Access Keys:: Skip to content (Access Key - 0)

« MIT Information Systems & Technology website

Welcome back, • Log In • Knowledge Base Handbook

KB chicklet

The Knowledge Base

What are the MIT GitHub Enterprise host key fingerprints?

Public key fingerprints can be used to validate a connection to a remote server.

As of 3pm, 9/23/2016, MIT GitHub's (github.mit.edu) public key fingerprints (in hexadecimal format):

1024 6a:b9:7a:75:7a:c7:4b:c2:cf:34:8e:37:4a:16:dc:b1 (DSA)

256 ac:6f:99:33:8f:9e:63:c5:4d:8f:c8:3d:b7:cd:05:b5 (ECDSA)

256 3f:9c:18:6f:be:b8:5a:bb:71:bf:be:53:c9:58:b4:13 (ED25519)

2048 03:3b:72:d6:20:6f:3e:1f:5e:2f:38:a2:80:01:f3:22  (RSA)

IS&T Contributions

Documentation and information provided by IS&T staff members →

Last Modified:

September 23, 2016

Get Help

Request help
from the Help Desk

Report a security incident
to the Security Team

Labels:

c-github c-github Delete

Feedback

This product/service is:

Easy to use

Average

Difficult to use

This article is:

Helpful

Inaccurate

Obsolete

4 Comments

comments.show.hide

Sep 23, 2016

Anders Kaseorg
These hexadecimal MD5 hashes cannot be matched against the base64 SHA-256 hashes produced by default in OpenSSH 6.8 and later:
$ git clone git@github.mit.edu:andersk/test.git Cloning into 'test'... The authenticity of host 'github.mit.edu (18.9.44.24)' can't be established. ECDSA key fingerprint is SHA256:mP1vMrsRkP6l42bs0dsXejq3YgxMD2r5NqboImqssw0. Are you sure you want to continue connecting (yes/no)?
Can you provide the hashes in both formats? I have
1024 MD5:6a:b9:7a:75:7a:c7:4b:c2:cf:34:8e:37:4a:16:dc:b1 github.mit.edu (DSA) 1024 SHA256:pcwTyC+O0EBl9oZDmDllX5kJZXxg2yAMwuKGkt0DNCo github.mit.edu (DSA) 256 MD5:ac:6f:99:33:8f:9e:63:c5:4d:8f:c8:3d:b7:cd:05:b5 github.mit.edu (ECDSA) 256 SHA256:mP1vMrsRkP6l42bs0dsXejq3YgxMD2r5NqboImqssw0 github.mit.edu (ECDSA) 2048 MD5:03:3b:72:d6:20:6f:3e:1f:5e:2f:38:a2:80:01:f3:22 github.mit.edu (RSA) 2048 SHA256:qtLpZn5Gd9N92Tk/9J8XoRjBh49py4/Q2xC3cV6tV2g github.mit.edu (RSA)
(The ED25519 key does not seem to be available on the server.)
- Permalink
1. Sep 23, 2016
  
  Martin A Segado
  For anyone looking for a way to verify this in the meantime, you can check them by pulling down the keys with ssh-keyscan and listing the hashes with ssh-keygen, using -E md5 for MD5 hashes or omitting it for base64 SHA-256 hashes (see http://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se ):
  
  ssh-keyscan github.mit.edu > github.pub ssh-keygen -l -f ~/gh.pub -E md5 ssh-keygen -l -f ~/gh.pub
  
  I'm seeing the following output (but don't take my word for it of course):
  
  2048 MD5:03:3b:72:d6:20:6f:3e:1f:5e:2f:38:a2:80:01:f3:22 github.mit.edu (RSA) 256 MD5:ac:6f:99:33:8f:9e:63:c5:4d:8f:c8:3d:b7:cd:05:b5 github.mit.edu (ECDSA) 2048 SHA256:qtLpZn5Gd9N92Tk/9J8XoRjBh49py4/Q2xC3cV6tV2g github.mit.edu (RSA) 256 SHA256:mP1vMrsRkP6l42bs0dsXejq3YgxMD2r5NqboImqssw0 github.mit.edu (ECDSA)
  Permalink
  1. Sep 23, 2016
    
    Anders Kaseorg
    You shouldn’t trust ssh-keyscan either! With someone intercepting your SSH connection, you would see the same bad key from ssh and ssh-keyscan, so it means nothing to check them against each other.
    
    If you verify the MD5 fingerprint of the key from ssh-keyscan against this page (if loaded over HTTPS), then you can be pretty sure that the SHA-256 fingerprint of the same key is the right one to accept in ssh. Perhaps that’s what you meant.
    
    Or just ssh -o FingerprintHash=md5 git@github.mit.edu to get ssh to give you an MD5 fingerprint that can be directly verified against this page.
    
    Permalink
    1. Sep 25, 2016
      
      Martin A Segado
      
      Oops, sorry - checking the MD5's against this page is indeed what I had in mind, but I realize I never made that explicit =) Thanks for clarifying (and for the ssh -o FingerprintHash=md5 git@github.mit.edu tip; I didn't realize you could do that! Much easier that way.)
      
      Permalink

Adaptavist Theme Builder (4.2.3) Powered by 3.5.13, the