Tags: github, ssh, openssh

What is the secure/correct way of adding www.github.com to the known_hosts file?


I want to access my github repositories via ssh. When I access the repository for the first time, I am asked if I want to add the github ssh server to my known_hosts file, which works fine. That request also shows me the RSA key fingerprint of that server and I can manually verify that it is the same that is provided by github here.

These are the SHA256 hashes shown in OpenSSH 6.8 and newer (in base64 format):

SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA)
SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA)

The problem is that I want to prevent that request by adding a public key to my known_hosts file before my first access to my git repository. This can be done by using the ssh-keyscan -t rsa www.github.com command, which will give me a public key in the format required by the known_hosts file. But people mention repeatedly that this is not safe and is vulnerable to man-in-the-middle attacks. What they do not mention is how to do it right.

So how can I use the RSA fingerprint provided on the github page to safely get the public host key of the ssh server? I am more or less looking for an option to the ssh-keyscan command that lets me add the expected RSA fingerprint and causes the command to fail if the host's fingerprint does not match the given one.

Thank you for your time!


Solution

  • Warning March 2023:

    "GitHub has updated its RSA SSH host key"


    I would not use ssh-keyscan in that case.
    Rather, I would use it and double-check the result by comparing its fingerprint with the one provided by GitHub.

    And then proceed with an SSH GitHub test, to check I do get:

    Hi username! You've successfully authenticated, but GitHub does not
    provide shell access.
    

    So, as recommended here, for the manual process:

    ssh-keyscan github.com >> githubKey
    

    Generate the fingerprint:

    ssh-keygen -lf githubKey
    

    Compare it with the ones provided by GitHub.

    Finally, copy githubKey content to your ~/.ssh/known_hosts file.


    You can automate that process (still including the fingerprint step check) with wercker/step-add-to-known_hosts: it is a wercker step, but can be extrapolated as its own independent script.

    - add-to-known_hosts:
        hostname: github.com
        fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
        type: rsa
    

    But that would lack the check against help.github.com/articles/github-s-ssh-key-fingerprints: see below.


    Using nmap does not help much, as explained here:

    Using nmap to get the SSH host key fingerprint and then comparing it to what ssh-keyscan says the fingerprint is: in both cases, the fingerprint comes from the same place.
    It's just as vulnerable to MITM as any other of these automated solutions.

    The only secure and valid way to verify an SSH public key is over some trusted out-of-band channel. (Or set up some kind of key-signing infrastructure.)

    Here, help.github.com/articles/github-s-ssh-key-fingerprints remains the "trusted out-of-band channel".
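The manual procedure in the answer (scan, fingerprint with ssh-keygen -lf, compare with GitHub's published value, only then append to known_hosts) as a small script, added here as an example and not part of the answer or of any GitHub tooling. It computes both fingerprint formats that ssh-keygen -l prints, the SHA256 base64 form quoted in the question and the colon-separated MD5 form used in the wercker config, and refuses to write the key unless the fingerprint matches the one you pasted from GitHub's documentation page. The sample key line is constructed and is not a real host key; the `ssh-keyscan` call is only made when the script is run directly.

```python
import base64
import hashlib
import os
import subprocess
import sys

# Constructed sample: NOT a real key, just bytes in a known_hosts-shaped line.
SAMPLE_BLOB = b"constructed host key blob for the example"
SAMPLE_LINE = "github.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()


def fingerprint(key_blob: bytes, style: str = "sha256") -> str:
    """Fingerprint of a raw key blob in the two formats ssh-keygen -l prints:
    "sha256" -> SHA256:<base64, '=' padding stripped>  (OpenSSH 6.8+ default)
    "md5"    -> colon-separated hex                      (ssh-keygen -E md5 -lf)"""
    if style == "sha256":
        digest = hashlib.sha256(key_blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if style == "md5":
        return ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())
    raise ValueError(f"unknown fingerprint style: {style}")


def parse_known_hosts_line(line: str):
    """Split 'host key-type base64-blob [comment]' (ssh-keyscan output) and decode the blob."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts line: " + line)
    return fields[0], fields[1], base64.b64decode(fields[2], validate=True)


def verify_scanned_key(line: str, expected_fingerprint: str) -> bool:
    """True only if the scanned key's fingerprint equals the one obtained out-of-band."""
    _, _, blob = parse_known_hosts_line(line)
    expected = expected_fingerprint.strip()
    style = "sha256" if expected.startswith("SHA256:") else "md5"
    return fingerprint(blob, style) == expected


def add_if_verified(line: str, expected_fingerprint: str, known_hosts_path: str) -> bool:
    """Append the line to known_hosts only after the fingerprint check passes."""
    if not verify_scanned_key(line, expected_fingerprint):
        return False
    with open(os.path.expanduser(known_hosts_path), "a", encoding="utf-8") as fh:
        fh.write(line.rstrip("\n") + "\n")
    return True


if __name__ == "__main__":
    # usage: script.py <fingerprint copied from GitHub's docs page> [known_hosts path]
    expected, path = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "~/.ssh/known_hosts")
    scan = subprocess.run(["ssh-keyscan", "-t", "rsa", "github.com"],
                          capture_output=True, text=True, check=True).stdout
    ok = any(add_if_verified(l, expected, path) for l in scan.splitlines())
    sys.exit(0 if ok else "fingerprint mismatch: host key NOT added")
```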