
SSH: The authenticity of host can't be established

By John Peck

What does this message mean? Is this a potential problem? Is the channel not secure?

Or is this simply a default message that is always displayed when connecting to a new server?

I am used to seeing this message when using SSH in the past: I always entered my login with a password the normal way, and I felt fine about it because I wasn't making use of private/public keys (which is much more secure than a short password). But this time I have set up a public key with ssh for my connection to bitbucket but I still got the message. I am aware that the passphrase prompt at the end is a different, supplementary security measure, for the decryption of the private key.

I'm hoping somebody can give a nice explanation for what is meant by this "authenticity can't be established" message.

The authenticity of host 'bitbucket.org (207.223.240.181)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bitbucket.org,207.223.240.181' (RSA) to the list of
known hosts.
Enter passphrase for key '/c/Users/Steven/.ssh/id_rsa':
1

7 Answers

It's telling you that you've never connected to this server before. If you were expecting that, it's perfectly normal. If you're paranoid, verify the checksum/fingerprint of the key using an alternate channel. (But note that someone who can redirect your ssh connection can also redirect a web browser session.)

If you've connected to this server before from this install of ssh, then either the server has been reconfigured with a new key, or someone is spoofing the server's identity. Due to the seriousness of a man-in-the-middle attack, it's warning you about the possibility.

Either way, you have a secure encrypted channel to somebody. No one without the private key corresponding to fingerprint 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 can decode what you send.

The key you use to authenticate yourself is unrelated... you wouldn't want to send authentication information to a fraudulent server who might steal it, and so you should not expect any changes depending on whether you're going to use a passphrase or private key to login. You simply haven't gotten that far in the process yet.

7

Let us say you meet someone to exchange some business secrets. Your advisor tells you that you have never met that person before, and that it could be an impostor. Furthermore, for the next meetings with him, your advisor is not going to warn you anymore. That is what the message means. The person is the remote server, and your advisor is the ssh client.

I don't think it is paranoid to double-check the identity of the person before sharing secrets with her. For instance you could open a web page with a picture of her and compare it with the face in front of you. Or check her identity card.

For the bitbucket server, you could use a different, more trusted computer and get the picture of its face from it, and then compare it with the one you get in the computer you are using now. Use:

 ssh-keyscan -t rsa bitbucket.org | ssh-keygen -lv -f -

If the faces match, you can add the key to the file e.g. ~/.ssh/known_hosts (standard location in many Linux distributions) with:

ssh-keyscan -t rsa -H bitbucket.org >> ~/.ssh/known_hosts

and the ssh client will not warn you as it already knows her face. It will compare the faces anytime you connect. That is very important. In the case of an impostor (e.g. a man-in-the-middle attack), the ssh client will reject the connection because the face will have changed.

7
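As an added example that is not part of the answer above: the "compare the faces" step can be done directly on the key blob that `ssh-keyscan` prints or that is stored in `~/.ssh/known_hosts`, without relying on `ssh-keygen`. The Python below is my code, not from this post. It computes both fingerprint formats OpenSSH shows (the MD5 colon-hex form in the question, and the SHA256 form that newer clients print by default), compares them with a fingerprint obtained over a trusted channel, and also resolves the hashed `|1|salt|hash|` host fields that `HashKnownHosts yes` writes, so you can tell which entry belongs to which server. The RSA key and the salt are constructed for the demo; they are not Bitbucket's.

```python
# Added example: verify an SSH host key against a fingerprint obtained out of band.
# Not code from the original post; the RSA key and the HashKnownHosts salt below
# are constructed for the demo and are not Bitbucket's.
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Public key blob as it appears base64-encoded in known_hosts: "ssh-rsa", e, n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form shown in the question (ssh-keygen -l -E md5): 97:8c:1b:... style."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Modern form (ssh-keygen -l default): SHA256:<base64 without '=' padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_key_line(line: str):
    """Split a known_hosts / ssh-keyscan line into (host field, key type, decoded blob)."""
    host_field, key_type, b64 = line.split()[:3]
    return host_field, key_type, base64.b64decode(b64)


def verify_host_key(line: str, expected_fp: str) -> bool:
    """True when the key on `line` matches the fingerprint from the trusted channel."""
    _, _, blob = parse_key_line(line)
    expected = expected_fp.strip()
    if expected.upper().startswith("SHA256:"):
        return hmac.compare_digest(expected, fingerprint_sha256(blob))
    expected = expected.lower().removeprefix("md5:")   # MD5 hex is case-insensitive
    return hmac.compare_digest(expected, fingerprint_md5(blob))


def make_hashed_host(hostname: str, salt: bytes) -> str:
    """Host field written by HashKnownHosts yes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))|."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Does this known_hosts host field (plain comma list or hashed) refer to `hostname`?"""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")
    _, _, salt_b64, mac_b64, _ = host_field.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


# Constructed demo key: a toy modulus, NOT a usable RSA key.
DEMO_BLOB = build_rsa_blob(65537, 0xC0FFEEDEADBEEF0BADF00DFEEDFACE)
DEMO_LINE = "bitbucket.org ssh-rsa " + base64.b64encode(DEMO_BLOB).decode()

if __name__ == "__main__":
    print("MD5:   ", fingerprint_md5(DEMO_BLOB))
    print("SHA256:", fingerprint_sha256(DEMO_BLOB))
    trusted = fingerprint_sha256(DEMO_BLOB)        # stands in for the out-of-band value
    print("key matches trusted fingerprint:", verify_host_key(DEMO_LINE, trusted))
    entry = make_hashed_host("bitbucket.org", b"0123456789abcdefghij")
    print(entry, "is bitbucket.org:", host_matches(entry, "bitbucket.org"))
```

To use it on a real server, paste the line that `ssh-keyscan -t rsa bitbucket.org` prints in place of `DEMO_LINE` and the fingerprint from the trusted machine in place of `trusted`; the comparison is constant-time so a partially matching fingerprint leaks nothing, and a hashed `known_hosts` entry can be attributed to a hostname without ever storing the name in clear.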

There is another easy way. Simply touch a config file under /root/.ssh and add the parameter

StrictHostKeyChecking no

Next time when you log in to a server, the RSA key will be added to known_hosts and it won't ask for "yes" for authenticity confirmation.

1
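An added example, not from the answer above: `StrictHostKeyChecking` accepts more than `yes` and `no`. `ask` is the default that produces the prompt in the question; `accept-new` (OpenSSH 7.6 and later) records a never-seen key silently, like `no`, but still refuses a key that has changed, which is exactly the man-in-the-middle case the first answer describes; `no` (or `off`) also proceeds when the key has changed. The Python below is my code, with a constructed sample config: it reports every weak setting together with the `Host` block it applies to, and rewrites those settings to `accept-new`, which removes the prompt without giving up changed-key detection.

```python
# Added example: find and fix StrictHostKeyChecking no/off in an ssh_config.
# Not code from the original answer; SAMPLE_CONFIG is constructed for the demo.
import re

WEAK_VALUES = {"no", "off"}
RECOMMENDED = "accept-new"          # OpenSSH 7.6+: no prompt for new hosts, changed keys still rejected

SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config
Host bitbucket.org
    IdentityFile ~/.ssh/id_rsa
    StrictHostKeyChecking no      # added to silence the prompt

Host lab-*
    StrictHostKeyChecking ask
"""


def audit_strict_host_key_checking(config_text: str) -> list:
    """Return (line_no, host_pattern, value) for every StrictHostKeyChecking no/off.

    ssh_config allows "Key value" or "Key=value"; keys are case-insensitive and
    '#' starts a comment. Directives before the first Host/Match apply to every host.
    """
    findings = []
    host = "*"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            host = value
        elif key == "stricthostkeychecking" and value.lower() in WEAK_VALUES:
            findings.append((line_no, host, value))
    return findings


def harden(config_text: str) -> str:
    """Rewrite weak StrictHostKeyChecking values to accept-new, leaving everything else untouched."""
    weak = re.compile(r"^(\s*stricthostkeychecking\s*=?\s*)(no|off)\b", re.IGNORECASE)
    fixed = [weak.sub(lambda m: m.group(1) + RECOMMENDED, raw) for raw in config_text.splitlines()]
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for line_no, host, value in audit_strict_host_key_checking(SAMPLE_CONFIG):
        print(f"line {line_no}: Host {host!r} sets StrictHostKeyChecking {value}")
    print(harden(SAMPLE_CONFIG))
```

Run it against your own file with `audit_strict_host_key_checking(open(os.path.expanduser("~/.ssh/config")).read())`; a finding for host `*` means the weak value is global, not limited to one server.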

I simply had to create the known_hosts text file in ~/.ssh

sudo vim ~/.ssh/known_hosts
sudo chmod 777 ~/.ssh/known_hosts

After doing this, it added the host and I never saw the message again.

6

This message is just SSH telling you that it's never seen this particular host key before, so it isn't able to truly verify that you're connecting to the host you think you are. When you say "Yes" it puts the ssh key into your known_hosts file, and then on subsequent connections will compare the key it gets from the host to the one in the known_hosts file.

There was a related article on Stack Overflow showing how to disable this warning.

1

Apart from the answers already given (you never connected to this host before), there is also the distinct possibility that you never connected FROM the current host before (to that host); this is only psychologically different; you think you are connecting from host A (to B), while really you are trying to connect from host X (to B). This can for example happen when you first ssh-ed from A to X and then from the same terminal try to ssh to B thinking you're still on A.

1

In my case passwordless login was not working because of my home directory permissions, since I had changed the default settings. Finally, here is what worked for me. My home directory permissions are

/home/username

drwxr----x. 18 username groupname 4096 May 11 11:52 username

/home/username/.ssh

268823097 drwx------ 2 username groupname 29 May 11 11:53 .ssh

/home/username/.ssh/authorized_keys

-rw-r----- 1 username groupname 402 May 11 11:53 authorized_keys
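An added example, not from the answer above: sshd's `StrictModes` setting (on by default) refuses `authorized_keys` when the file, `~/.ssh`, or the home directory is writable by group or others, or owned by someone other than the user or root; sshd also reads the file as the user, so the user needs execute permission on both directories and read permission on the file. That is why the modes in the answer work (`drwxr----x`, `drwx------`, `-rw-r-----`). The Python below is my code: it builds a throwaway home directory with modes of your choosing and audits it with the same rules, so you can see which mode change broke the login.

```python
# Added example: audit the home / ~/.ssh / authorized_keys modes that sshd's StrictModes
# setting (default yes) enforces. Not code from the original answer; the directory tree
# it checks is a temporary one built here with constructed contents.
import os
import stat
import tempfile


def _check(path: str, uid: int, owner_bits: int) -> list:
    """One path: owned by the user or root, not group/world-writable, owner has `owner_bits`."""
    st = os.stat(path)
    problems = []
    if st.st_uid not in (uid, 0):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group- or world-writable ({stat.filemode(st.st_mode)})")
    if (st.st_mode & owner_bits) != owner_bits:
        problems.append(f"{path}: owner cannot use it ({stat.filemode(st.st_mode)})")
    return problems


def audit_authorized_keys(home: str, uid: int = None) -> list:
    """Return a list of problems; an empty list means sshd would accept the key file.

    sshd walks from authorized_keys up to and including the home directory and
    rejects the file if any component is group/world-writable or owned by someone
    other than the user or root; it needs x on the directories and r on the file.
    """
    uid = os.getuid() if uid is None else uid
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    return (_check(home, uid, stat.S_IXUSR)
            + _check(ssh_dir, uid, stat.S_IXUSR)
            + _check(keys, uid, stat.S_IRUSR))


def make_demo_home(home_mode: int, ssh_mode: int, keys_mode: int) -> str:
    """Build a throwaway home directory tree with the given modes (constructed data)."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as fh:
        fh.write("ssh-rsa AAAA-constructed-placeholder-not-a-real-key\n")
    os.chmod(keys, keys_mode)
    os.chmod(ssh_dir, ssh_mode)
    os.chmod(home, home_mode)      # last, so the children could be created first
    return home


if __name__ == "__main__":
    # The modes from the answer above: drwxr----x, drwx------, -rw-r-----
    print("answer's modes:", audit_authorized_keys(make_demo_home(0o741, 0o700, 0o640)) or "ok")
    # A common way passwordless login silently stops working: a world-writable home
    print("777 home:", audit_authorized_keys(make_demo_home(0o777, 0o700, 0o600)))
```

Point `audit_authorized_keys` at a real home directory (with the account's uid) to check it in place; when it reports nothing but key login still fails, the cause is elsewhere, and `sshd -d` or the server's auth log will name it.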
