3

Sometimes, when I connect over SSH to a server that is not in my known hosts file, ssh gives me the message:

The authenticity of host '[domain] ([ip_address])' can't be established.
RSA key fingerprint is [fingerprint].
Are you sure you want to continue connecting (yes/no)?

If I select 'yes', then I get the message:

Warning: Permanently added '[domain]' (RSA) to the list of known hosts.

But for some other servers (e.g. github.com), I am not prompted to continue, and instead I immediately get the following message, which is phrased slightly differently:

Warning: Permanently added the RSA host key for IP address '[ip_address]' to the list of known hosts.

What causes this difference in behaviour? And more importantly, when I am not prompted, do I need to manually check the key that has been added to the known_hosts file before continuing to work with the server?

In both cases I am authenticating via public-key. I'm running OS X 10.10.3, using the system-installed OpenSSH.

2
  • yes, that's life!
    – theoden8
    Commented Aug 4, 2015 at 12:58
  • I'm guessing it is because large sites like github use multiple servers which share a domain, but have different host keys. Commented Aug 4, 2015 at 13:32

2 Answers

3

This is probably caused by the fact that these sites have their ssh fingerprint stored in DNS, so they do not bother users with verifying the keys anymore.

The feature is called an SSHFP record. You can verify this using ssh-keygen -r github.com

3
  • Thanks! It looks as though dig SSHFP github.com is the command you need for querying the DNS records, though. The command you quote is I think for generating such records.
    – Rich
    Commented Aug 4, 2015 at 14:15
  • Might also be worth mentioning the VerifyHostKeyDNS ssh config setting, which needs to be set correctly for the DNS to be queried for SSHFP. This seemed to be switched off by default in my configuration.
    – Rich
    Commented Aug 4, 2015 at 14:16
  • Thanks for mentioning this @Rich. I have this option also disabled by default. Anyway, both my command and yours do a lookup. Storing is more complicated.
    – Jakuje
    Commented Aug 4, 2015 at 14:50
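To make the SSHFP mechanism discussed in this answer and its comments concrete, here is an added Python example; it is not code from the question, the answers or OpenSSH. It derives the SSHFP record data from an OpenSSH public-key line the same way ssh-keygen -r does (hash the decoded key blob, tag it with the SSHFP algorithm and fingerprint-type numbers), and then performs the comparison ssh makes when VerifyHostKeyDNS is enabled. The Ed25519 key bytes and the DNS answer are constructed for the example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public-key line ("ssh-ed25519 <base64 blob> comment")
    from 32 raw public-key bytes. Used here only to construct sample input."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def sshfp_records(pubkey_line: str):
    """Return (algorithm, fptype, hex_fingerprint) tuples for a public-key line.
    The fingerprint is the hash of the base64-decoded key blob, which is
    exactly the RDATA that `ssh-keygen -r host` prints."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fpt, h(blob).hexdigest()) for fpt, h in sorted(SSHFP_FPTYPES.items())]


def format_sshfp(host: str, pubkey_line: str):
    """Zone-file lines in the same layout ssh-keygen -r uses."""
    return [f"{host} IN SSHFP {a} {t} {fp}" for a, t, fp in sshfp_records(pubkey_line)]


def parse_sshfp_rdata(rdata: str):
    """Parse the RDATA part of an SSHFP answer, e.g. '4 2 <hex>' as printed by dig."""
    alg, fpt, hexfp = rdata.split()
    return int(alg), int(fpt), hexfp.lower()


def host_key_matches_dns(pubkey_line: str, dns_rdata) -> bool:
    """Emulate the VerifyHostKeyDNS comparison: the presented host key is
    accepted only if some SSHFP record matches algorithm, fingerprint type
    and fingerprint value."""
    computed = set(sshfp_records(pubkey_line))
    return any(parse_sshfp_rdata(r) in computed for r in dns_rdata)


if __name__ == "__main__":
    # Constructed sample key; a real key would come from /etc/ssh/ssh_host_ed25519_key.pub
    sample_key = make_ed25519_pubkey_line(bytes(range(32)))
    for line in format_sshfp("host.example", sample_key):
        print(line)
    # Hypothetical DNS answer: the SHA-256 record only, as a dig SSHFP query might return it
    dns_answer = [f"{a} {t} {fp}" for a, t, fp in sshfp_records(sample_key) if t == 2]
    print("DNS match:", host_key_matches_dns(sample_key, dns_answer))
```

The RDATA that dig SSHFP prints is "algorithm fingerprint-type hex": algorithm 1 is RSA, 2 DSA, 3 ECDSA, 4 Ed25519; fingerprint type 1 is SHA-1 and 2 is SHA-256. One caveat a defender should know: OpenSSH only lets a DNS match replace the interactive prompt when the resolver reports the answer as DNSSEC-validated; without that, VerifyHostKeyDNS still shows the prompt and only adds a note that a matching fingerprint was found in DNS, so the record alone is not proof that the key is genuine.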
2

Turns out I'm just an idiot.

Whilst, as Jakuje states, SSHFP does allow sites to store their public key fingerprint in their DNS records, in this instance the key was already in the known_hosts file, under the domain name (which I discovered by adding the -v debug flag to my ssh command).

As the informational message I received explains, a new line was being added to the file for the IP address being used.
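The situation this answer describes (the key is already present under the hostname, so ssh silently adds a second line for the IP address) is a known_hosts lookup that happens twice: once for the name you typed and once for the IP, the latter controlled by the CheckHostIP option. The following added Python example, which is not code from the answer or from OpenSSH, reimplements that lookup over a constructed known_hosts file, including hashed entries of the |1|salt|hmac form written by HashKnownHosts, and classifies the outcome the way ssh's messages do. The keys, salt and hostnames are constructed; negated (!) name patterns and @cert-authority/@revoked markers are skipped rather than evaluated.

```python
import base64
import fnmatch
import hashlib
import hmac

HASH_MAGIC = "|1|"


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts name as written by HashKnownHosts / ssh-keygen -H:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))"""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"{HASH_MAGIC}{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"


def name_matches(pattern: str, name: str) -> bool:
    """Match one name field against a hostname or IP. Hashed fields are
    re-hashed with their own salt; plain fields compare case-insensitively,
    with * and ? wildcards when present. Negated (!) patterns are not handled."""
    if pattern.startswith(HASH_MAGIC):
        salt_b64 = pattern.split("|")[2]
        expected = hash_hostname(name, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, pattern)
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(name.lower(), pattern.lower())
    return pattern.lower() == name.lower()


def parse_known_hosts(text: str):
    """Yield (names, keytype, key_b64) for ordinary entries; marker lines
    (@cert-authority, @revoked), comments and blanks are skipped."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#") or fields[0].startswith("@"):
            continue
        if len(fields) >= 3:
            yield fields[0].split(","), fields[1], fields[2]


def lookup(text: str, name: str, keytype: str, key_b64: str) -> str:
    """'match' if name is listed with this exact key, 'mismatch' if it is listed
    with a different key of the same type (the host-key-changed case), else 'absent'."""
    seen_other = False
    for names, kt, kb in parse_known_hosts(text):
        if kt != keytype or not any(name_matches(p, name) for p in names):
            continue
        if kb == key_b64:
            return "match"
        seen_other = True
    return "mismatch" if seen_other else "absent"


def describe_connection(text, hostname, ip, keytype, key_b64, check_host_ip=True) -> str:
    """Classify what ssh would do with this key, hostname and IP."""
    host_state = lookup(text, hostname, keytype, key_b64)
    if host_state == "mismatch":
        return "host key changed"          # the loud MITM warning; connection refused
    if host_state == "absent":
        return "prompt for new host key"   # "The authenticity of host ... can't be established"
    if not check_host_ip:
        return "known"
    ip_state = lookup(text, ip, keytype, key_b64)
    if ip_state == "mismatch":
        return "warn: key for IP differs from key for hostname"
    if ip_state == "absent":
        return "add IP entry"              # "Permanently added the ... host key for IP address"
    return "known"


# Constructed sample data; the key strings are placeholders and are compared, never decoded.
SALT = bytes(range(20))
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAForThisExampleOnly0000"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBForThisExampleOnly0000"
SAMPLE_KNOWN_HOSTS = f"""# constructed sample known_hosts
example.com ssh-ed25519 {KEY_A} laptop
{hash_hostname('git.example.net', SALT)} ssh-ed25519 {KEY_B}
"""

if __name__ == "__main__":
    print(describe_connection(SAMPLE_KNOWN_HOSTS, "example.com", "192.0.2.10", "ssh-ed25519", KEY_A))
    print(describe_connection(SAMPLE_KNOWN_HOSTS, "git.example.net", "192.0.2.20", "ssh-ed25519", KEY_B))
```

On a real file, ssh-keygen -F hostname -f ~/.ssh/known_hosts performs the same lookup, hashed entries included, and ssh-keygen -H rewrites plain names into the hashed form. Whether the IP line gets added at all depends on CheckHostIP, which defaulted to yes in the OpenSSH of the question's era and has defaulted to no since OpenSSH 8.5.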

