How to verify host fingerprint in Openssh

ssh ssh-keys openssh

How can I verify fingerpint of newly connecting host when I try to connect from my remote machine to home-machine. At first connection I got this:

[email protected]$ ssh [email protected]:~/
The authenticity of host '[home-machine.org]:222 ([x.xx.xx.xx]:222)' can't be established.
ECDSA key fingerprint is SHA256:6lr/VtTwgrKZVNZQ8y8Le/ilfBYfo0e+9UliSg+AD2k.
Are you sure you want to continue connecting (yes/no)?

How can I check fingerprint of my "home-machine"? I Was trying to list them on my-home machine like this:

[email protected]:~$ for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file};  done
1024 d1:ef:db:b4:24:fc:ca:fe:e1:11:8c:36:0a:77:90:49 /etc/ssh/ssh_host_dsa_key.pub (DSA)
256 d9:25:51:16:ca:76:bd:8f:b8:6a:79:a2:1c:81:4b:4c /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
2048 3a:c6:2d:29:7c:b9:16:e8:ed:1c:a8:26:5d:ab:0d:1e /etc/ssh/ssh_host_rsa_key.pub (RSA)
[email protected]:~$

But those keys seem to be in different format. Is this some kind of MD5 of fingerprint? How can I have those fingerprints in unified format?


Your SSH server is providing SHA256 public key hashes, which is far more secure than MD5 hashes.

You then have to specify to ssh-keygen that you want SHA256 instead of MD5 hashes. Try executing the command on your home-machine (that you try to connect to from the remote machine in your example):

for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done


Commands used

  • Display ascii-art of the public host key stored on the server (to be done on server side, the one you connect TO via ssh):

     ssh-keygen -l -v -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub

    -l: Show fingerprint of specified public key file.

    -v: visual (ascii-art)

    -E md5: the hash algorithme used to calculate the fingerprint ("md5" or "sha256"). ("sha256" is prefered if available). (may not be available in old versions of ssh-keygen)

    -f: file

  • Display ascii-art of remote server public host key (to be done on client side, the one you connect FROM via ssh):

     ssh -o visualhostkey=yes -o FingerprintHash=md5 <host_server_to_connect>

    -o: option

    visualhostkey: visual (ascii-art)

    FingerprintHash: hash algo to use (use the same as the one you obtain from the server: md5 or sha256)

Steps to check the authenticity of a host/server

  • First, 1. is to be done locally on the server (the one you want to connect TO via ssh ): it will give you a first ascii-art. Print it or take a picture.

  • Second, 2. is to be done at the first SSH connexion; it will display a second ascii-art. If the ascii-art is the same, then you can answer yes to the "do I trust?" question (i.e. Are you sure you want to continue connecting (yes/no)).

Example

  • 1. Server side
$ ssh-keygen -l -v -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub
256 2e:a6:b3:27:14:12:0b:79:df:9a:7f:bd:4d:b1:e0:b6   (ECDSA)
+--[ECDSA  256]---+
| .               |
|o o              |
| o + .           |
|  o o .          |
|   . +  S . .    |
|    +  . . . o   |
|   . .o ..o o    |
|    ooo....+     |
|    o= .  E..    |
+-----------------+
  • 2. Client side
$ ssh -o visualhostkey=yes -o FingerprintHash=md5 192.168.12.211
The authenticity of host '192.168.12.211 (192.168.12.211)' can't be established.
ECDSA key fingerprint is MD5:2e:a6:b3:27:14:12:0b:79:df:9a:7f:bd:4d:b1:e0:b6.
+---[ECDSA 256]---+
| .               |
|o o              |
| o + .           |
|  o o .          |
|   . +  S . .    |
|    +  . . . o   |
|   . .o ..o o    |
|    ooo....+     |
|    o= .  E..    |
+------[MD5]------+
Are you sure you want to continue connecting (yes/no)?

Some more explanation

The first command will display the ascii-art corresponding to the fingerprint of the file you give as input (and the fingerprint itself). The file you give as input is the public host key of the server. When a client connect (not only for the first time), the server will sent its public host key. This public host key will be searched in ~/.ssh/known_hosts. If the public key is in the file, then it's ok: the host (server) is known, so we move on to the next step to authentificate the user (user auth is not described in this post). If the public key is not in the file, then the client will compute the fingerprint of this public host key with a hash algorithm (a different hash algo will give a different fingerprint). This fingerprint previously calculated is displayed (along with the ascii-art if corresponding option provided) and you will have to answer yes or no depending on you recognising this fingerprint or no (this fingerprint is the image/hash of the public host key of the server). If you say yes, then the public key of the server (not its fingerprint) will be added to the file ~/.ssh/known_hosts.

We can notice that ~/.ssh/known_hosts is under your home (~) directory, because you trust this host (server), but a different user may not trust the same as you. Also, the host public key of the server is not user-dependent, so it is stored in /etc/ssh/.

The second command will display the fingerprint and the ascii-art of the public key received from the host_server_to_connect (according to the hash algo given in options). It is the same as doing only ssh, but with more visual options, so the connection will continue the same way as a normal ssh connexion.

Related

Where does Postman install to?
Get response body and show HTTP code by curl
How to hide weechat nickname list and channel names?
Windows 10 computer waking up from sleep
Is there a Minecraft direction facing by hotkey solution? [closed]
Is there a penalty for dying In Cross Code?
Why was Father that old, compared to Kellogg?
Is there a way to spawn zombies at certain coordinates?
How Do You Set Leaderboard Player Stats Using The Costume Dummy In RecRoom?
How do I extend a pulsed signal in Rec Room circuits?
Playstation 4 compatibilities with VR headsets
Does bouncing a stolen card return it back to the original owner?