7

How do I know the GitHub server rsa2 key fingerprint ssh-rsa 2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 matches the fingerprint they display on their website as SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA) since they don't look the same?

I'm setting up my GitHub account to use SSH to commit codes. The question comes up during first access attempt and putty want's to cache the key. From enough sources on the web I find enough to feel confident that it is in fact GitHub, but how do I personally verify it? Aware of spoofing risks etc, but that isn't the question.

I got the ssh-rsa 2048 fingerprint from putty after attempting git clone [repository ssh url] for the first time.

Nelumbo
  • 893
  • 2
  • 9
  • 18

1 Answers1

6

The reason you're seeing this is because you're using an old, obsolete SSH client.

The fingerprint of a key is merely the hash of the key body. Old versions of OpenSSH used MD5 for this, and the form you're using with the colons is the MD5 format. However, MD5 is so vulnerable to collisions that CMU has said that it is “unsuitable for further use.” Responsible parties have abandoned it altogether, since it has been known to be insecure since 2004. Even though the purpose for which SSH is using it is not known to be insecure, there's no longer any good reason to use MD5 for any purpose at all.

OpenSSH some time ago switched to SHA-256 for that, and at the same time, they switched to encoding the hash in Base64. At the same time, they prepended the hash algorithm to the name so it is unambiguous. SHA-256 is widely considered secure, and GitHub no longer displays MD5 fingerprints since most clients handle SHA-256.

Putty, unfortunately, is back in the early 2000s and has not moved away from MD5. GitHub still publishes the MD5 hash of its keys at https://api.github.com/meta so you can see it, but most people don't publish MD5 fingerprints anymore.

If you're on Windows, you can use the version of OpenSSH that comes with Git for Windows; otherwise, OpenSSH should already be available on most Unix system. A recent enough version will show you the SHA-256 fingerprints as normal.

bk2204
  • 64,793
  • 6
  • 84
  • 100