Resolving Git Clone SSH Errors: Host Key Verification Failed and Remote Connection Issues

Problem Diagnosis and Background Analysis

When cloning Git repositories using the SSH protocol, developers frequently encounter two critical errors: Host key verification failed and fatal: The remote end hung up unexpectedly. These errors typically stem from interactions between SSH security mechanisms and Git configuration. The former indicates that the SSH client cannot verify the authenticity of the remote server (e.g., GitHub), while the latter signifies abnormal connection termination due to authentication failure. Understanding the root causes requires examining the underlying principles of the SSH protocol.

Core Solution: SSH Key Configuration

The fundamental resolution involves proper configuration of SSH key pairs. First, generate an RSA key pair using the ssh-keygen command. This creates private (~/.ssh/id_rsa) and public (~/.ssh/id_rsa.pub) key files. During generation, the system prompts for save path and passphrase; maintaining default paths is recommended to simplify subsequent setup.

After key generation, the public key must be added to the GitHub account. This is accomplished via GitHub's settings interface: copy the contents of ~/.ssh/id_rsa.pub and paste them into GitHub's SSH key management page. This step establishes trust between the local machine and GitHub servers, forming the basis for SSH authentication.

known_hosts File Management

During initial connection to GitHub servers, the SSH client checks whether the ~/.ssh/known_hosts file contains the server's public key fingerprint. If the file lacks corresponding records, the system displays The authenticity of host 'github.com (IP address)' can't be established. At this point, manual confirmation (entering yes) can be provided, and the system automatically adds the fingerprint to the known_hosts file.

For automated scenarios or pre-configuration needs, the command ssh-keyscan -H github.com >> ~/.ssh/known_hosts directly retrieves and stores GitHub's public key fingerprint. This method avoids interactive prompts and is suitable for scripted deployment environments.

Complete Operational Workflow Demonstration

The following code example illustrates the full process from key generation to successful cloning:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2E... user@host
$ git clone git@github.com:username/repository.git
Cloning into 'repository'...
The authenticity of host 'github.com (IP address)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,IP address' (RSA) to the list of known hosts.
Enter passphrase for key '/home/user/.ssh/id_rsa': 
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 10 (delta 1), reused 10 (delta 1), pack-reused 0
Receiving objects: 100% (10/10), done.

Troubleshooting and Best Practices

If Permission denied (publickey) errors persist after these steps, verify the following: ensure SSH keys are correctly added to the GitHub account; confirm ~/.ssh directory permissions are 700 and key file permissions are 600; validate that SSH URLs (git@github.com:...) are used instead of HTTPS URLs. For continuous integration environments, using passphrase-less keys with ssh-agent management is advised.

Additionally, regularly updating fingerprint records in the known_hosts file prevents connection failures due to GitHub server key rotation. Through systematic SSH configuration management, developers can ensure reliable and secure Git operations.