Access Keys:
Skip to content (Access Key - 0)

What are the MIT GitHub Enterprise host key fingerprints?

Public key fingerprints can be used to validate a connection to a remote server.

As of 3pm, 9/23/2016, MIT GitHub's ( public key fingerprints (in hexadecimal format):

1024 6a:b9:7a:75:7a:c7:4b:c2:cf:34:8e:37:4a:16:dc:b1 (DSA)

256 ac:6f:99:33:8f:9e:63:c5:4d:8f:c8:3d:b7:cd:05:b5 (ECDSA)

256 3f:9c:18:6f:be:b8:5a:bb:71:bf:be:53:c9:58:b4:13 (ED25519)

2048 03:3b:72:d6:20:6f:3e:1f:5e:2f:38:a2:80:01:f3:22  (RSA)

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

September 23, 2016

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
c-github c-github Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
This product/service is:
Easy to use
Difficult to use

This article is:
  1. Sep 23, 2016

    These hexadecimal MD5 hashes cannot be matched against the base64 SHA-256 hashes produced by default in OpenSSH 6.8 and later:

    $ git clone
    Cloning into 'test'...
    The authenticity of host ' (' can't be established.
    ECDSA key fingerprint is SHA256:mP1vMrsRkP6l42bs0dsXejq3YgxMD2r5NqboImqssw0.
    Are you sure you want to continue connecting (yes/no)?

    Can you provide the hashes in both formats? I have

    1024 MD5:6a:b9:7a:75:7a:c7:4b:c2:cf:34:8e:37:4a:16:dc:b1 (DSA)
    1024 SHA256:pcwTyC+O0EBl9oZDmDllX5kJZXxg2yAMwuKGkt0DNCo (DSA)
    256 MD5:ac:6f:99:33:8f:9e:63:c5:4d:8f:c8:3d:b7:cd:05:b5 (ECDSA)
    256 SHA256:mP1vMrsRkP6l42bs0dsXejq3YgxMD2r5NqboImqssw0 (ECDSA)
    2048 MD5:03:3b:72:d6:20:6f:3e:1f:5e:2f:38:a2:80:01:f3:22 (RSA)
    2048 SHA256:qtLpZn5Gd9N92Tk/9J8XoRjBh49py4/Q2xC3cV6tV2g (RSA)

    (The ED25519 key does not seem to be available on the server.)

    1. Sep 23, 2016

      For anyone looking for a way to verify this in the meantime, you can check them by pulling down the keys with ssh-keyscan and listing the hashes with ssh-keygen, using -E md5 for MD5 hashes or omitting it for base64 SHA-256 hashes (see ):

      ssh-keyscan >
      ssh-keygen -l -f ~/ -E md5
      ssh-keygen -l -f ~/

      I'm seeing the following output (but don't take my word for it of course):

      2048 MD5:03:3b:72:d6:20:6f:3e:1f:5e:2f:38:a2:80:01:f3:22 (RSA)
      256 MD5:ac:6f:99:33:8f:9e:63:c5:4d:8f:c8:3d:b7:cd:05:b5 (ECDSA)
      2048 SHA256:qtLpZn5Gd9N92Tk/9J8XoRjBh49py4/Q2xC3cV6tV2g (RSA)
      256 SHA256:mP1vMrsRkP6l42bs0dsXejq3YgxMD2r5NqboImqssw0 (ECDSA)
      1. Sep 23, 2016

        You shouldn’t trust ssh-keyscan either! With someone intercepting your SSH connection, you would see the same bad key from ssh and ssh-keyscan, so it means nothing to check them against each other.

        If you verify the MD5 fingerprint of the key from ssh-keyscan against this page (if loaded over HTTPS), then you can be pretty sure that the SHA-256 fingerprint of the same key is the right one to accept in ssh. Perhaps that’s what you meant.

        Or just ssh -o FingerprintHash=md5 to get ssh to give you an MD5 fingerprint that can be directly verified against this page.

        1. Sep 25, 2016

          Oops, sorry - checking the MD5's against this page is indeed what I had in mind, but I realize I never made that explicit =) Thanks for clarifying (and for the ssh -o FingerprintHash=md5 tip; I didn't realize you could do that! Much easier that way.)

Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki