Thursday, September 1, 2022

[SOLVED] Fingerprints for SSH do not match with Gitlab.com

Issue

I added an ED25519 public key to my account on gitlab.com. I then set up my .ssh/config to use the private key for Host gitlab.com:

Host gitlab.com gitlab.*.com
    User git
    IdentityFile ~/.ssh/gitlab_ed25519

When I do a git fetch, I am presented with the fingerprint of the key:

The authenticity of host 'gitlab.com (35.231.145.151)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

I then attempted to verify this matches the public key on my machine:

$ ssh-keygen -lf ~/.ssh/gitlab_ed25519.pub
256 SHA256:Gc/kdTZNJJ0AkdRuZmXOnZw77mS2+osIHQd0pRwJxZA comment (ED25519)

These don't match. Does it matter that, even though I added an Ed25519 key on gitlab.com, their SSH server is still reporting a fingerprint for an ECDSA key? Shouldn't it say that the fingerprint is from ED25519 instead? What am I doing wrong? Why do the fingerprints not match?


Solution

When you run ssh-keygen -lf, you're showing the fingerprint for your key. The remote host, GitLab, also has one or more keys which differ from yours. Your key is used to identify you to the remote server and GitLab's keys are used to identify it (the server) to you, so necessarily they'll differ.

If you want to verify the fingerprints, you can go to https://gitlab.com/help/instance_configuration to find them for your GitLab and verify that they're correct.

The reason you're seeing an ECDSA key being offered is that OpenSSH prefers ECDSA over Ed25519 keys. This is less a comment on the security, as most folks agree that Ed25519 keys are just as secure (or more) as 256-bit ECDSA keys, and more for backwards compatibility. When OpenSSH added Ed25519 keys, if they had been prioritized over ECDSA keys, then a changed host key error would show up when logging in the next time.

If you want to prefer Ed25519 keys for gitlab.com, you can add the following directive to your entry in ~/.ssh/config:

HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256


Answered By - bk2204
Answer Checked By - Mildred Charles (WPSolving Admin)
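As an added illustration (not part of bk2204's answer), here is the comparison the answer describes, done by hand in Python: compute the SHA256 fingerprint the way ssh-keygen -lf does for both a user key line and a known_hosts-style host key line, and check the host fingerprint against a published list such as the one on the instance_configuration page. Every key below is a constructed placeholder, not a real GitLab or user key.

```python
import base64
import hashlib
import struct

def _string(data: bytes) -> bytes:          # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def mpint(n: int) -> bytes:                 # SSH wire "mpint": big-endian, leading 0x00 if high bit set
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def build_pubkey_line(key_type: str, fields: list[bytes], comment: str = "") -> str:
    """Assemble a constructed authorized_keys-style line from its wire-format fields."""
    blob = _string(key_type.encode()) + b"".join(_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()

def fingerprint(line: str) -> tuple[int, str, str]:
    """Return (bits, 'SHA256:...', key_type) as `ssh-keygen -lf` reports them; accepts known_hosts lines too."""
    parts = line.split()
    idx = next(i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-")))
    key_type, blob = parts[idx], base64.b64decode(parts[idx + 1])
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if fields[0].decode() != key_type:
        raise ValueError("key type token does not match the encoded blob")
    if key_type == "ssh-ed25519":
        bits = len(fields[1]) * 8                        # 32-byte public point
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])  # curve size is in the name
    elif key_type == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()  # fields: e, n
    else:
        raise ValueError(f"unsupported key type {key_type}")
    # ssh-keygen hashes the raw blob and prints the unpadded base64 of the SHA-256 digest
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return bits, "SHA256:" + digest, key_type

def host_key_matches(known_hosts_line: str, published: set[str]) -> bool:
    """Check the fingerprint the client was shown against the instance's published list."""
    return fingerprint(known_hosts_line)[1] in published

if __name__ == "__main__":
    # Constructed keys, NOT real GitLab or user keys: the point is that the two fingerprints differ.
    user_key = build_pubkey_line("ssh-ed25519", [b"\x01" * 32], "user@laptop")
    host_key = "gitlab.example " + build_pubkey_line("ecdsa-sha2-nistp256", [b"nistp256", b"\x04" + b"\x02" * 64])
    print("your key :", fingerprint(user_key))
    print("host key :", fingerprint(host_key))
```

Paste the fingerprint from the "authenticity of host" prompt into the published set to reproduce the check against the instance_configuration page.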