SSH: The authenticity of host can’t be established

encryptionSecurityssh

What does this message mean? Is this a potential problem? Is the channel not secure?

Or is this simply a default message that is always displayed when connecting to a new server?

I am used to seeing this message when using SSH in the past: I always entered my login with a password the normal way, and I felt fine about it because I wasn't making use of private/public keys (which is much more secure than a short password). But this time I have set up a public key with ssh for my connection to bitbucket but I still got the message. I am aware that the passphrase prompt at the end is a different, supplementary security measure, for the decryption of the private key.

I'm hoping somebody can give a nice explanation for what is meant by this "authenticity can't be established" message.

The authenticity of host 'bitbucket.org (207.223.240.181)' can't be established.

RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bitbucket.org,207.223.240.181' (RSA) to the list of
known hosts.
Enter passphrase for key '/c/Users/Steven/.ssh/id_rsa':

Best Answer

It's telling you that you've never connected to this server before. If you were expecting that, it's perfectly normal. If you're paranoid, verify the checksum/fingerprint of the key using an alternate channel. (But note that someone who can redirect your ssh connection can also redirect a web browser session.)

If you've connected to this server before from this install of ssh, then either the server has been reconfigured with a new key, or someone is spoofing the server's identity. Due to the seriousness of a man-in-the-middle attack, it's warning you about the possibility.

Either way, you have a secure encrypted channel to somebody. No one without the private key corresponding to fingerprint 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 can decode what you send.

The key you use to authenticate yourself is unrelated... you wouldn't want to send authentication information to a fraudulent server who might steal it, and so you should not expect any changes depending on whether you're going to use a passphrase or private key to login. You simply haven't gotten that far in the process yet.