`cargo update` demands ecdsa key for github.com

Recently, my cargo update has started throwing errors about an unknown SSH host key for github.com, demanding that the ecdsa key be added to ~/.ssh/known_hosts:

$ cargo update
    Updating crates.io index
error: failed to get `anyhow` as a dependency of package `electrs v0.9.13 (/home/intelfx/devel/ext/electrs)`

Caused by:
  failed to load source for dependency `anyhow`

Caused by:
  Unable to update registry `crates-io`

Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  error: unknown SSH host key
  The SSH host key for `github.com` is not known and cannot be validated.

  To resolve this issue, add the host key to the `net.ssh.known-hosts` array in your Cargo configuration (such as /home/intelfx/.cargo/config) or in your OpenSSH known_hosts file at /home/intelfx/.ssh/known_hosts

  The key to add is:

  github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

  The ECDSA key fingerprint is: SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM
  This fingerprint should be validated with the server administrator that it is correct.

  See https://doc.rust-lang.org/stable/cargo/appendix/git-authentication.html#ssh-known-hosts for more information.

However, I have the up-to-date rsa and ed25519 keys in my known_hosts already:

$ grep github.com ~/.ssh/known_hosts
github.com ssh-rsa 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
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl

Even more so, if I add the ecdsa key to known_hosts manually, it gets automatically deleted by the OpenSSH client:

$ grep github.com ~/.ssh/known_hosts | grep ecdsa
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

$ ssh -oUpdateHostKeys=ask git@github.com
The server has updated its host keys.
These changes were verified by the server's existing trusted key.
Deprecating obsolete hostkey: ECDSA SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM
Accept updated hostkeys? (yes/no): yes
PTY allocation request failed on channel 0
Hi intelfx! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

$ grep github.com ~/.ssh/known_hosts | grep ecdsa

$

Even weirder, only two of the three machines I use exhibit this behavior. To the best of my ability, I could not find any difference in versions or configuration between these. (On the working machine, known_hosts only has the ed25519 key.)

Any clues? Why is cargo update demanding to use the ecdsa key?
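An added example, not part of the original post and not Cargo's own code: it recomputes the OpenSSH-style fingerprint of the key line printed in the error above, checks that the line's key type field agrees with the type embedded in the key blob, and lists which key types a known_hosts file already holds for the host. The function names and the sample known_hosts content are constructed for illustration; only exact, unhashed host names are matched.

```python
import base64
import hashlib

# Key line and fingerprint exactly as printed in the cargo error quoted above.
OFFERED = ("github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=")
PRINTED_FP = "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"

# Constructed known_hosts content (the ed25519 line is the one shown in the post).
SAMPLE_KNOWN_HOSTS = """\
# constructed sample file
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
"""

def parse_line(line):
    """Return (marker, hosts, key_type, blob), or None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Optional leading marker such as @revoked or @cert-authority.
    marker = fields.pop(0) if fields[0].startswith("@") else None
    if len(fields) < 3:
        raise ValueError("truncated known_hosts line")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a 4-byte big-endian length and the key type name;
    # a mismatch with the text field means the line was edited or corrupted.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type field does not match key blob")
    return marker, hosts.split(","), key_type, blob

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def trusted_key_types(host, known_hosts_text):
    """Key types stored for an exact, unhashed host name, ignoring marked lines."""
    types = set()
    for line in known_hosts_text.splitlines():
        entry = parse_line(line)
        if entry and entry[0] is None and host in entry[1]:
            types.add(entry[2])
    return sorted(types)

def review_offered_key(offered_line, printed_fp, known_hosts_text):
    """Compare an offered key line with the printed fingerprint and the file."""
    _, hosts, key_type, blob = parse_line(offered_line)
    return {"fingerprint_matches": fingerprint(blob) == printed_fp,
            "type_already_trusted": key_type in trusted_key_types(hosts[0], known_hosts_text)}

if __name__ == "__main__":
    print(review_offered_key(OFFERED, PRINTED_FP, SAMPLE_KNOWN_HOSTS))
```

A matching fingerprint only shows that the key line and the printed fingerprint agree with each other; the fingerprint still has to be compared against the ones GitHub publishes before the line is added anywhere.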

You need to update Rust to 1.68.2:

because GitHub recently changed its host key:

My rust and cargo are 1.68.2 on all three machines:

$ rustc --version
rustc 1.68.2 (9eb3afe9e 2023-03-27) (Arch Linux rust 1:1.68.2-1)

$ cargo --version
cargo 1.68.2

Additionally, I don't have the revoked key in my known_hosts anyway.

Does enabling/disabling net.git-fetch-with-cli help?

https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli

Yes, it surely does, the system git binary works as intended. I'd really like to understand the root cause though (and, more importantly, why the problem only manifests in two of the three cases).

I'm not sure why Cargo itself behaves so weirdly. It uses libgit2, which uses libssh2, so this could be an issue in those libraries, or the way Cargo integrates with them. It looks like a bug, so probably file an issue in Cargo's GitHub.
