0

When connecting to a remote server using SSH for the first time, I recieve this message:

The authenticity of host '<hostname> (<ip>)' can't be established.
RSA key fingerprint is <fingerprint>.
Are you sure you want to continue connecting (yes/no)?

For instance, when trying to connect to GitHub:

The authenticity of host 'github.com (192.30.252.128)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)?

I understand that this message is shown because I haven't visited this server before. But that it also means that the authenticity of the server can not be guaranteed, and that someone might be impersonating the server I'm trying to connect to.

What is the correct way to handle this message? Many answers on Stack Overflow simply recommend typing 'yes', or recommend disabling the check altogether, but that doesn't sound like a good idea at all. How can I be sure that I am indeed connecting to GitHub, and not to another server that's trying to steal my credentials?

Does it suffice to compare the RSA key fingerprint (16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48) to the one that is provided by GitHub? Can I be sure that the information on GitHub's site hasn't been tampered with as well?

Community
  • 1
  • 1
Nic Wortel
  • 11,155
  • 6
  • 60
  • 79

1 Answers1

1

Github (or anyone owning a server for that matter) are the only ones that can provide you with a trustworthy fingerprint of their key. And that key is the only thing able to proof the authenticity of the server.

Of course the website could have been tampered with making you send your credentials to a fake server but what external source would you find to be more trustworthy? If you want to be safe the only way is to find a more personal way of recieving the fingerprint. This leads down a spiral (email can be tampered with, the phone number on the page could have been changed if the site has been tampered) which ends in either you flying to their headquarters to talk to a sysadmin or you saying screw it and just typing yes.

Trudbert
  • 3,178
  • 14
  • 14
  • the physical address of the sysadmin could be changed to another office too, so you could talk to someone who pretend to be the sysadmin ;) – ling Nov 25 '14 at 06:24