Score:0

How does SSH host verification for github.com provide any value?


Running git clone git@github.com/repo.git warns me of a potential man-in-the-middle attack when GitHub change their SSH key, and that's cool. I then get the new key by running ssh-keyscan -t rsa github.com and carry on cloning the repo.

Both of these commands run against the same domain. I'm thinking that if the attacker got me to connect to their server to clone, they can just do the same for the ssh-keyscan call.

What am I missing here? Should I not run ssh-keyscan blindly and verify the new key some other way? Or is this verification not doing much for cases like GitHub? Or is there some other class of attack that this process protects me against?

Score:2

The idea is that GitHub (or any other remote server) changing their keys is strange and something you would follow up manually.

Rather than automatically accepting, downloading and deploying the new public / server key(s) over the potentially compromised SSH channel, you download the new keys and/or verify their fingerprints using an independent channel; for example by going to their HTTPS website https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints where the HTTPS certificate chain ensures that no man-in-the-middle is modifying the data transmitted over that connection.


Either download the public keys directly and add them to your ~/.ssh/known_hosts to avoid this:

ssh git@github.com
The authenticity of host 'github.com (140.82.121.4)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
ECDSA key fingerprint is MD5:7b:99:81:1e:4c:91:a5:0d:5a:2e:2e:80:13:3f:24:ca.
Are you sure you want to continue connecting (yes/no)? 

Or, before you accept, verify that the offered fingerprint matches what is published.
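As an added example (not part of the answer above), the comparison can be done in a few lines of Python: it computes the SHA256 and MD5 fingerprints ssh prints from the base64 key blob that ssh-keyscan (or a known_hosts line) gives you, and checks them against fingerprints published out of band, so a key is only added to known_hosts after it matches. The sample keyscan line and published fingerprint are GitHub's ed25519 values as reproduced here from its fingerprint page; confirm them against that page yourself before relying on them.

```python
import base64
import hashlib

# Constructed sample of `ssh-keyscan -t ed25519 github.com` output. The key blob and
# the fingerprint below are reproduced from GitHub's fingerprint documentation page;
# check them against that page (over HTTPS) rather than trusting this file.
KEYSCAN_OUTPUT = (
    "github.com ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n"
)

PUBLISHED_FINGERPRINTS = {
    "ssh-ed25519": "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",
}


def fingerprint_sha256(key_blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob.

    OpenSSH hashes the raw (decoded) blob and prints the digest as unpadded base64.
    """
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_blob_b64: str) -> str:
    """Legacy MD5 fingerprint as colon-separated hex (what `ssh-keygen -E md5 -l` shows)."""
    digest = hashlib.md5(base64.b64decode(key_blob_b64)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_keyscan(output: str, published: dict) -> list:
    """Check each host key line of ssh-keyscan output against published fingerprints.

    Returns (host, key_type, fingerprint, ok) tuples; ok is False when the key type
    has no published fingerprint or the computed fingerprint does not match it.
    """
    results = []
    for line in output.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        host, key_type, blob = line.split()[:3]
        fp = fingerprint_sha256(blob)
        results.append((host, key_type, fp, published.get(key_type) == fp))
    return results


if __name__ == "__main__":
    for host, key_type, fp, ok in verify_keyscan(KEYSCAN_OUTPUT, PUBLISHED_FINGERPRINTS):
        verdict = "OK, safe to add to known_hosts" if ok else "MISMATCH, do not add"
        print(f"{host} {key_type} {fp} {fingerprint_md5(KEYSCAN_OUTPUT.split()[2])} {verdict}")
```

A key whose fingerprint does not match, or whose type has no published fingerprint at all, is reported as a mismatch rather than silently accepted.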

Score:1

It is the «trust-on-first-use» scheme. The value is that you only risk a man-in-the-middle attack the first time you see the private key (plus whenever the key is rotated). If you work on several machines, you can replicate your ~/.ssh/known_hosts file.

To my knowledge, GitHub only rotated their SSH key once, and that was for a reason.

More details: https://en.wikipedia.org/wiki/Trust_on_first_use
