[robbat2]

Start protecting yourself from a potential MITM better, mark the key as revoked. Hopefully distributions & OpenSSH upstream can start shipping this by default.

(sorry, the comments are mangling this, clean version at https://gist.github.com/robbat2/b456f09b7799f4dafe24115095b8...)

``` # You might need to insert this in a slightly different place cat >>/etc/ssh/ssh_config <<EOF Host * RevokedHostKeys /etc/ssh/ssh_revoked_hosts EOF

cat >>/etc/ssh/ssh_revoked_hosts <<EOF # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-k... ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF ```

[ollien]

Just in case anyone is paranoid that this comment has the right key, you can generate a fingerprint with

    $ ssh-keygen -lf github.old.pub
    2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 no comment (RSA)

and you'll notice that fingerprint is on this archived page

https://web.archive.org/web/20230320230907/https://docs.gith...

(please check my work on your own machines and don't take my attestation on faith!)

[e12e]

Thank you - TIL about ssh key revocation (I was aware of them, but haven't really used them).

I expanded on your gist:

https://gist.github.com/e12e/0c1868479c0b8d0a52914d44be66d76...

[LeonM]

You can do verbatim formatting on HN by placing 4 spaces. See https://news.ycombinator.com/formatdoc

Thanks for the gist though, seems helpful!

[bravetraveler]

Anyone finding the same thing I am?

RevokedHostKeys doesn't accept ~ for your home directory... while things like ControlPath will.

I'd rather confine this to my account, but I either have to use a relative path that doesn't always work... or a fully qualified path that includes my username (and may change)