixes are posted in their blog.
I already lost the first message but I got the similar message as the one posted in Github’s blog.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.
At first, I was able to remove the error by running the following command:
ssh-keygen -R github.com
It should somehow fix the error but then I got this annoying warning:
The authenticity of host 'github.com (20.205.243.166)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Github suggested a simple fix in their blog but I fix it in a more manual way.
Manual Fix
When you get the above prompt and accept it (type “yes”), the operation succeeds but you get some warnings about your ~/.ssh/known_hosts along with the exact lines of the questionable entries. Also, if you pull or push again, you will get the same warning/prompts over and over again. The known_hosts entries must be fixed.
What I did is simply delete those problematic lines then run git pull again. It will prompt the yes/no/fingerprint options again. This time, before we type “yes”, we need to verify the ECDSA key fingerprint first as shown in the prompt.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Compare it to the data provided by Github API meta endpoint.
Then look for the SHA256_ECDSA entry. The values should match. If it matches, you can accept it by typing “yes”.
After that, I don’t get the annoying warnings anymore.
Featured image by Christina Morillo.