
When I attempt `git push origin`, I get the following error:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:7zYnlSpxx6z0t477lR5vNYfelxewzWwu8N1X6v+wsZA.
Please contact your system administrator.
Add correct host key in /home/mako/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/mako/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/home/mako/.ssh/known_hosts" -R "github.com"
RSA host key for github.com has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

This isn't super alarming in itself; it just means the ssh key observed for "github.com" is different this time from the last time I connected.

When I look online to figure out if GitHub has changed their keys lately, I see that their RSA SHA256 fingerprint should be SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Screenshot in case that page changes: (image: Screenshot showing GitHub's ssh key fingerprints)

When I run `ssh-keygen -l -f ~/.ssh/known_hosts -F github.com` I get

```
# Host github.com found: line 1
github.com RSA SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
```

The fingerprint saved in my known_hosts file matches the one advertised in GitHub's help pages, and does not match the one I observe when I try to push my work.

At this point, should I suppose that something bad is happening? What should I do about it? What further diagnostics should I run?

Update:

On a different network now (my home wifi), and now I observe the advertised fingerprint. My impression is that this means there's "something wrong" with the wifi at the coffee shop I was at earlier.

  • I'm taking for granted that I shouldn't attempt to bypass the normal ssh protections. If they're really inconvenient I guess I should just use a VPN or my own hotspot?
  • Should I treat that wifi network as suspect in other ways? Should I trust that my (https) web is secure?
  • Is this a problem that I should ask/expect the business owner to fix?
ShapeOfMatter
  • I get `SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8` when I run `ssh-keyscan github.com | ssh-keygen -lf -`. Are you still getting the wrong key? Can you try from another location? If you're connecting from a corporate network is it possible they've set up SSH interception recently? – AndrolGenhald May 03 '19 at 18:45
  • I am still getting the wrong key, both with `git push` and with `ssh-keyscan`. I'm at a coffee shop in my city; I'll try again from home in an hour or two. – ShapeOfMatter May 03 '19 at 19:00
  • 1
    "I'm at a coffee shop in my city" - on an untrusted public wifi network? If I had a dollar for every compromised coffee shop public wifi network, I'd be a very rich man... – dwizum May 03 '19 at 19:29
  • * updated question with details at home. – ShapeOfMatter May 03 '19 at 21:01
  • @ShapeOfMatter Is there anything else you'd like me to add to my answer? – forest Mar 07 '21 at 02:18
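As an added example (not code from the question, the answer, or GitHub), the following Python script does offline what the question does by hand with `ssh-keygen -F`: it looks up the key pinned for a host in `known_hosts` text (plain or hashed host fields), computes the OpenSSH `SHA256:` fingerprint, and interprets the three fingerprints involved (pinned in `known_hosts`, published in the vendor's docs, presented by the server). The key blob and all fingerprints below are constructed sample data, not GitHub's real key.

```python
import base64
import hashlib
import hmac


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")


def host_matches(entry_host: str, hostname: str) -> bool:
    """Match a known_hosts host field, plain ('github.com,140.82.112.3') or hashed ('|1|salt|hmac')."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in entry_host.split(",")


def pinned_fingerprint(known_hosts: str, hostname: str, key_type: str = "ssh-rsa"):
    """Fingerprint of the key pinned for hostname in known_hosts text (what ssh-keygen -F reports), or None."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[1] == key_type and host_matches(fields[0], hostname):
            return fingerprint_sha256(base64.b64decode(fields[2]))
    return None


def classify(pinned, published: str, presented: str) -> str:
    """Interpret the fingerprints: pinned (known_hosts), published (vendor docs), presented (server)."""
    if pinned is None:
        return "unknown host: compare presented against published before accepting"
    if presented == pinned == published:
        return "ok"
    if presented == published:
        return "stale known_hosts entry: server rotated its key; refresh the pinned entry"
    if pinned == published:
        return "interception suspected: presented key matches neither known_hosts nor published value"
    return "inconsistent: re-check the published fingerprint out of band"


# Constructed sample data (NOT GitHub's real key): an ssh-rsa wire blob with tiny parameters.
def _ssh_str(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

SAMPLE_BLOB = _ssh_str(b"ssh-rsa") + _ssh_str(b"\x01\x00\x01") + _ssh_str(b"\x00\xc3\x5a\x9f")
SAMPLE_KNOWN_HOSTS = "github.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
PUBLISHED = fingerprint_sha256(SAMPLE_BLOB)          # stands in for the fingerprint on GitHub's help page
PRESENTED = fingerprint_sha256(SAMPLE_BLOB + b"x")   # a different key offered on the coffee-shop network
```

With the sample data, `classify(pinned_fingerprint(SAMPLE_KNOWN_HOSTS, "github.com"), PUBLISHED, PRESENTED)` reproduces the question's situation: the pinned and published fingerprints agree and the presented one differs.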

1 Answer


Yes, what you are seeing is very likely a man-in-the-middle attack. Without more information on your exact situation, all that we can tell from what you've said is that this specific hotspot is intercepting your SSH connections and presenting you with a different fingerprint. I suggest you try connecting to other SSH servers that you have already trusted fingerprints for (but not completing the connection, for obvious reasons) and seeing if the same behavior occurs.

> I'm taking for granted that I shouldn't attempt to bypass the normal ssh protections. If they're really inconvenient I guess I should just use a VPN or my own hotspot?

Yes, either use an end-to-end encrypted VPN (OpenVPN and IPsec are both good protocols for this), or your own Wi-Fi hotspot, encrypted using WPA2-CCMP with a strong password. You don't need to buy an expensive commercial VPN for this. You could configure your router to act as a VPN server and connect to it from the public Wi-Fi, ensuring that you are always using your home ISP's network.

> Should I treat that wifi network as suspect in other ways? Should I trust that my (https) web is secure?

Consider it to be compromised. You can generally trust websites using HTTPS because their certificates are signed using a trusted Certificate Authority, but an attacker on the network will be able to tell what website you are visiting and would be able to tamper with any unencrypted or weakly encrypted connections. They may also be able to exploit unauthenticated automatic updates as well.

> Is this a problem that I should ask/expect the business owner to fix?

It might be worthwhile alerting them, but remember that they most likely don't even know what SSH is, much less what to do about a potential MITM attacker. It's not like the business owner can do anything about it anyway, even if they are tech-savvy. Even if they are not using open Wi-Fi and have set a strong password, anyone who has that password can treat the Wi-Fi as if it were completely open and unencrypted. This will change when WPA3 with its opportunistic encryption becomes standard, but until then, there's not much that can be done. It's not like you can expect them to track down the source.

forest