
GitHub SSH Host Key Changed: Resolving the Warning

Problem Statement

If you recently started receiving a security warning when connecting to GitHub via SSH, you're not alone. The error message typically appears as:

text
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

This warning indicates that the SSH fingerprint for GitHub's servers doesn't match the one stored on your local machine. While such warnings can signal security risks, this specific case stems from GitHub legitimately updating their RSA SSH host key on March 24, 2023, after the previous key was briefly exposed.

Primary Solution: Remove the Old GitHub Key

The most straightforward solution is to remove GitHub's old SSH key from your known_hosts file using OpenSSH's built-in tool:

bash
ssh-keygen -R github.com

This command will:

  1. Locate and remove all entries for github.com in your SSH known_hosts file
  2. Preserve other host entries in the file
  3. Generate a backup of your original known_hosts file (appending .old to the filename)

Sample output:

text
# Host github.com found: line 1
.ssh/known_hosts updated.

Verifying the New Host Key

After removing the old key, the first time you connect to GitHub, you'll be prompted to verify the new host key fingerprint:

text
The authenticity of host 'github.com (140.82.112.4)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Always verify fingerprints before accepting them. GitHub's official fingerprints are:

Key Type   Fingerprint
RSA        SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s
ECDSA      SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM
Ed25519    SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU

For the latest fingerprints, refer to GitHub's official documentation.

Handling IP-Based Entries

Older SSH Versions Only

If you are using an OpenSSH release earlier than 8.5, you might still see the warning after running ssh-keygen -R github.com. Those versions stored host keys under both the host name and the IP address (the older default of CheckHostIP=yes), and ssh-keygen -R github.com removes only the entries recorded under the host name, so the stale IP-based entries remain.

Manual Cleanup of IP Entries

  1. Back up your known_hosts file:

    bash
    cp ~/.ssh/known_hosts ~/.ssh/known_hosts_backup
  2. Delete every entry that still carries the old RSA key, whatever host name or IP address it is recorded under. Matching on the key material rather than the host name also works when HashKnownHosts is enabled, because only the host field is hashed:

    bash
    # For Linux/Git Bash:
    sed -i -e '/AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31\/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi\/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==/d' ~/.ssh/known_hosts

    # For macOS:
    sed -i '' -e '/AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31\/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi\/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==/d' ~/.ssh/known_hosts

Platform-Specific Instructions

Windows (PowerShell)

powershell
# Remove only the github.com entries. Windows' OpenSSH ships ssh-keygen, so the same
# command works here (it also writes a known_hosts.old backup); deleting the whole
# file would discard every other saved host key as well.
ssh-keygen -R github.com -f "$env:USERPROFILE\.ssh\known_hosts"

# Alternatively, open the file and delete the github.com lines by hand
notepad "$env:USERPROFILE\.ssh\known_hosts"

macOS

  1. Open your known_hosts file in a text editor:
    bash
    open -e ~/.ssh/known_hosts
  2. Remove the lines beginning with github.com, and any lines recorded under GitHub's IP addresses
  3. Save the file and verify that its permissions remain 600

Alternative: Manual Key Update

For environments where an interactive host-key prompt is not possible (automated builds, provisioning scripts), populate your known_hosts file manually from GitHub's published keys:

bash
# Fetch GitHub's current host keys from the meta API over HTTPS and append them as github.com entries
curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts

Run ssh-keygen -R github.com first so the stale entries are gone. This approach trusts the HTTPS connection to api.github.com (and your CA bundle) instead of a manual check, so compare the resulting fingerprints (ssh-keygen -lf ~/.ssh/known_hosts) with the table above before relying on them.
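To make the "verify before accepting" step from the fingerprint table above mechanical for the meta-API workflow, here is an added example (not from this page, GitHub, or the OpenSSH project): it computes OpenSSH-style SHA256 fingerprints for the key lines that api.github.com/meta returns and emits known_hosts lines only for keys whose fingerprint matches the published values. It assumes GitHub's published Ed25519 public key string as sample input (check it against the official docs) and adds a constructed, well-formed but unknown key as a would-be impostor.

```python
import base64
import hashlib

# Fingerprints published by GitHub (the values quoted on this page); re-check the official docs.
GITHUB_FINGERPRINTS = {
    "ssh-rsa": "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s",
    "ecdsa-sha2-nistp256": "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",
    "ssh-ed25519": "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",
}


def fingerprint(pubkey_line):
    """OpenSSH SHA256 fingerprint of a 'type base64blob' line, as ssh-keygen -lf prints it."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    # The wire blob starts with a length-prefixed type string; it must match the text field.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type field does not match the encoded blob")
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def trusted_known_hosts_lines(ssh_keys, expected=GITHUB_FINGERPRINTS, host="github.com"):
    """Turn meta-API 'ssh_keys' entries into known_hosts lines, but only for keys whose
    fingerprint matches the published one; everything else is returned for alerting."""
    accepted, rejected = [], []
    for line in ssh_keys:
        key_type, fp = fingerprint(line)
        if expected.get(key_type) == fp:
            accepted.append(f"{host} {line.strip()}")
        else:
            rejected.append((key_type, fp))
    return accepted, rejected


# Sample input standing in for the 'ssh_keys' array from https://api.github.com/meta.
# First entry: GitHub's published Ed25519 host key (assumption: matches the current docs).
# Second entry: a constructed, well-formed but unknown Ed25519 key, as a would-be impostor.
IMPOSTOR_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x01" * 32
SAMPLE_META_SSH_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl",
    "ssh-ed25519 " + base64.b64encode(IMPOSTOR_BLOB).decode(),
]

if __name__ == "__main__":
    ok, bad = trusted_known_hosts_lines(SAMPLE_META_SSH_KEYS)
    print("\n".join(ok))  # only these lines are safe to append to ~/.ssh/known_hosts
    for key_type, fp in bad:
        print(f"REJECTED {key_type} {fp}")
```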

Security Best Practices

  1. Never accept a host key blindly; always compare the fingerprint with the published values
  2. Keep your SSH client updated to receive security improvements
  3. Use modern key types such as Ed25519 in preference to legacy RSA
  4. Use GitHub's recommended verification method after updating known_hosts:
    bash
    ssh -T git@github.com
    # Expected message: "You've successfully authenticated"

Key Rotation is Normal

Host key rotation is a standard security practice. GitHub rotated this key deliberately, in response to the exposure described above, and legitimate providers may occasionally update their keys; the warning is the client doing its job, and the fix is to verify the new fingerprint rather than to disable host key checking.