When I try to clone a project from our work github server, I am seeing this error. Earlier today this was no problem, but this afternoon it suddenly started happening.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:<fingerprint>.
Please contact your system administrator.
Add correct host key in /Users/<myname>/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/<myname>/.ssh/known_hosts:1
ECDSA host key for github.companysite.com has changed and you have requested strict checking.

I even tried generating a fresh key pair, but that didn't solve it. The thing is, I have no way of knowing if the servers for our github instance changed and this is a legitimate new fingerprint or if it's an attack. I do have access to the web version of github for our company. Is there some way that I can check the server's fingerprint through the web page and compare to the one I'm receiving before I copy it into that trusted hosts file?

Edit for clarification: this is a private github instance for my company, not public github.

  • Is contacting your system administrator not an option? Commented May 28, 2019 at 20:38
  • Finding my system administrator is a last resort. It's going to be an act of congress to find out who that even is.
    – jaredad7
    Commented May 28, 2019 at 20:42

1 Answer

"I even tried generating a fresh key pair, but that didn't solve it."

The message is not talking about your key pair. It's talking about the server's key pair. (And the server's key pair changing is literally what causes the message; it can't possibly solve it.)

"Is there some way that I can check the server's fingerprint through the web page and compare to the one I'm receiving before I copy it into that trusted hosts file?"

I couldn't find any documentation indicating that GitHub Enterprise has such a web page. I did however find official docs indicating that it did not have such a web page in 2016 (2.3.x–2.7.x), according to this sentence:

"We strongly recommend publishing your GitHub Enterprise appliance's SSH host key fingerprints in a location that is accessible to all your end-users." which implies that it was entirely the sysadmin's responsibility to create such a web page.

Since GitHub.com still does not have an integrated SSH fingerprint list (only a manually updated article in the "help" section), I wouldn't expect GitHub Enterprise to have improved in that regard either.

So if your sysadmin has not created such a web page nor announced a hostkey change, you don't have many options left:

  • You can try to rule out network-based MITM attacks by trying several different paths and comparing the fingerprints (in case there is a MITM on just one path) – e.g. assuming the server is globally accessible, first connect directly, then connect through a commercial VPN provider, then connect through your company's internal VPN (if any), then compare the results. If they're all identical, it's probably a legitimate fingerprint.

  • You can ignore the change and connect anyway. If you are connecting within the company's own LAN, chances of a MITM attack aren't that high. (When you connect to the web site, does it have a valid TLS certificate? Or did it stop being valid at the same time the SSH hostkeys changed? Or did it never have a valid cert in the first place? This can serve as an indicator of MITM attack vs sysadmin incompetence.)

  • Please contact your system administrator.
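
The multi-path comparison from the first option above, as an added example that is not part of the original answer: it computes the same `SHA256:` fingerprint the SSH warning prints from one key line per network path and reports whether the paths agree with each other and, if one is available, with a fingerprint published by the admin. It assumes each line was captured on its path with `ssh-keyscan -t ecdsa github.companysite.com`; the function names are hypothetical and the sample keys are constructed, not real host keys.

```python
import base64
import hashlib
import struct

def fingerprint(line):
    """Return (keytype, 'SHA256:...') for one 'host keytype base64' line,
    the format used by ssh-keyscan output and known_hosts."""
    _host, keytype, blob_b64 = line.split()[:3]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob begins with a length-prefixed key type; it must agree with
    # the text field, otherwise the line is damaged or mislabelled.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type field does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without '=' padding.
    return keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def compare_paths(observations, published=None):
    """observations maps a path label to the key line captured on that path."""
    fps = {label: fingerprint(line)[1] for label, line in observations.items()}
    distinct = set(fps.values())
    if len(distinct) > 1:
        return "MISMATCH_BETWEEN_PATHS", fps
    if published is None:
        return "CONSISTENT_ACROSS_PATHS", fps
    verdict = "MATCHES_PUBLISHED" if distinct == {published} else "DIFFERS_FROM_PUBLISHED"
    return verdict, fps

def _constructed_line(point):
    # Constructed sample data: SSH wire format (type, curve, point) with a
    # made-up curve point, not a real host key.
    parts = [b"ecdsa-sha2-nistp256", b"nistp256", point]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "github.companysite.com ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode()

KEY_A = _constructed_line(b"\x04" + b"\x11" * 64)
KEY_B = _constructed_line(b"\x04" + b"\x22" * 64)

if __name__ == "__main__":
    seen = {"direct": KEY_A, "commercial-vpn": KEY_A, "company-vpn": KEY_B}
    verdict, fps = compare_paths(seen)
    print(verdict)
    for label, fp in fps.items():
        print(f"  {label}: {fp}")
```

Agreement across paths only shows that no single path is being intercepted; a match against a fingerprint the admin published over a separate channel is the stronger result.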
