SSH host key fingerprints — frem.sh
On this page
When your SSH client connects to ssh.frem.sh:443 for the first time, it asks you to confirm the server’s host key fingerprint. (Port 22 is not publicly exposed on the apex domain — ssh.frem.sh:443 is the only published SSH endpoint.) Verify the fingerprint matches one of the values below before accepting. A fingerprint that does not appear here means you are looking at a man-in-the-middle, a stale cache, or a different server — do not trust it.
Current fingerprints #
| Algorithm | SHA-256 fingerprint | Bit length |
|---|---|---|
ssh-rsa | SHA256:LNz5zoh9R2KZAhNGeFgKSeBMPEzbNBdd0wqwrwEkU3E | 4096 |
Currently only ssh-rsa is published. ED25519 + ECDSA host keys are not enabled at the Forgejo layer in this deployment; if your client requires them, force RSA via ssh -o HostKeyAlgorithms=ssh-rsa,rsa-sha2-256,rsa-sha2-512.
What to do at the prompt #
When OpenSSH prints something like:
The authenticity of host 'ssh.frem.sh (...)' can't be established.
RSA key fingerprint is SHA256:LNz5zoh9R2KZAhNGeFgKSeBMPEzbNBdd0wqwrwEkU3E.
Are you sure you want to continue connecting (yes/no/[fingerprint])?Compare the printed fingerprint to the row in the table above. If it matches, type yes; OpenSSH adds the key to your ~/.ssh/known_hosts and never prompts again for that host. If it does not match, type no and reach out via support@frem.sh before trying again.
Avoiding the prompt entirely #
You can pre-trust the host key by appending it to your known_hosts file:
ssh-keyscan -t rsa -p 443 ssh.frem.sh >> ~/.ssh/known_hostsThen verify the SHA-256 with:
ssh-keygen -lf <(ssh-keyscan -t rsa -p 443 ssh.frem.sh 2>/dev/null)The output should match the table above.
When fingerprints rotate #
We rotate Forgejo host keys only when the underlying server cluster is rebuilt. When that happens we publish the new fingerprints here at least 24 hours before the cutover, archive the previous fingerprints for 90 days under Previous fingerprints, and post a notice on status.frem.sh.
If your client warns “REMOTE HOST IDENTIFICATION HAS CHANGED” and the new fingerprint does not appear here, do not clear known_hosts — contact us first.
Previous fingerprints #
None archived (this is the first publication of this page).
Related #
- Connecting to fremforge over SSH — clone instructions, port-443 fallback, troubleshooting
- Status page — current uptime + planned maintenance
- Trust page — sub-processors, audit posture, EU-only data residency
Last updated: 2026-05-06.