When cloning repositories from firstname.lastname@example.org, a warning is printed that the authenticity of the host cannot be established (as is usual for the first connection), and a manual fingerprint check must be performed to establish authenticity to prevent a man-in-the-middle attack. The returned ECDSA key fingerprint is
However, the fingerprint displayed on
SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms, which clearly doesn’t match.
This means that there is either a misconfiguration/out of date webpage, or a MITM attack, and as such this mismatch may pose a security threat. Could you verify if this issue occurs on your machines as well?
Example log with
$ ssh ssh.gitlab.gnome.org
The authenticity of host 'ssh.gitlab.gnome.org (18.104.22.168)' can't be established.
ECDSA key fingerprint is SHA256:TiA9po6nO6jFso7wQNy4xLlth10lIfjv1dxuDabVIqw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? _
SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms < Does not match.
gitlab.com, which does not have this issue:
$ ssh ssh gitlab.com
The authenticity of host 'gitlab.com (22.214.171.124)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? _
SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw < Matches.
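The manual check described in the report, compare the fingerprint OpenSSH prints against the one published out of band, can be scripted so the comparison is not done by eye. The following is an added example, not code from the original post or from GitLab or GNOME: it parses a host key line in `ssh-keyscan` or `authorized_keys` format, computes the `SHA256:` fingerprint the way OpenSSH does (base64 of the SHA-256 digest of the raw key blob, padding stripped), and compares it in constant time against an expected value. The sample key blob and the `example.invalid` host name are constructed for the example; the two fingerprint pairs are the values quoted in the post above.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprints quoted in the report: what ssh printed vs. what the web page documents.
OBSERVED_GNOME = "SHA256:TiA9po6nO6jFso7wQNy4xLlth10lIfjv1dxuDabVIqw"
DOCUMENTED_GNOME = "SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms"
OBSERVED_GITLAB_COM = "SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw"
DOCUMENTED_GITLAB_COM = "SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw"


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_sample_ed25519_blob():
    """Constructed sample key blob (not a real key): a syntactically valid
    ssh-ed25519 public key whose 32-byte point is just 0x00..0x1f."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))


# Constructed ssh-keyscan style line: "<host> <keytype> <base64 blob>".
SAMPLE_KEYSCAN_LINE = "example.invalid ssh-ed25519 " + base64.b64encode(
    build_sample_ed25519_blob()
).decode()


def parse_host_key_line(line):
    """Return (key_type, raw_blob) from a keyscan or authorized_keys style line.

    Also verifies that the key type named in the text field matches the type
    embedded inside the blob, so a line that was tampered with or truncated
    fails loudly instead of yielding a fingerprint for the wrong material.
    """
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            if i + 1 >= len(fields):
                raise ValueError("key type present but base64 blob missing")
            key_type, b64 = field, fields[i + 1]
            break
    else:
        raise ValueError("no SSH key type field found in line")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", raw[:4])
    embedded_type = raw[4:4 + type_len].decode("ascii", errors="replace")
    if embedded_type != key_type:
        raise ValueError(f"key type mismatch: field says {key_type}, blob says {embedded_type}")
    return key_type, raw


def sha256_fingerprint(raw_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(raw_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_line(line):
    """Convenience wrapper: fingerprint of the key carried by a host key line."""
    _, raw = parse_host_key_line(line)
    return sha256_fingerprint(raw)


def fingerprint_matches(observed, expected):
    """Constant-time comparison of two fingerprint strings."""
    return hmac.compare_digest(observed.encode(), expected.encode())


if __name__ == "__main__":
    print("sample key fingerprint:", fingerprint_of_line(SAMPLE_KEYSCAN_LINE))
    print("ssh.gitlab.gnome.org matches documented value:",
          fingerprint_matches(OBSERVED_GNOME, DOCUMENTED_GNOME))
    print("gitlab.com matches documented value:",
          fingerprint_matches(OBSERVED_GITLAB_COM, DOCUMENTED_GITLAB_COM))
```

In practice the input line comes from `ssh-keyscan -t ed25519 <host>` (or from the server's published `authorized_keys`-style key), and the expected fingerprint from the operator's documentation page; a mismatch like the one in the report should stop the clone rather than be answered with "yes" at the prompt. When the key type on the documentation page differs from the one the server offers first, compare the same key type on both sides before concluding there is a mismatch.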