I cannot ssh into github no matter what I do. All attempts appear to decline my key pair. I am able to ssh into my home server just fine, so I assume that this issue is with github specifically.
This is what I've tried so far. All of these methods fail with the same issue:
- I have tried logging in using the key produced by my script below as a deploy key in github
- I have tried using a similar set of steps as that script and instead added the key to the list of my account SSH Keys
- I have tried using different algorithms (ecdsa, ed25519, rsa, etc...)
- I have tried logging in via my own machine (linux mint) and my home server (ubuntu)
- I have tried adding the key to the ssh-agent using ssh-add
I checked the SHA256 fingerprint in github for the key against the output of ssh -v below and it matches.
Local Machine
This is my ~/.ssh/config:
Host github.com
    User git
    HostName github.com
    IdentityFile ~/.ssh/github_ecdsa
Here, I have output from running ssh -vT git@github.com:
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/[REDACTED]/.ssh/config
debug1: /home/[REDACTED]/.ssh/config line 1: Applying options for github.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to github.com [140.82.113.3] port 22.
debug1: Connection established.
debug1: identity file /home/[REDACTED]/.ssh/github_ecdsa type 2
debug1: identity file /home/[REDACTED]/.ssh/github_ecdsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/[REDACTED]/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:5ip0RVW9UxjapS8EiRiO6d9k+SJArVU0NVXDSHjTAVU
debug1: load_hostkeys: fopen /home/[REDACTED]/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/[REDACTED]/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: ssh_get_authentication_socket: Connection refused
debug1: Will attempt key: /home/[REDACTED]/.ssh/github_ecdsa ECDSA SHA256:[REDACTED] explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/[REDACTED]/.ssh/github_ecdsa ECDSA SHA256:[REDACTED] explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
git@github.com's password:
I can see that, near the bottom, it offered the key I configured, but because it moved right on to password authentication, I am assuming it declined my key.
My Home Server
I have the following script:
#!/bin/bash
# generate a key pair for the repository named in the first argument
repo=$1
# make sure the key directory exists before ssh-keygen writes into it
mkdir -p .deploy-keys
ssh-keygen -t ed25519 -N "" -f ".deploy-keys/$repo" >/dev/null
# give time to add the public key to github
cat ".deploy-keys/$repo.pub"
read -r
# clone using an ssh command that has the identity file set to the private key
git -c core.sshCommand="ssh -vi .deploy-keys/$repo" clone "git@github.com:username/$repo"
At the read step, I'll do the following:
- copy the contents of the public key.
- go to https://github.com/username/repo/settings/keys/new
- paste the contents into the big box, give it a name, and save
- press enter to continue on the script
The verbose output for this one is here (I truncated most of it this time):
...
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: .deploy-keys/[REDACTED] ED25519 SHA256:[REDACTED] explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
git@github.com's password:
Again, I can see that it found my key. What gives? I've never had the problem in the past. I've used Windows, MacOS, and Linux machines for this before, but never has this issue been so persistent.
UPDATE
I deleted my known_hosts file, and then added the github fingerprints from the link provided by Chris.C to be safe. I noticed that when I ssh to my home server, I see this fingerprint:
ED25519 key fingerprint is SHA256:5ip0RVW9UxjapS8EiRiO6d9k+SJArVU0NVXDSHjTAVU.
And then when I try to ssh to git@github.com, it shows me an error with the same fingerprint:
The fingerprint for the ED25519 key sent by the remote host is
SHA256:5ip0RVW9UxjapS8EiRiO6d9k+SJArVU0NVXDSHjTAVU.
It appears that my router loopback masquerading is somehow messed up. I confirmed that this fingerprint is the actual one for my home server, and it looks like my router is sending all ssh requests to that server instead of outside the network. Funny thing is, I have similar rules defined for 80 and 443, but those two ports do not experience the same issues. Odd behavior, but my problem is out of scope now for the question I originally asked. Thanks for the help!
CodePudding user response:
Your log shows
debug1: Server host key: ssh-ed25519 SHA256:5ip0RVW9UxjapS8EiRiO6d9k+SJArVU0NVXDSHjTAVU
However, github should have the below fingerprint.
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (Ed25519)
So you're connecting to the wrong github server...
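
The comparison made by eye in this answer can be scripted. The following is an added example, not part of the original post: it extracts the host key fingerprint from ssh -v output and compares it with the GitHub Ed25519 fingerprint quoted above. The function names and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the host key fingerprint reported by `ssh -v`
# with a pinned value, so a misrouted connection is caught before any
# time is spent debugging the client key.

# GitHub's Ed25519 host key fingerprint, as quoted in the answer above.
GITHUB_ED25519='SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU'

# Print the fingerprint from the first "Server host key:" line on stdin.
extract_host_fp() {
    sed -n 's/^debug1: Server host key: [^ ]* \(SHA256:[^ ]*\).*$/\1/p' | head -n 1
}

# check_host_fp EXPECTED   (reads `ssh -v` debug output on stdin)
# Returns 0 on match, 1 on mismatch, 2 if no host key line was seen.
check_host_fp() {
    expected=$1
    seen=$(extract_host_fp)
    if [ -z "$seen" ]; then
        echo "no 'Server host key' line found" >&2
        return 2
    fi
    if [ "$seen" = "$expected" ]; then
        echo "OK: $seen"
        return 0
    fi
    echo "MISMATCH: got $seen, expected $expected" >&2
    return 1
}

# Constructed sample: a log where the expected host answered.
sample_right() {
    printf '%s\n' \
        'debug1: Connecting to github.com port 22.' \
        "debug1: Server host key: ssh-ed25519 $GITHUB_ED25519"
}

# Constructed sample: a different machine answered (placeholder fingerprint).
sample_wrong() {
    printf '%s\n' \
        'debug1: Connecting to github.com port 22.' \
        'debug1: Server host key: ssh-ed25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
}

# Live use (debug output goes to stderr; BatchMode avoids the password prompt):
#   ssh -v -o BatchMode=yes -o HostKeyAlgorithms=ssh-ed25519 -T git@github.com \
#       2>&1 </dev/null | check_host_fp "$GITHUB_ED25519"
```

A mismatch here means the TCP connection ended at some other SSH server, which is what the router rule described in the question's update was causing.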