What are the MIT GitHub Enterprise host key fingerprints?
Public key fingerprints can be used to validate a connection to a remote server.
As of 3pm, 9/23/2016, MIT GitHub's (github.mit.edu) public key fingerprints (in hexadecimal format):
1024 6a:b9:7a:75:7a:c7:4b:c2:cf:34:8e:37:4a:16:dc:b1 (DSA) 256 ac:6f:99:33:8f:9e:63:c5:4d:8f:c8:3d:b7:cd:05:b5 (ECDSA) 256 3f:9c:18:6f:be:b8:5a:bb:71:bf:be:53:c9:58:b4:13 (ED25519) 2048 03:3b:72:d6:20:6f:3e:1f:5e:2f:38:a2:80:01:f3:22 (RSA)
4 Comments
comments.show.hideSep 23, 2016
Anders Kaseorg
These hexadecimal MD5 hashes cannot be matched against the base64 SHA-256 hashes produced by default in OpenSSH 6.8 and later:
Can you provide the hashes in both formats? I have
(The ED25519 key does not seem to be available on the server.)
Sep 23, 2016
Martin A Segado
For anyone looking for a way to verify this in the meantime, you can check them by pulling down the keys with ssh-keyscan and listing the hashes with ssh-keygen, using -E md5 for MD5 hashes or omitting it for base64 SHA-256 hashes (see http://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se ):
I'm seeing the following output (but don't take my word for it of course):
Sep 23, 2016
Anders Kaseorg
You shouldn’t trust ssh-keyscan either! With someone intercepting your SSH connection, you would see the same bad key from ssh and ssh-keyscan, so it means nothing to check them against each other.
If you verify the MD5 fingerprint of the key from ssh-keyscan against this page (if loaded over HTTPS), then you can be pretty sure that the SHA-256 fingerprint of the same key is the right one to accept in ssh. Perhaps that’s what you meant.
Or just ssh -o FingerprintHash=md5 git@github.mit.edu to get ssh to give you an MD5 fingerprint that can be directly verified against this page.
Sep 25, 2016
Martin A Segado
Oops, sorry - checking the MD5's against this page is indeed what I had in mind, but I realize I never made that explicit =) Thanks for clarifying (and for the ssh -o FingerprintHash=md5 git@github.mit.edu tip; I didn't realize you could do that! Much easier that way.)