Error "The authenticity of host 'github.com' can't be established. RSA key fingerprint "

Asked 8/12, 2017 at 4:51 Answered 3/5 at 7:51

I use my project at work, but I would like to work with him from home as I can log into my home machine to work with my project.

However, from home, I see the following message:

The authenticity of host 'github.com (ip)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?

How can I get past it?

Travers answered 8/12, 2017 at 4:51 Comment(2)

If you're ending up on this question in March 2023, it's likely because GitHub just updated their RSA key. Details on what to do here: github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key – Cagey 24/3, 2023 at 5:39

@TreyHunner Good point, I have updated my 2017 answer – Yammer 24/3, 2023 at 6:48

103

You should ~~simply be able to answer 'yes'~~, which will update your ~/.ssh/known_hosts file.

A better approach, to avoid any MITM (Man-In-The-Middle) attack, would be (as commented below by Mamsds) to verify GitHub's public key first (see "GitHub's SSH key fingerprints") and, if you find a match, then you can answer 'yes'.

Example:

ssh-keyscan -t ecdsa github.com 2>&1 |ssh-keygen -lf -
256 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s github.com (ECDSA)

After that, you can use a GitHub SSH URL (provided you have generated the SSH public/private keys, and registered the public one to your GitHub profile)

Note: the ssh key generation should use the base64 old PEM format (option -m PEM), rather than the new current 70 chars OpenSSH one.
See "What is the correct format for private key in Credentials":

ssh-keygen -m PEM -t rsa -P "" -f afile

That or you can switch to an HTTPS URL.

Update March 2023:

GitHub updated their RSA SSH host key

At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com.

We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA.
Web traffic to GitHub.com and HTTPS Git operations are not affected.

Only GitHub.com’s RSA SSH key was replaced. No change is required for ECDSA or Ed25519 users

If you see the following message when connecting to GitHub.com via SSH, then read onward.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Host key for github.com has changed and you have requested strict > checking.
Host key verification failed.
If you see the above message, you’ll need to remove the old key by running this command:
$ ssh-keygen -R github.com
Or manually updating your ~/.ssh/known_hosts file to remove the old entry.

Then, you can manually add the following line to add the new RSA SSH public key entry to your ~/.ssh/known_hosts file:
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
Or automatically update GitHub.com’s RSA SSH key in your ~/.ssh/known_hosts, by running the following in your terminal:
$ ssh-keygen -R github.com
$ curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts

Or, without jq, for Mac or Windows users :

curl -L https://api.github.com/meta | grep ssh-rsa | \
  awk '{print "github.com", $2}' >> ~/.ssh/known_hosts

You can verify that your hosts are connecting via our new RSA SSH key by confirming that you see the following fingerprint:
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s
GitHub Actions users may see failed workflow runs if they are using actions/checkout with the ssh-key option.
We are updating the actions/checkout action in all our supported tags, including @v2, @v3, and @main.
If you pin the action to a commit SHA and use the ssh-key option, you’ll need to update your workflow. You can read more about this process in our official documentation for Actions security hardening.

For more information, please visit our official documentation on GitHub’s SSH public key fingerprints.

So:

What happened and what actions have we taken?

This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.

We immediately acted to contain the exposure and began investigating to understand the root cause and impact.
We have now completed the key replacement, and users will see the change propagate over the next thirty minutes.
Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change.

Please note that this issue was not the result of a compromise of any GitHub systems or customer information.
Instead, the exposure was the result of what we believe to be an inadvertent publishing of private information. We have no reason to believe that the exposed key was abused, and took this action out of an abundance of caution.

As noted by bk2204'sanswer:

Some versions of OpenSSH include the host key for the IP address as well as for the hostname.
This is rather unhelpful, as IP addresses can change with DNS, but hostname tend to be more stable.

