Dear administrators,
When cloning repositories from git@git.gitlab.gnome.org, a warning is printed that the authenticity of the host cannot be established (as is usual for the first connection), and a manual fingerprint check must be performed to establish authenticity to prevent a man-in-the-middle attack. The returned ECDSA key fingerprint is SHA256:TiA9po6nO6jFso7wQNy4xLlth10lIfjv1dxuDabVIqw.
However, the fingerprint displayed on https://gitlab.gnome.org/help/instance_configuration reads SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms, which clearly doesn’t match.
This means that there is either a misconfiguration/out-of-date webpage, or a MITM attack, and as such this mismatch may pose a security threat. Could you verify if this issue occurs on your machines as well?
Example log with ssh on gitlab.gnome.org:
$ ssh ssh.gitlab.gnome.org
The authenticity of host 'ssh.gitlab.gnome.org (8.43.85.27)' can't be established.
ECDSA key fingerprint is SHA256:TiA9po6nO6jFso7wQNy4xLlth10lIfjv1dxuDabVIqw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? _
https://gitlab.gnome.org/help/instance_configuration: SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms
< Does not match.
Example with gitlab.com, which does not have this issue:
$ ssh gitlab.com
The authenticity of host 'gitlab.com (172.65.251.78)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? _
https://gitlab.com/help/instance_configuration: SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
< Matches.
Thanks,
Anashe
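
The manual check described in the post above, as an added example that is not part of the original post or of GNOME's tooling: it recomputes the OpenSSH SHA256 fingerprint from an ssh-keyscan-style line and compares it with the published value for the same key type. It goes slightly beyond the post by keying the comparison on key type, since a server presents a different fingerprint for each host key algorithm. The sample key is constructed, and fingerprint and check_host are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def fingerprint(pubkey_line: str) -> tuple[str, str]:
    """Return (key type, SHA256 fingerprint) for one ssh-keyscan/known_hosts line."""
    fields = pubkey_line.split()
    # Layout is "host keytype base64blob [comment]".
    key_type, blob = fields[1], base64.b64decode(fields[2], validate=True)
    # The blob starts with its own key type; reject lines where the two disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 with the '=' padding removed.
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(scan_output: str, published: dict[str, str]) -> dict[str, bool]:
    """Compare every scanned host key with the published value for the same key type."""
    results = {}
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key_type, fp = fingerprint(line)
        expected = published.get(key_type, "")
        results[key_type] = hmac.compare_digest(fp, expected)
    return results


# Constructed sample key (not a real host key): an ECDSA blob with filler point bytes.
SAMPLE_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
               + _ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_LINE = "host.example ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    _, fp = fingerprint(SAMPLE_LINE)
    print(check_host(SAMPLE_LINE, {"ecdsa-sha2-nistp256": fp}))
    # Published value quoted in the post above; the constructed key cannot match it.
    print(check_host(SAMPLE_LINE, {"ecdsa-sha2-nistp256":
                                   "SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms"}))
```

A key type that has no published entry is reported as False rather than skipped, so an unexpected host key is not silently accepted.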