How does SSH host verification for github.com provide any value?

Question

Running git clone git@github.com/repo.git warns me of a potential man-in-the-middle attack when GitHub change their SSH key, and that's cool. I then get the new key by running ssh-keyscan -t rsa github.com and carry on cloning the repo.

Both of these commands run against the same domain. I'm thinking that if the attacker got me to connect to their server to clone, they can just do the same for the ssh-keyscan call.

What am I missing here? Should I not run ssh-keyscan blindly and verify the new key some other way? Or is this verification not doing much for cases like GitHub? Or is there some other class of attack that this process protects me against?

HBruijn · Answer 1 · 2023-06-20T07:46:31.277

The idea is that github (or any other remote server) changing their keys is strange and something you would follow up manually.

Rather than automatically accepting, downloading and deploying the new public / server key(s) over the potential compromised ssh channel, you download the new keys and/or verify their fingerprints using an independent channel ; for example by going to their https website https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints where the HTTPS certificate chain ensures that no man-in-the-middle is modifying the data transmitted over that connection.

Either download the public keys directly and add them to your ~/.ssh/known_hosts to avoid this:

ssh git@github.com
The authenticity of host 'github.com (140.82.121.4)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
ECDSA key fingerprint is MD5:7b:99:81:1e:4c:91:a5:0d:5a:2e:2e:80:13:3f:24:ca.
Are you sure you want to continue connecting (yes/no)?

Or before you accept : verify that the offered fingerprint matches what is published.

pedroapero · Answer 2 · 2023-06-20T07:31:57.490

1

It is the «trust-on-first-use» scheme. The value is that you only risk a man-in-the-middle attack the first time you see the private key (plus ifever the key is rotated). If you work on several machines, you can replicate your ~/.ssh/known_hosts file.

To my knowledge, Github only rotated their SSH key once, and that was for a reason.

More details: https://en.wikipedia.org/wiki/Trust_on_first_use

edited Jun 20 '23 at 07:31

answered Jun 20 '23 at 07:26

pedroapero

131
1
6

How does SSH host verification for github.com provide any value?

2 Answers2