To remove the old key entirely:

# linux
sed -i -e '/AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31\/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi\/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==/d' ~/.ssh/known_hosts

# MacOS
sed -i '' -e '/AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31\/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi\/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==/d' ~/.ssh/known_hosts

# Windows
sed -i -e "/AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31\/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi\/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==/d" %USERPROFILE%\.ssh\known_hosts

The last command (for Windows) can be done with the %PATH% modified with:

set "GH=%ProgramFiles%\Git"
set "PATH=%GH%\bin;%GH%\cmd;%GH%\usr\bin;%GH%\mingw64\bin;%GH%\mingw64\libexec\git-core;%PATH%"

To remove any GitHub IP address from your known_hosts file, see discussion 50878:

For anyone running into repeated ECDSA host key for 'github.com' differs from the key for the IP address / Offending key for IP issues and you can't grep IPs in known_hosts because you have hashed entries, I have created a Gist listing all Github git IPv4 addresses (as of Fri Mar 24 16:33:22 UTC 2023), generated from CIDRs listed in https://api.github.com/meta:

https://gist.github.com/a-abella/fb31a028943b804e8ada6cda4efbe9b6

You can loop over these and feed them to ssh-keygen -R.
A script with optional known_hosts file path argument is available here: https://gist.github.com/a-abella/9d6c91a56a892e4c74933d17d380aa01. The only dependency is curl.

If you want a one-liner (though the standard you-shouldn't-pipe-scripts-from-the-internet warnings apply):
curl -s https://gist.githubusercontent.com/a-abella/9d6c91a56a892e4c74933d17d380aa01/raw/0bcaef131f94e4938cb659d744c3019fd814643e/strip_github.sh | bash -s -- $HOME/.ssh/known_hosts

Yammer answered 8/12, 2017 at 5:31 Comment(6)

I think you should add a caveat about MITM attacks if you simply answer yes. A better approach should be verifying Github's public key first (from here:

https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

) and if you find a match then you can answer yes. – Groundling 25/5, 2021 at 13:27

@Mamsds Very good point, thank you. I have included your comment in the answer for more visibility. – Yammer 25/5, 2021 at 13:41

Ok so... npm install is showing me a ECDSA key fingerprint in the format xx:xx:xx... but the above link gives me a different format, so I can't tell if it's a match or not! – Substage 20/4, 2022 at 19:52

@Substage I don't use npm to get a key fingerprint though. Only ssh-keyscan -t ecdsa github.com 2>&1 |ssh-keygen -lf -. Which does return 256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA), as expected. – Yammer 20/4, 2022 at 21:4

Thank you for updating with the March 2023 note from GitHub. I was scratching my head about this until I saw your answer. – Intercommunion 25/3, 2023 at 0:50

thank you. this answer will solve all the problem github causing – Luisaluise 27/3, 2023 at 20:7

Just add Github fingerprint to known hosts this way:

mkdir -p ~/.ssh
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts

Totipalmate answered 3/10, 2021 at 13:12 Comment(1)

I had to create the folder as well mkdir ~/.ssh – Figwort 2/1, 2022 at 23:43

As you are attempting to connect to Github using SSH for the first time (no existing entry for Github in ~/.ssh/known_hosts yet), you are being asked to verify the key fingerprint of the remote host. Because, if an intruder host represents itself as a Github server, it's RSA fingerprint will be different from that of a GitHub server fingerprint.

You have two options.

You may just accept, considering you don't care about the authenticity of the remote host (Github in this case), or,
You may verify that you are actually getting connected to a Github server, by matching the RSA fingerprint you are presented to (in the prompt), with GitHub's SSH key fingerprints in base64 format.

The latter option is usually more preferable.

