GitHub's guide Generating a new SSH key and adding it to the ssh-agent recommends using ed25519 when configuring SSH keys for connecting to GitHub, but if you SSH to github.com, you see the host key is of ECDSA type (see below). Why don't they use the same type of encryption for server cert as they recommend for client cert?
user@computer:/$ ssh -T [email protected]
The authenticity of host 'github.com (140.82.114.3)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Best Answer
First, neither ECDSA nor Ed25519 (EdDSA) is an encryption scheme or algorithm; they are both signature algorithms (or schemes) used in SSH as host authentication (aka host-key) algorithms or methods, as well as 'user' authentication.
github.com
has all three currently-accepted types of host key, presumably for maximum interoperability (especially since it costs them nothing to do so):Which one is used for a given connection depends on the capabilities and preferences of the client, namely your
ssh
program. If you are using OpenSSH (which is not the only implementation of SSH and not the only program namedssh
, though I'd expect the most common among githubians who are almost by definition FOSSites) versions 6.5 to 8.1 prefer ecdsa then ed25519 (unless using an OpenSSL version that doesn't support ECC, or not using OpenSSL at all); only 8.2 up prefer ed25519 first. You can override this with e.g.ssh -oHostKeyAlgorithms=ssh-ed25519 ...
or an equivalent config setting, see the man page.