The authenticity of host 'github.com (192.30.252.128)' can't be established
Solution 1
Danger ahead, unless you actually don't care about secure communication with github on your local account
Ssh rightly complains that they can't make sure you are indeed connecting to github's server through a secure channel. That might be why github is recommending https access, which works out-of-the-box thanks to its public key infrastructure.
Now, you can have it work, but be aware that it involves caching a public key fingerprint which, if done incorrectly, provides an attacker permanent man-in-the-middle attack.
How to proceed safely?
Option 1 is use https url instead of ssh.
Option 2 is have ssh access work.
Okay, show me option 2
- Do
ssh -T [email protected]
but don't just type "yes". - Check if the hash that is shown matches one of the hashed shown in https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/ (in your question it does, and see, the page is fetched through https for the same public key infrastructure reasons).
If the hash matches, then connection is indeed safe you can answer "yes" to ssh's question.
Okay, I checked and typed yes, how do I know it works?
Ssh will show something like:
Warning: Permanently added the RSA host key for IP address '192.30.252.128' to the list of known hosts.
After that, you will either see a message like
Permission denied (publickey).
which is good but shows that you need further configuration, or simply
Hi yourlogin! You've successfully authenticated, but GitHub does not provide shell access.
which means that all works well and you can retry your first operation.
Notice that if you retry the same ssh command, it should no longer ask the question.
Solution 2
Run ssh -o StrictHostKeyChecking=no [email protected]
in command prompt to add the authenticity to your known_hosts. Then you won't get the prompt the next time.
Solution 3
I solved my problem by running
ssh-keyscan github.com >> ~/.ssh/known_hosts
in command prompt. This command will add authenticity to your known_hosts.
Solution 4
You sure you're not accidentally logged in as a different user (this happens to me when I sudo -s / login as root and forget my GitHub account isn't linked to that user).
Solution 5
I landed here because I was getting this error and not understanding why. It turns out I had a typo in my npm command:
npm install -P -E @angular/common @angular/compiler @angular/core @angular/forms
@angular/platform-browser @angular/router @angular/animations@ angular/platform-browser-dynamic
Notice how the end of the line reads @angular/animations@ angular/platform-browser-dynamic
.
NPM interprets the last "package" as being a github repo and that is where the error comes from.
I know this does not actually answer the question but I put it up just in case anyone else encounters this by making a similar mistake.
led
Updated on July 08, 2022Comments
-
led almost 2 years
I am trying to use
sudo npm install
to install all my dependencies for an application written in nodejs. My OS is Ubuntu 13.04
However, I keep getting this warning:
The authenticity of host 'github.com (192.30.252.131)' can't be established. RSA key fingerprint is 16:27:ac:a5:76:28:1d:52:13:1a:21:2d:bz:1d:66:a8. Are you sure you want to continue connecting (yes/no)?
Has anyone encountered this warning before? Is it possible to authenticate and store the fingerprint locally? So I won't need to authenticate again when I enter sudo npm install another time.
Right now, I am unable to enter anything, not even "yes". My terminal just gets stuck, i have to press Ctrl+C to terminate.
-
Alastair over 9 yearsSome bloody shell script had me logged in as
root
haha - thanks, @matt-pavelle -
payne8 over 8 yearsThe strict checking of host keys is for security purposes. If someone is able to spoof a dns record for github.com (or any other host you are trying to connect to) then this warning would actually catch the spoofing. I would suggest not turning it off.
-
Stéphane Gourichon over 8 yearsThis is wrong and dangerous. See @payne8's comment below. See my other answer.
-
Lukas Liesis over 8 yearsif you get permission denied (publickey) go to github.com/settings/ssh and add your ssh key there
-
Admin about 8 yearsAgreed with @Stéphane Gourichon that doing this blindly would be dangerous, as it seems to negate the purpose of the prompt. His answer points to URL where to verify hash: help.github.com/articles/what-are-github-s-ssh-key-fingerprints (taken from his answer, which should IMO definitely be the answer and upvoted), though I admit I always wonder if someone could spoof the DNS record, could they not also spoof the verification page.
-
Stéphane Gourichon about 8 years@ibgib Thanks. The verification page offers significantly better protection against spoofing (that is, unless the user ignores browser alerts, which would be similar to blindly type "yes" at the ssh key verification prompt). The verification page is secured through https and all browsers doing https properly have a list of trusted root certificates which are meant to guarantee that github server certificate is genuine (for details, including limitations, see Public key infrastructure). It's not perfect but much harder to spoof.
-
Stéphane Gourichon about 8 yearsAgreed with @payne8: do not disable strict host key checking, it would disable an important security warning! See the answer "Danger ahead, unless you actually don't care about secure communication with github on your local account" for more.
-
urig over 7 yearsWhere do I get my ssh key so I can add it?
-
Stéphane Gourichon over 7 years@urig the page I mentioned (github.com/settings/ssh) has a link to generate a GPG key and add it to your account
-
Surya over 5 yearsWhat if the hash shown doesn't match with the hash in help.github.com/articles/what-are-github-s-ssh-key-fingerprints
-
Stéphane Gourichon over 5 years@Surya if the hash does not match, it means that the server you're communicating with sent a different key. Github would probably not change keys without a salient public warning. So, the server is a different server impersonating github server. It could be an evil attacker and/or a corporate proxy. If this happened to me, I'd refuse key, abort connection and investigate. Did you observer that, or is it a theoretical question?
-
Surya over 5 yearsI observed that but looks like it was a proxy configured at my office. So we informed the IT team and now things are working fine. Thanks for clarifying :D
-
Viperet over 4 yearsPlease use
ssh -T [email protected]
instead ofssh github.com
if you always getPermission denied (publickey).
-
Stéphane Gourichon over 4 yearsViperet's addition is good.
-T
just avoids an unrelated error message. Addinggit@
is not necessary to show the hash, but in most setup is necessary toget the proper "Hi" on successful authentication; Thanks @Viperet. -
mgPePe about 4 yearscan you please clarify what exactly was wrong with that line? I suspect I have a similar problem
-
MarioDS about 4 years@mgPePe there was a space between
@
and the NPM scope name, which makes NPM interpret it as not a scope but a github account name. -
mgPePe about 4 yearsI see. I had a similar problem too!
-
AndruWitta over 2 yearsI chose Option 1 and used this link to achieve it - using MINGW64 on Win10: stackoverflow.com/a/16330439/2567114
-
Vittore Marcas over 2 yearsThanks! that works for me via typing "yes".