I update this article periodically with new ideas, so click here and save this blog post to your favourite Pinterest board. Pinning it will ensure you can refer to this detailed article later. PIN
Introduction
I was thinking of doing a quick fix in one of my blog posts, and I have a glitch! While pushing my changes to this blog repository, I received the response:
git push origin master @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed.
Did you see this message too? How to fix it? What are SSH and RSA keys and its fingerprint? I will cover these things in this concise post. I hope it will be helpful for you, or I will reread it when I am 80 :)
chatGPT explained SSH keys
I am becoming lazy. I have asked the chatGPT AI about that message.
Elena: I have got a Git issue. WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
chatGPT: If you receive a "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" error message when you try to connect to a Git repository, it means that the SSH key fingerprint for the remote host has changed since the last time you connected to it. This could be due to several reasons, such as the remote host being reconfigured or a man-in-the-middle attack.
Next, I follow and test what chatGPT suggested. We still need to investigate what is going on.
Verify the host key
You can verify the key fingerprint to ensure that it matches your expectations. To do this, you can run the command ssh-keygen -F {hostname} to see the fingerprints of the SSH keys for the host.
ssh-keygen -F github.com
You must compare the output with the fingerprints listed on the GitHub page; see GitHub’s SSH key fingerprints. If the fingerprint does not match the one you expect, then you should not connect to the remote host. GitHub suggests to add the following ssh key entries to the ~/.ssh/known_hosts file that we will not manually enter these keys when we try connecting.
Remove the old key from your known_hosts file
You can remove the old key from your known_hosts file by running the command ssh-keygen -R
ssh-keygen -R github.com
I have received confirmation that the key was deleted and backed up.
# Host github.com found: line 1 /Users/elena/.ssh/known_hosts updated. Original contents retained as /Users/elena/.ssh/known_hosts.old
Manually accept the new key
If you are confident that the new key is valid, you can manually accept it by running the command:
ssh-keyscan hostname >> ~/.ssh/known_hosts
I have got the message and typed in “yes” after checking that the GitHub’s SSH key fingerprints match with my local keys (nano ~/.ssh/known_hosts).
Test your connection
After you have resolved the issue, you should be able to connect to the remote host without any further issues.
Sounds simple? Let’s go into detail about whether I had a man-in-the-middle attack and what are SSH and RSA. As usual, I hope you will find it helpful.
Why have I got this issue?
Luckily, I did not have the “man-in-the-middle attack”. There was a change on the GitHub site, as was promptly explained in their blog post about the updated RSA SSH host key. In March 2023, GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository. The company has taken immediate action to contain the exposure and investigate the root cause and impact. The key replacement has been completed, and there is no need for ECDSA or Ed25519 users to make any changes as posted on the GitHub blog.
GitHub advises adding the RSA SSH key in your ~/.ssh/known_hosts manually or with the CURL command, which I prefer since I am a lazy person (or, perhaps, like to do it correctly). As they advised, we deleted the old key and added it to the ~/.ssh/known_hosts file after the download with curl.
# First, we delete the old key ssh-keygen -R github.com # Download and add it curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts
What are the SSH keys?
I use SSH keys to connect to my GitHub (and Bitbucket) repositories and, possibly, you too! What are these keys? SSH keys are cryptographic keys commonly used to securely access remote servers. In other words, SSH keys help establish secure connections between two computers, my home desktop and the GitHub server, using the Secure Shell (SSH) protocol. They provide a safer alternative to traditional password-based authentication. They are less vulnerable to brute-force attacks and can be revoked or replaced if compromised. They are also easy to use once set up.
SSH keys consist of a private key and a public key. The private key is kept secret and should only be known to the owner. That key I have stored on my computer. The public key can be freely distributed to anyone who needs to verify the owner’s identity.
When an SSH connection is established between two computers, the client computer sends its public key to the server, and the server uses the public key to encrypt a message that can only be decrypted using the client’s private key. This message is sent back to the client, who decrypts it using their private key, and a secure connection is established.
What is the host key fingerprint?
A host key fingerprint is a unique identifier for a host’s SSH key used to verify the host’s identity. When you connect to an SSH server for the first time, your SSH client will show you the host key fingerprint and ask you to confirm that it matches the fingerprint of the server you intended to connect to.
The host key fingerprint is a string of characters generated by applying a cryptographic hash function to the host’s SSH key. This fingerprint is usually represented as a sequence of hexadecimal digits separated by colons or spaces, such as “aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99”.
By comparing the host key fingerprint displayed by your SSH client with the fingerprint provided by the server’s administrator, you can ensure that you are connecting to the correct server and that your connection is not being intercepted by a third party attempting to impersonate the server.
Verifying the host key fingerprint when you connect to a new SSH server is crucial. Failing could leave you vulnerable to a man-in-the-middle attack, where an attacker intercepts your connection and impersonates the server to capture your login credentials or perform other malicious actions.
Creating and using SSH keys
In short, SSH keys are a secure and convenient way to authenticate with remote servers or services. Next, we will create and use SSH keys on Mac OS.
Check for Existing SSH Keys
Before creating a new SSH key, checking if you already have one is important. To do so, open a terminal and enter the following command:
ls -al ~/.ssh
If you see files with names like id_rsa and id_rsa.pub, then you already have SSH keys set up. If you still need to, you can proceed to the next step.
