Verifying you're connected to Codeberg using SSH fingerprints

When you connect to Codeberg via SSH, for example to clone or commit, you need to make sure that you're actually connected to Codeberg's servers and not someone else's server attempting to execute a so-called man-in-the-middle attack.

To protect you against this sort of attacks, SSH will ask you the first time you connect to a new server, whether you want to trust that server:

$ git clone
Cloning into 'Documentation' ...
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:T9FYDEHELhVkulEKKwge5aVhVTbqCW0MIRwAfpARs/E.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

When connecting to Codeberg, it is important that you check the displayed fingerprint against one of the following fingerprints published by Codeberg:

SHA256:6QQmYi4ppFS4/+zSZ5S4IU+4sa6rwvQ4PbhCtPEBekQ (RSA)
SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g (ED25519)

These are the SHA256 versions of the fingerprints published in the Imprint, which are to be considered the authoritative fingerprints for Codeberg.

If they match, you're good to go and can safely use Codeberg via SSH.

If they don't, don't continue to connect, because your credentials may be at risk and please give us a heads-up at

Hey there! 👋 Thank you for reading this article!

Is there something missing or do you have an idea on how to improve the documentation? Do you want to write your own article?

You're invited to contribute to the Codeberg Documentation at its source code repository, for example by Adding a pull request or joining in on the discussion in the issue tracker.

For an introduction on contributing to Codeberg Documentation, please have a look at the Contributor FAQ.

© Codeberg Docs Contributors. See LICENSE