Since recently, my cargo update
has started throwing errors about unknown ssh host key for github.com, demanding that the ecdsa key be added to ~/.ssh/known_hosts
:
$ cargo update
Updating crates.io index
error: failed to get `anyhow` as a dependency of package `electrs v0.9.13 (/home/intelfx/devel/ext/electrs)`
Caused by:
failed to load source for dependency `anyhow`
Caused by:
Unable to update registry `crates-io`
Caused by:
failed to fetch `https://github.com/rust-lang/crates.io-index`
Caused by:
error: unknown SSH host key
The SSH host key for `github.com` is not known and cannot be validated.
To resolve this issue, add the host key to the `net.ssh.known-hosts` array in your Cargo configuration (such as /home/intelfx/.cargo/config) or in your OpenSSH known_hosts file at /home/intelfx/.ssh/known_hosts
The key to add is:
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
The ECDSA key fingerprint is: SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM
This fingerprint should be validated with the server administrator that it is correct.
See https://doc.rust-lang.org/stable/cargo/appendix/git-authentication.html#ssh-known-hosts for more information.
However, I have the up-to-date rsa and ed25519 keys in my known_hosts already:
$ grep github.com ~/.ssh/known_hosts
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
Even more so, if I add the ecdsa key to known_hosts manually, it will get automatically deleted by openssh client:
$ grep github.com ~/.ssh/known_hosts | grep ecdsa
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
$ ssh -oUpdateHostKeys=ask git@github.com
The server has updated its host keys.
These changes were verified by the server's existing trusted key.
Deprecating obsolete hostkey: ECDSA SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM
Accept updated hostkeys? (yes/no): yes
PTY allocation request failed on channel 0
Hi intelfx! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$ grep github.com ~/.ssh/known_hosts | grep ecdsa
$
Even weirder, only two of the three machines I use exhibit this behavior. To the best of my ability, I could not find any difference in versions or configuration between these. (On the working machine, known_hosts only has the ed25519 key.)
Any clues? Why is cargo update
demanding to use the ecdsa key?