I am trying to use

sudo npm install

to install all my dependencies for an application written in nodejs. My OS is Ubuntu 13.04

However, I keep getting this warning:

The authenticity of host 'github.com (192.30.252.131)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:1d:52:13:1a:21:2d:bz:1d:66:a8.
Are you sure you want to continue connecting (yes/no)?

Has anyone encountered this warning before? Is it possible to authenticate and store the fingerprint locally? So I won't need to authenticate again when I enter sudo npm install another time.

Right now, I am unable to enter anything, not even "yes". My terminal just gets stuck; I have to press Ctrl+C to terminate.

Penny Liu
led
  • The answer by @Stéphane Gourichon is the actual correct one here, and Matt Pavelle has a good answer about what is likely to be causing you to see the issue in the first place. – UltraBob May 27 '16 at 00:09

11 Answers

Danger ahead, unless you actually don't care about secure communication with github on your local account

SSH rightly complains that it can't make sure you are indeed connecting to GitHub's server through a secure channel. That might be why GitHub is recommending HTTPS access, which works out of the box thanks to its public key infrastructure.

Now, you can have it work, but be aware that it involves caching a public key fingerprint which, if done incorrectly, provides an attacker with a permanent man-in-the-middle attack.

How to proceed safely?

Option 1 is to use an HTTPS URL instead of SSH.

Option 2 is to have SSH access work.

Okay, show me option 2

  1. Do ssh -T git@github.com but don't just type "yes".
  2. Check if the hash that is shown matches one of the hashes shown in https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints (in your question it does, and see, the page is fetched through HTTPS for the same public key infrastructure reasons).

If the hash matches, then the connection is indeed safe and you can answer "yes" to ssh's question.

Okay, I checked and typed yes, how do I know it works?

Ssh will show something like:

Warning: Permanently added the RSA host key for IP address '192.30.252.128' to the list of known hosts.

After that, you will either see a message like

Permission denied (publickey).

which is good but shows that you need further configuration, or simply

Hi yourlogin! You've successfully authenticated, but GitHub does not provide shell access.

which means that all works well and you can retry your first operation.

Notice that if you retry the same ssh command, it should no longer ask the question.

Stéphane Gourichon
  • if you get permission denied (publickey) go to https://github.com/settings/ssh and add your ssh key there – Lukas Liesis Feb 16 '16 at 09:54
  • Where do I get my ssh key so I can add it? – urig Sep 04 '16 at 08:55
  • @urig the page I mentioned (https://github.com/settings/ssh) has a link to [generate a GPG key and add it to your account](https://help.github.com/articles/generating-a-gpg-key/) – Stéphane Gourichon Sep 04 '16 at 17:01
  • What if the hash shown doesn't match with the hash in https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/ – Surya Dec 31 '18 at 06:28
  • @Surya if the hash does not match, it means that the server you're communicating with sent a different key. GitHub would probably not change keys without a salient public warning. So, the server is a different server impersonating the GitHub server. It could be an evil attacker and/or a corporate proxy. If this happened to me, I'd refuse the key, abort the connection and investigate. Did you observe that, or is it a theoretical question? – Stéphane Gourichon Jan 01 '19 at 12:25
  • I observed that, but it looks like it was a proxy configured at my office. So we informed the IT team and now things are working fine. Thanks for clarifying :D – Surya Jan 02 '19 at 06:00
  • Please use `ssh -T git@github.com` instead of `ssh github.com` if you always get `Permission denied (publickey).` – Viperet Dec 24 '19 at 10:42
  • Viperet's addition is good. `-T` just avoids an unrelated error message. Adding `git@` is not necessary to show the hash, but in most setups it is necessary to get the proper "Hi" on successful authentication; thanks @Viperet. – Stéphane Gourichon Dec 24 '19 at 23:47
  • I chose Option 1 and used this link to achieve it - using MINGW64 on Win10: https://stackoverflow.com/a/16330439/2567114 – AndruWitta Aug 29 '21 at 04:40
  • Thanks! That works for me via typing "yes". – Vittore Marcas Dec 25 '21 at 13:41
  • Today the key was updated, see https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ for the update. – Stéphane Gourichon Mar 24 '23 at 15:11
  • Thank you so much @StéphaneGourichon for posting that update on GitHub's blog. That was the issue and the fix they have given in the blog post worked perfectly. – Saurabh Misra Mar 25 '23 at 11:58

Run ssh -o StrictHostKeyChecking=no git@github.com in command prompt to add the authenticity to your known_hosts. Then you won't get the prompt the next time.

mujaffars
Kent Mewhort
  • The strict checking of host keys is for security purposes. If someone is able to spoof a DNS record for github.com (or any other host you are trying to connect to) then this warning would actually catch the spoofing. I would suggest not turning it off. – payne8 Oct 11 '15 at 01:47
  • Agreed with @payne8: *do not* disable strict host key checking, it would disable an important security warning! See the answer "[Danger ahead, unless you actually don't care about secure communication with github on your local account](http://stackoverflow.com/a/35259755/1429390)" for more. – Stéphane Gourichon May 24 '16 at 16:30

I solved my problem by running

ssh-keyscan github.com >> ~/.ssh/known_hosts

in command prompt. This command will add authenticity to your known_hosts.

