Continual github.com host key changes?

I recently began getting nearly continual warnings about host key mismatches in my .ssh/known_hosts file. Here’s my latest warning, probably the third or fourth just this morning:

% git pull
Warning: the ECDSA host key for 'github.com' differs from the key for the IP address '140.82.113.3'
Offending key for IP in /home/skip/.ssh/known_hosts:36
Matching host key in /home/skip/.ssh/known_hosts:40
Are you sure you want to continue connecting (yes/no)? 

I deleted the “offending” key from line 36 and repeated the attempt to pull:

% git pull
Warning: the ECDSA host key for 'github.com' differs from the key for the IP address '140.82.114.4'
Offending key for IP in /home/skip/.ssh/known_hosts:23
Matching host key in /home/skip/.ssh/known_hosts:39
Are you sure you want to continue connecting (yes/no)? 

Now delete the offending line at line 23 and have another go:

remote: Enumerating objects: 40, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 40 (delta 20), reused 24 (delta 20), pack-reused 11
Unpacking objects: 100% (40/40), 123.57 KiB | 1.60 MiB/s, done.
From github.com:python/cpython
   904af3de2b..82f1a6edfb  3.10       -> upstream/3.10
   e8d41eea7a..e88f9787ab  3.9        -> upstream/3.9
   fdcc46d955..48744db70e  main       -> upstream/main
Updating 904af3de2b..82f1a6edfb
Fast-forward
 Doc/faq/programming.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

One more time:

% git pull
Warning: the ECDSA host key for 'github.com' differs from the key for the IP address '140.82.112.3'
Offending key for IP in /home/skip/.ssh/known_hosts:27
Matching host key in /home/skip/.ssh/known_hosts:38

Am I doing something wrong? I never used to encounter such problems. What might have changed? I did add a new key to my GitHub account a few days ago for access from a Google Cloud shell. I can’t see how that would have any effect on access from my laptop. Oddly enough, GitHub tells me that the key for my laptop was added just a few weeks ago. I have 2FA enabled for my account, so I’m not too worried about a break-in, but maybe I should delete both my keys and add new ones?

The message is about the host key the GitHub server authenticates with, not yours, so it’s definitely not about you adding a new key. I don’t know why your known_hosts file would contain multiple entries for GitHub, maybe changing IPs?

Either way, the important part is that the actual host key is correct; see GitHub's SSH key fingerprints - GitHub Docs. If it’s not one of those, something is messing with your connection. If the key is correct, it’s probably just something weird in your configuration.

You can try getting more information (including the key fingerprints) by trying SSH connections in verbose mode:

ssh -vT git@github.com

Thanks, yeah I was just tossing out anything I could think of which might have changed. Now that I posted this question things seem to have settled down. I’ve successfully pulled from the repo a few times without any complaints. I guess I’m good…


That link mentions a key that was discontinued in Nov 16; that might explain the weird issue that was eventually resolved by clearing the entries. And you’ll notice the warning is for different IP addresses. So it’s likely you had an entry for github.com itself, and an entry for each of the IPs you used to access it before - maybe you missed one of them when you cleared the relevant entries.

You could run ssh-keyscan github.com | ssh-keygen -l -f - if you just want to check the fingerprints in a nice format and verify they match the link posted above.
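An added example, not part of the thread or written by any poster: a Python sketch that finds every per-IP known_hosts line whose key differs from the key stored for github.com, so leftover entries can be cleared in one pass instead of one warning at a time. It assumes the standard known_hosts layout, including hashed host fields (`|1|salt|hash`); the function names are hypothetical and the key blobs in the sample are constructed placeholders, not real GitHub keys.

```python
import base64, hashlib, hmac

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_field(name, salt):
    """Build a HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern, name):
    """True if one host field (plain or hashed) names `name`."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(pattern, hashed_field(name, salt))
    return pattern == name

def stale_entries(text, host, addresses):
    """Lines stored for an address whose key differs from the key stored for `host`."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3 and not line.startswith(("#", "@")):  # skip comments/markers
            entries.append((no, fields[0].split(","), fields[1], fields[2]))
    trusted = {ktype: blob for _, pats, ktype, blob in entries
               if any(host_matches(p, host) for p in pats)}
    return [(no, addr, ktype, fingerprint(blob))
            for no, pats, ktype, blob in entries for addr in addresses
            if any(host_matches(p, addr) for p in pats)
            and ktype in trusted and blob != trusted[ktype]]

# Constructed sample: placeholder key blobs, not real GitHub keys.
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed current host key").decode()
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    hashed_field("140.82.113.3", b"constructed-salt-20b") + " ecdsa-sha2-nistp256 " + OLD,
    "140.82.114.4 ecdsa-sha2-nistp256 " + OLD,
    "140.82.112.3 ecdsa-sha2-nistp256 " + NEW,
    "github.com ecdsa-sha2-nistp256 " + NEW,
])

if __name__ == "__main__":
    ips = ["140.82.113.3", "140.82.114.4", "140.82.112.3"]
    for no, addr, ktype, fp in stale_entries(SAMPLE, "github.com", ips):
        print(f"line {no}: {addr} {ktype} {fp} differs from github.com entry")
```

Before removing anything it reports (for example with `ssh-keygen -R <address>`), compare the fingerprint of the github.com entry itself against GitHub's published fingerprints.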