Why do I have two known_hosts entries for github?

If I run git clone git@github.com:some-org/some-repo.git, I'm prompted with the following:

The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.

Obviously, I verify the fingerprint against the list at https://help.github.com/articles/github-s-ssh-key-fingerprints/, and respond yes:

Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.113' (RSA) to the list of known hosts.
...etc.

That results in two entries being added to my ~/.ssh/known_hosts file, both with the same key, both hashed.

If I confirm the key with ssh-keyscan github.com, the key matches.

But why do I have two entries in known_hosts, rather than one?


Solution 1:

Normally, the known_hosts file contains a list of the hostnames/IP addresses on every line. But this is not used when the hostnames are hashed (for simplification of the matching?) as described in the manual page for sshd:

Alternately, hostnames may be stored in a hashed form which hides host names and addresses should the file's contents be disclosed. Hashed hostnames start with a ‘|’ character. Only one hashed hostname may appear on a single line and none of the above negation or wildcard operators may be applied.

So to answer your question,

But why do I have two entries in known_hosts, rather than one?

One of them is github.com and the other is 192.30.253.113, exactly as you confirmed in the prompt:

Warning: Permanently added 'github.com,192.30.253.113' (RSA) to the list of known hosts.

If you turn the known hosts hashing off (there is no good reason to do that), you will get only one line such as I have:

github.com,192.30.252.128 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
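The one-name-per-hashed-line rule from the answer above, as an added example that is not part of the original answer. It relies on OpenSSH's hashed host field layout, `|1|base64(salt)|base64(HMAC-SHA1(salt, name))`. The key string is a constructed placeholder and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on a hashed host field
KEY = "ssh-rsa AAAA_CONSTRUCTED_PLACEHOLDER_KEY"  # constructed, not a real host key
NAMES = ["github.com", "192.30.253.113"]  # the two names from the prompt above


def hash_host(name, salt=None):
    """Hash one name: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def names_matching(line, candidates):
    """Return the candidate names a known_hosts line covers (exact match only)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return []
    host_field = fields[0]
    if not host_field.startswith(HASH_MAGIC):
        # Plain form: several names may share one line, separated by commas.
        return [c for c in candidates if c in host_field.split(",")]
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        want = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return []  # malformed hashed field
    # Hashed form: the digest covers exactly one name, so recompute per candidate.
    return [c for c in candidates
            if hmac.compare_digest(hmac.new(salt, c.encode(), hashlib.sha1).digest(), want)]


def hashed_entries(names, key=KEY):
    """One line per name, each with its own random salt."""
    return [f"{hash_host(n)} {key}" for n in names]


def plain_entry(names, key=KEY):
    return f"{','.join(names)} {key}"


if __name__ == "__main__":
    for line in hashed_entries(NAMES) + [plain_entry(NAMES)]:
        print(names_matching(line, NAMES), "<-", line.split()[0])
```

Each hashed line matches only the hostname or only the IP address, while the single plain line matches both.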