Server Fingerprints

2016-09-06 21:22:33 chip Page 1864 📢 PUBLIC

January 31 2018

These are the fingerprints for the git.nlited.org server:

----------------------------------------------------------------------- CIPHER: RSA MD5:53:d7:64:e7:1a:54:9d:5b:39:06:90:78:21:fa:65:79 SHA256:lRiw1eSbur+MRuug1DIm4r3pAce2LhHo+IIIRFspeAc= +---[RSA 2048]----+ |. E.. ..oo. | |.o.o. o +.. | |o.+. . . + | |.+. . o | |+..+ S o | |oo+ .. .. | |=.oo= o... | |=o++o+ .o+ | | oo*o o+.+. | +----[SHA256]-----+ ----------------------------------------------------------------------- CIPHER: DSA MD5:db:96:d7:0c:2c:b7:e6:bb:20:fc:1e:67:e0:29:6b:dc SHA256:gIKKEc2f3j6DZB8MDmvD0flmZ2d6+dFcZa6Zixi8yFg= +---[DSA 1024]----+ |.o | | oo . | |o .o.o. o| |o.o.* . o.| |o. * = S o| | = = B o.o o = | | . + * +E+o.. * | | . =+..o+ o . | | .oo.o.o . | +----[SHA256]-----+ ----------------------------------------------------------------------- CIPHER: ECDSA MD5:6a:94:15:a4:11:fb:f9:72:0a:2e:b7:35:c5:3f:00:10 SHA256:yX1MXGzhicv1qjWrSIxwkKmCKsoD4PeSKss773NaOvM= +---[ECDSA 256]---+ | .o. | | o . +o. | | + +.+ | |.. . o o + o . | |+ . . . S . = .| |o. o o o . . | |+ . o. . o + | |*o *oo . . o o | |+*B=OE . o.. | +----[SHA256]-----+ ----------------------------------------------------------------------- CIPHER: ED25519 MD5:e9:f5:43:cc:c7:e9:5d:8d:16:2f:72:f2:05:9b:b7:1c SHA256:OQSIiGLTz6xQ3EgWFShGiRMTQW6+4L94iBWKBG/Hj5Q= +--[ED25519 256]--+ |XB==*+o | |OBo*.. . | |==+.+. . | |oo+ E+ . . | |++.+.o S | |= o.. . . | |.+. | |..o. | | ..o. | +----[SHA256]-----+ -----------------------------------------------------------------------

You may see this scary message when trying to connect to the git server:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:yX1MXGzhicv1qjWrSIxwkKmCKsoD4PeSKss773NaOvM. Please contact your system administrator. Add correct host key in /c/Users/XXXX/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /c/Users/XXXX/.ssh/known_hosts:1 ECDSA host key for git.nlited.org has changed and you have requested strict checking. Host key verification failed. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
This means the key reported by the server did not match what is saved in your known_hosts file for the server. This happens for one of two reasons:

The server has moved to a new address or machine.
Your connection is being hijacked.

The first is most likely, but the second can be very dangerous.

In the first case, the reported key "SHA256:yx1Mx...aOvM" should match one of the key listed in the "Server Fingerprints" above. This is verified using a trusted, independent method, which is looking at this webpage in a browser. If the keys match, it is safe to remove the old key from known_hosts.

unix: ssh-keygen -R git.nlited.org
Windows: Edit C:\Users\XXXX\.ssh\known_hosts and delete the entry.

Once the old key has been removed the next connection attempt will report a much less scary message:
The authenticity of host 'git.nlited.org (54.67.45.65)' can't be established. ECDSA key fingerprint is SHA256:yX1MXGzhicv1qjWrSIxwkKmCKsoD4PeSKss773NaOvM. Are you sure you want to continue connecting (yes/no)?
This is just ssh telling you, "I don't know this server, are you sure it is safe?" Again confirm that the reported key matches on of the keys listed above. If it does, then answer "yes". The key will be added to known_hosts and subsequent connections with proceed quietly.

If the reported key does NOT match any of the keys listed above:
Either your connection is being hijacked, or I forgot to update the fingerprints. Do not proceed until you know which!