Hadi Masoumi
  • Thanks! This worked for me: `sudo ssh-keyscan github.com | sudo tee -a /root/.ssh/known_hosts`. I wonder if this is the correct way to clone a private repo on a public cloud VM instance using SSH? – Sanjay George Oct 23 '22 at 16:33
  • Official GitHub [recommendation](https://github.com/orgs/community/discussions/54604#discussioncomment-5825856) is you should **NEVER** run this command since it adds keys to your `known_hosts` file without any validation. You should manually verify the key instead. *If you already ran this command, delete the entries it added to your `known_hosts` file and simply copy-paste [these ones](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints) from GitHub directly.* – solarbabies Jul 02 '23 at 16:48

Are you sure you're not accidentally logged in as a different user? (This happens to me when I sudo -s / log in as root and forget my GitHub account isn't linked to that user.)

Matt Pavelle

If you have this type of problem

The authenticity of host 'github.com (192.30.252.131)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:1d:52:13:1a:21:2d:bz:1d:66:a8.
Are you sure you want to continue connecting (yes/no)?

don't worry, follow these steps:

Step 1: yes [press enter]

then you'll get:

Please type 'yes', 'no' or the fingerprint:

Step 2: copy the fingerprint and paste it here [press enter]

initall

I landed here because I was getting this error and not understanding why. It turns out I had a typo in my npm command:

npm install -P -E @angular/common @angular/compiler @angular/core @angular/forms @angular/platform-browser @angular/router @angular/animations@ angular/platform-browser-dynamic

Notice how the end of the line reads @angular/animations@ angular/platform-browser-dynamic.

NPM interprets the last "package" as being a github repo and that is where the error comes from.

I know this does not actually answer the question but I put it up just in case anyone else encounters this by making a similar mistake.

MarioDS

Stéphane Gourichon's 2016 answer mentions:

Do ssh -T git@github.com but don't just type "yes".

Check if the hash that is shown matches one of the hashes shown in "GitHub's SSH key fingerprints".
(in your question it does, and see, the page is fetched through https for the same public key infrastructure reasons).

Another way to check, this time programmatically, if the GitHub host keys match, is to use the GitHub API (Jan. 2022):

GitHub’s SSH host keys are now published in the API

The GitHub metadata endpoint (api.github.com/meta) now contains our SSH host keys.
(We'll continue offering host key fingerprints as well.)

{
  // new entry
  "ssh_keys": [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl",
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=",
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
  ],
  // existing entry (an object keyed by algorithm, not an array)
  "ssh_key_fingerprints": {
    "SHA256_RSA": "nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8",
    "SHA256_ECDSA": "p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",
    "SHA256_ED25519": "+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"
  },
  // ... rest of payload
}

These keys are in the OpenSSH known_hosts format for easy inclusion into existing known_hosts files.

This will make it easier to preconfigure systems which expect to connect via SSH.

For example, you can prime your CI runners with these keys before starting to fetch from GitHub.

The keys returned from the API include both SSH host keys that we're actively using, plus any that we're advertising via host key rotation for future use.

Currently, we're not offering any keys via rotation that aren't actively in use, but if we announce new host keys in the future, you can find them here as well during the rotation period.

See the meta API endpoint to learn more.

VonC
2

Github just made changes to their ip address infrastructure. You can read here for more details https://github.com/blog/1606-ip-address-changes . Also, I have never seen a problem like this before. Is you package.json containing a git depency cloned via ssh?

Try echo 'yes' | sudo npm install. This may solve your problem. If it does not, try cloning via HTTPS instead or download the module as a tarball instead, which can be done like this https://api.github.com/repos/username/reponame/tarball

joshua-anderson
  • 4,458
  • 5
  • 35
  • 56
0

I was using npm ci but the package-lock.json file had a lot of git+ssh:// URLs which triggered this error message.

Bashed on the accepted answer here, I used a little sed script to replace all the ssh:// URLs with https:// URLs:

sed -i 's|git+ssh://git@github.com|https://github.com|' ./package-lock.json

I hope that may help some people in a similar situation.

This is a quick workaround. A more permanent solution would be to fix the URLs in the package.json file, in order to build an improved package-lock.json file.

joeytwiddle
  • 29,306
  • 13
  • 121
  • 110
0

Just in case you stumble upon that in IntelliJ IDEA (or any other IntelliJ product), go to Version Control > GitHub and uncheck [✓] Clone git repositories using ssh.

RiZKiT
  • 2,107
  • 28
  • 23
-4

Run ssh github.com and type yes and it should fail. Then run your command again. If not try ssh github.com again as they have multiple IP's and you might need all of them.

user71404
  • 377
  • 1
  • 3
  • 6
    This is wrong and dangerous. See @payne8's comment below. See my other answer. – Stéphane Gourichon Feb 07 '16 at 21:54
  • 1
    Agreed with @Stéphane Gourichon that doing this blindly would be dangerous, as it seems to negate the purpose of the prompt. His answer points to URL where to verify hash: https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/ (taken from his answer, which should IMO definitely be the answer and upvoted), though I admit I always wonder if someone could spoof the DNS record, could they not also spoof the verification page. –  May 21 '16 at 13:31
  • @ibgib Thanks. The verification page offers significantly better protection against spoofing (that is, unless the user ignores browser alerts, which would be similar to blindly type "yes" at the ssh key verification prompt). The verification page is secured through https and all browsers doing https properly have a list of trusted root certificates which are meant to guarantee that github server certificate is genuine (for details, including limitations, see [Public key infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure)). It's not perfect but much harder to spoof. – Stéphane Gourichon May 22 '16 at 05:15