Git will not accept my password

My git broke today somehow. Tried to push to a repo I’ve been working on just fine for weeks, and suddenly got a “REMOTE HOST IDENTIFICATION HAS CHANGED!” message.
I’m a new user and the forum thinks i’m posting spam links I guess, so from now on below, I will use “githubcom”, just pretend there is a period before “com”.

I did:

ssh-keygen -R githubcom

It did a thing, then I tried to push again and get:

The authenticity of host ‘githubcom (’ can’t be established.
ECDSA key fingerprint is SHA256:lepP9TaVzAR5aUTBvGePsIAknE4SuZTUlJyc8BgtqUU.
Are you sure you want to continue connecting (yes/no)?

I typed yes and got:

Warning: Permanently added ‘githubcom,’ (ECDSA) to the list of known hosts.
git@githubcom’s password:

But it won’t accept my password.

And now whenever I try to push or pull any repo, it asks for “git@githubcom’s password:”. I’ve tried every password I know, and nothing works.
If I type my password in 3 times it says “git@githubcom: Permission denied (publickey,password).”
I’ve reset my github password 3 times.
I’ve removed git from Windows Credential Manager.
I’ve generated and added a new SSH key to github.
I downloaded git for windows. Added the new key to ssh-agent.
Same issue with ssh -T git@githubcom and ssh -vT git@githubcom
I also tried creating a personal access token, but that didn’t work either.

I have no idea how this happened and now I’m stuck and can’t work.

:wave: Welcome!

I think that it looks as though it’s looking for the password you set on your SSH key as opposed to your GitHub password.

1 Like

This looks bad. That key fingerprint is not one of those that Github publishes for their SSH host keys. Unless a Github staff member here can provide an update to the documentation, we can say that whatever SSH server is answering there is NOT actually Github.

I don’t know why that is, possible reasons range from “whoops” (like misconfiguration in your network, or a DNS caching issue in case Github changed IPs) to downright evil (MITM attack). :confused:

Unless you can pinpoint a reason you should consider any password/token you entered compromised and change them.

Unfortunately not, that’s a login prompt. Which together with the unknown fingerprint leads to a worrying conclusion.

1 Like

That was at my office. When I got home, I tried again and got the warning again but this time it showed the correct fingerprint that github says it should be. So I did ssh-keygen -R, etc. again and continued to add to known hosts and everything worked as normal, never got asked for any password.

I’m back at the office now and of course got the warning again, and again with the wrong fingerprint. (I’m not going to accept it this time.) I’ve contacted the guy who runs all the server stuff to see what he thinks.

That is a valid github IP, but it’s different than what I had saved before all this mess. (That was also a valid github IP.) I don’t know if that means anything.

1 Like

Huh, with that context I wonder if they recently installed one of those misguided “security” appliances that try to intercept (effectively MITM) everyone’s encrypted connections… As if having everyone’s secrets (including passwords, 2FA tokens, and what not) easily accessible in one place would somehow improve security. I can’t say for sure, of course, but I wouldn’t be surprised. Probably either that or the office router got hacked. :slightly_smiling_face: