How can I add a host key to the SSH known_hosts
file securely?
I'm setting up a development machine, and I want to (e.g.) prevent git
from prompting when I clone a repository from github.com
using SSH.
I know that I can use StrictHostKeyChecking=no
(e.g. this answer), but that's not secure.
So far, I've found…
-
GitHub publishes their SSH key fingerprints at GitHub's SSH key fingerprints
-
I can use
ssh-keyscan
to get the host key forgithub.com
.
How do I combine these facts? Given a prepopulated list of fingerprints, how do I verify that the output of ssh-keyscan
can be added to the known_hosts
file?
I guess I'm asking the following:
How do I get the fingerprint for a key returned by ssh-keyscan
?
Let's assume that I've already been MITM-ed for SSH, but that I can trust the GitHub HTTPS page (because it has a valid certificate chain).
That means that I've got some (suspect) SSH host keys (from ssh-keyscan
) and some (trusted) key fingerprints. How do I verify one against the other?
Related: how do I hash the host portion of the output from ssh-keyscan
? Or can I mix hashed/unhashed hosts in known_hosts
?
Best Answer
The most important part of "securely" adding a key to the
known_hosts
file is to get the key fingerprint from the server administrator. The key fingerprint should look something like this:In the case of GitHub, normally we can't talk directly to an administrator. However, they put the key on their web pages so we can recover the information from there.
Manual key installation
1) Take a copy of the key from the server and get its fingerprint. N.B.: Do this before checking the fingerprint.
2) Get a copy of the key fingerprint from the server administrator - in this case navigate to the page with the information on github.com
3) Compare the keys from the two sources
By placing them directly one above the other in a text editor, it is easy to see if something has changed
(Note that the second key has been manipulated, but it looks quite similar to the original - if something like this happens you are under serious attack and should contact a trusted security expert.)
If the keys are different abort the procedure and get in touch with a security expert
4) If the keys compare correctly then you should install the key you already downloaded
Or to install for all users on a system (as root):
Automated key installation
If you need to add a key during a build process then you should follow steps 1-3 of the manual process above.
Having done that, examine the contents of your
github-key-temp
file and make a script to add those contents to your known hosts file.You should now get rid of any
ssh
commands which haveStrictHostKeyChecking
disabled.