Herbage answered 1/10, 2018 at 2:12 Comment(1)

So why does the web page show them in base 64, but the key i'm being asked to compare from npm install is a sequence of hex digit pairs separated by colons? How am I supposed to know if they are equal? – Substage 20/4, 2022 at 19:54

Use one of the following two solutions:

1) Set up the SSH key

Follow the steps discussed on this GitHub help page.

https://help.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh

2) Clone using git with HTTPS

Type (copy/paste) the following commands in a terminal on the machine where you would like to clone the repository

git config --global url."https://github.com/".insteadOf [email protected]:
git config --global url."https://".insteadOf git://

You can revert this change using the following commands

git config --global url."[email protected]:".insteadOf https://github.com/
git config --global url."git://".insteadOf https://

Dempsey answered 15/5, 2020 at 12:34 Comment(2)

Why --global and not --local? – Enchantment 4/8, 2020 at 16:56

Also this command will not really toggle the config, but each call will append one to the config. – Enchantment 4/8, 2020 at 16:58

Try these steps:

Open Git Bash

Check for existing SSH keys:

$ ls -al ~/.ssh

If you already have them, you will see:

id_rsa.pub

id_ecdsa.pub

id_ed25519.pub

If you don't, generate one (Press Enter to accept the default file location):

$ ssh-keygen -t rsa -b 4096 -C "[email protected]"

To copy the key to clipboard:

$ clip < ~/.ssh/id_rsa.pub

Go to your account on Github/Settings/SSH and GPG keys/New SSH key

Paste your key there

Next, type:

$ git remote

If you see origin, remove it:

$ git remote remove origin

Continue with the last 2 steps provided on GitHub repo page...

$ git remote add origin [email protected]:USERNAME/REPONAME.git

$ git push -u origin master

Refresh your GitHub repo page

Voila!

Whitman answered 1/10, 2020 at 15:56 Comment(2)

To copy the key to clipboard - pbcopy < ~/.ssh/id_ed25519.pub Reference - docs.github.com/en/github/authenticating-to-github/… – Dutch 16/8, 2021 at 7:3

If you are not able to copy the key, just cat the file and copy the output. cat id_rsa.pub – Dashpot 14/3, 2023 at 5:25

1- Create SSH key

if you don't have the ssh-key create it like this:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

2- Check your SSH key

For this go to your folder ssh, example:

cd ~/.ssh

after that, run this command line : ls

if you have the files: id_rsa, id_rsa.pub so the all is good

now you need to copy your id_rsa.pub ! (⚠️ NOT the id_rsa) for this run cat id_rsa.pub and copy the result

3- Github / Gitlab

Go to your github / gitlab.
Follow the step by your hosting:

github: Click on your profile -> Settings -> SSH and GPG Keys -> New SSH key
gitlab: Click on your profile -> preferences -> SSH keys

past your id_rsa.pub that you have already copied !

4- If you have already did it and it's already not working ??

When your enter your ssh-key in github / gitlab your key have a Expiration date so you just need to change it

That it ! Have a good work 😀

Throttle answered 12/7, 2022 at 8:38 Comment(1)

This the answer. Also, if you've changed the name of your keys, just run ssh-add xxx where xxx is your new key name. – Ampere 10/11, 2022 at 12:44

This is what ended up working for me

ssh-keyscan github.com >> ~/.ssh/known_hosts

Guthry answered 24/3, 2023 at 13:46 Comment(3)

It is considered safer to query the key from api.github.com/meta, as I document in my answer. See also "Does ssh-keyscan verify the legitimacy of the host(s) it scans?". (Hint: No. No, it does not) – Yammer 24/3, 2023 at 14:59

@Yammer your approach requires the jq module however... its not a builtin in mac unfortunately – Zooplasty 27/1 at 2:44

@rv.kvetch Good point. I have edited the answer to add an alternative without jq. – Yammer 27/1 at 17:9

You just need to type yes and it will work, for more information you can refer to the Official Github documentation. This will give an output saying

Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.

Mcabee answered 20/2, 2022 at 16:2 Comment(1)

probably op needs this happening automatically – Goethite 10/1, 2023 at 3:50

When uploading your project to Github, check whether https or ssh is selected under quick setup. I accidentally selected ssh and got the same output in the terminal. By selecting https, I recreated the git remote add origin .... section.

NOTE: If you have created a remote before, you can view what you created using git remote -v or delete it using git remote remove origin.

enter image description here

Jordanson answered 3/5 at 7:51 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++