Generate a New SSH Key Pair
To generate a new SSH key pair, open a terminal and enter the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Moreover, ‘-b 4096’ is an option that specifies the number of bits in the key. In this case, it sets the key size to 4096 bits.
The ‘-t rsa’ option specifies that the key type is RSA. RSA is a widely-used public-key encryption algorithm commonly used for SSH key pairs.
The larger the key size, the more secure it will be, as it becomes more difficult for attackers to brute-force or crack the key. However, larger key sizes also require more processing power. They can result in slower performance, so it’s a trade-off between security and performance.
In practice, a 4096-bit RSA key is very secure. It is commonly used by individuals and organizations to protect sensitive data and secure remote access.
This command will start the key generation process. You will be prompted to enter a file name for the key pair (default is id_rsa) and a passphrase (optional but recommended).
Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter] Enter passphrase (empty for no passphrase): [Type a passphrase] Enter same passphrase again: [Type passphrase again]
Add the Public Key to the Remote Server
Once you have generated an SSH key pair, you must add the public key to the remote server you want to connect to. To do so, copy the contents of the id_rsa.pub file to your clipboard:
pbcopy < ~/.ssh/id_rsa.pub
Then log in to the remote server and add the public key to the authorized_keys file:
mkdir ~/.ssh chmod 700 ~/.ssh nano ~/.ssh/authorized_keys
Please note that chmod 700 ~/.ssh sets the permissions on the ~/.ssh directory to rwx—— (read, write, and execute for the owner only). This means that only the user who owns the ~/.ssh directory can read, write, or execute files within it.
Setting the permissions on the ~/.ssh directory to 700 is a security best practice because it limits access to the SSH keys stored in the directory to the user who owns them. This is important because SSH keys provide access to remote servers and other systems, and allowing other users or processes to read or modify them can compromise the security of your system.
By setting the ~/.ssh directory permissions to 700, you ensure that only the user who owns the directory (and therefore the SSH keys within it) can access them, which helps to protect against unauthorized access or modification of the keys.
Paste the contents of your clipboard into the authorized_keys file and save it.
chmod 600 ~/.ssh/authorized_keys
With chmod 600 ~/.ssh/authorized_keys we set the permissions on the authorized_keys file to rw——- (read and write for the owner only). Only the user who owns the authorized_keys file can read or modify it.
Setting the permissions on the authorized_keys file to 600 is also a security best practice. Only the user who owns the file (and the SSH keys) can read or modify them.
If the authorized_keys file has weaker permissions, such as rw-r–r– (read and write for the owner and read-only for everyone else), it may be possible for other users or processes to read the contents of the file, which could compromise the security of your SSH key-based authentication.
By setting the authorized_keys file permissions to 600, you ensure that only the user who owns the file (and therefore the SSH keys within it) can access them, which helps to protect against unauthorized access or modification of the keys.
Connecting to the Remote Server
Once the public key is added to the remote server, you can use SSH to connect to the server without being prompted for a password.
To connect to the remote server, open a terminal and enter the following command:
ssh username@remote_host
Replace username with your username on the remote server and remote_host with the hostname or IP address of the remote server.
If you set a passphrase for your SSH key, you will be prompted to enter it when you connect to the remote server.
Use SSH with GitHub
If you like to use an SSH key when pushing or pulling code in GitHub, you can add your SSH key to your GitHub account with these steps:
- Log in to your GitHub account and navigate to your account settings by clicking on your profile picture in the top-right corner and selecting “Settings” from the dropdown menu.
- Click “SSH and GPG keys” in the left sidebar.
- Click on the “New SSH key” button.
- In the “Title” field, give your key a descriptive name, such as “My Mac SSH key”.
- Copy your public key file (~/.ssh/id_rsa.pub) into the “Key” field.
- Click the “Add SSH key” button.
Once you’ve added your SSH key to your GitHub account, you can use it to authenticate with GitHub when pushing or pulling code over SSH.
Managing SSH Keys
To manage your SSH keys, you can use the ssh-add command to add or remove keys from the SSH agent. The SSH agent is a program that runs in the background and stores your SSH keys so you don’t have to enter your passphrase every time you connect to a remote server.
To add an SSH key to the agent, enter the following command:
ssh-add ~/.ssh/id_rsa
To remove an SSH key from the agent, enter the following command:
ssh-add -d ~/.ssh/id_rsa
You can also list the SSH keys that are currently added to the agent by entering the following command:
ssh-add -l
SSH keys are a secure and convenient way to authenticate with remote servers or services. By following the steps in this post, you should now understand how to create and use SSH keys on Mac OS. Remember to keep your private key secure and never share it with anyone.
Conclusion
With the help of chatGPT, I have fixed my SSH keys issue and can do my blogging again. I have also described briefly how to create and use SSH keys on Mac OS. I hope that this post was also helpful to you.
“Hi” to myself from the future. I do some sports and healthy eating for you to reread this post! I also hope that some people use SSH in the future as well ;)
Did you like this post? Please let me know if you have any comments or suggestions.
Git posts that might be interesting for youDisclaimer: I have used chatGPT while preparing this post, and this is why I have listed the chatGPT in my references section. However, most of the text is rewritten by me, as a human, and spell-checked with Grammarly.
References
1. GitHub’s SSH key fingerprints
About Elena Elena, a PhD in Computer Science, simplifies AI concepts and helps you use machine learning.
|