On my client I am attempting to run:
git clone gitosis@DevServer:gitosis-admin.git
I get a warning:
The authenticity of host '10.1.1.13 (10.1.1.13)' can't be established. RSA key fingerprint is a2:c3:fd:d7:f7:75:df:dd:49:64:ce:64:cc:98:e6:2c. Are you sure you want to continue connecting (yes/no)?
It appears to be picking up the public key from:
/etc/ssh/ssh_host_rsa_key.pub
I want it to use the key located in:
/srv/gitosis/.ssh/authorized_keys
How do I get my server to hand out the correct public key?
I think you may be misinterpreting the messages from ssh. The following...
...has nothing to do with your
authorized_keys
file. You're getting this because you have never connected to the given host before, so the corresponding host is not in your inknown_hosts
file. This is perfectly normal behavior when you first connect to a remote host (because in the most common case you will not have a priori knowledge of the appropriate host key).The
authorized_keys
file is only used by the remote host to determine what ssh client connections to accept, based on the private key they present when they connect.I was able to fix this by reinitializing the admin repository with the command:
This only worked after I removed the existing repository:
Reinitializing the repository without removing it first wouldn't update the
authorized_keys
file. If you had generated a new key, you'd be stuck using the old one.So, I was searching for a mundane way to bypass the unkown host manual interaction of cloning a git repo as shown below and it should work for you as well. The fingerprint you are seeing is from the key provided by the remote host. You are getting this question/warning because the remote host does not have an entry in your known_hosts file. The below will help you understand what is happening:
Note the RSA key fingerprint...
So, this is a SSH thing, this will work for git over SSH and just SSH related things in general...
First, install nmap on your daily driver. nmap is highly helpful for certain things, like detecting open ports and this-- manually verifying SSH fingerprints. But, back to what we are doing.
Good. I'm either compromised at the multiple places and machines I've checked it-- or the more plausible explanation of everything being hunky dory is what is happening.
That 'fingerprint' is just a string shortened with a one way algorithm for our human convenience at the risk of more than one string resolving into the same fingerprint. It happens, they are called collisions.
Regardless, back to the original string which we can see in context below.
So, ahead of time, we have a way of asking for a form of identification from the original host.
At this point we manually are as vulnerable as automatically-- the strings match, we have the base data that creates the fingerprint, and we could ask for that base data (preventing collisions) in the future.
Now to use that string in a way that prevents asking about a hosts authenticity...
The known_hosts file in this case does not use plaintext entries. You'll know hashed entries when you see them, they look like hashes with random characters instead of xyz.com or 123.45.67.89.
The first comment line infuriatingly shows up-- but you can get rid of it with a simple redirect via the ">" or ">>" convention.
As I've done my best to obtain untainted data to be used to identify a "host" and trust, I will add this identification to my known_hosts file in my ~/.ssh directory. Since it will now be identified as a known host, I will not get the prompt mentioned above when you were a youngster.
Thanks for sticking with me, here you go. I'm adding the bitbucket RSA key so that I can interact with my git repositories there in a non-interactive way as part of a CI workflow, but whatever you do what you want.
So, that's how you stay a virgin for today. You can do the same with github by following similar directions on your own time.
I saw so many stack overflow posts telling you to programmatically add the key blindly without any kind of checking. The more you check the key from different machines on different networks, the more trust you can have that the host is the one it says it is-- and that is the best you can hope from this layer of security.
WRONG
ssh -oStrictHostKeyChecking=no hostname [command]WRONG
ssh-keyscan -t rsa -H hostname >> ~/.ssh/known_hostsDon't do either of the above things, please. You're given the opportunity to increase your chances of avoiding someone eavesdropping on your data transfers via a man in the middle attack-- take that opportunity. The difference is literally verifying that the RSA key you have is the one of the bona fide server and now you know how to get that information to compare them so you can trust the connection. Just remember more comparisons from different computers & networks will usually increase your ability to trust the connection.