2

I am wondering how those RSA fingerprints work. I have a GitHub account and created an RSA key pair to set up an ssh connection. Then followed the instruction... First time I connect to my GitHub it gives me and RSA fingerprint SHA256:nThbkt6JwfF............ Ok, I am doing this for the learning process so I google what this means and try to generate a fingerprint from my RSA key - and it should match to the one from my GitHub account, right? But it does not, what I get after using : ssh-keygen -lf ~/.ssh/id_rsa is not the same its like SHA256: t6Rjff8djE........

Am I doing something wrong here in my approach to see if the fingerprint given is legitimate?

LeonSteinn
  • 21
  • 2

1 Answers1

1

SSH requires two public-private keypairs. One on server side and one on the client side. In simple therms, when you want to encrypt something going to the server you are using server public key (it is decrypted on the server side using server private key). When server sends something to you it is using your public key (you are decrypting it using your private key stored on your machine).

Server is presenting its fingerprint (not the fingerprint of your certificate). So you can validate the public key presented by the server. Usually fingerprints are cached so the ssh will not prompt you next time.

When you configure your public key on the github, you are basically telling github what key you'll be using for authentication and key exchange. Github “trust” that this key is coming from you cause you are authenticating yourself with your password to upload it. In theory only you can decrypt your data cause only you have the corresponding private key. By uploading the key you're establishing a trust relationship between your machine and the GitHub server.

If the fingerprint of the key that you have uploaded is different than the fingerprint of the key on your machine is most probably caused by:

  1. Fingerprinting wrong keys.
  2. Original key was overwritten by running generation command multiple times.
  3. Confusing fingerprint coming from the server (server fingerprint) with your own certificate fingerprint.
nethero
  • 482
  • 2
  • 6
  • 1
    +0.5: the important point is that the server's key and the user's key are separate and different. However in SSH as used in this century, i.e. SSHv2, neither one is used to encrypt. Encryption is done using an ephemeral-DH key agreement; the server key is used to _sign_ for _authentication_ always, and the user key the same when used but it has alternatives while the server does not. Also standard SSH does not use certificates, although OpenSSH has a custom and rare option. – dave_thompson_085 Aug 21 '20 at 06:04
  • You are absolutely right and it is my mistake. I'm perfectly aware of the key exchange and I'll edit my post. Moder SSH also alows for ECDHE and ECDSA as well. – nethero Aug 21 '20 at 18:34