What is randomart produced by ssh-keygen?

When you generate a key, you get "randomart" from newer versions of OpenSSH. I am unable to find an explanation of why, and what I'm supposed to use it for.

Generating public/private rsa key pair.
The key fingerprint is:
05:1e:1e:c1:ac:b9:d1:1c:6a:60:ce:0f:77:6c:78:47 you@i
The key's randomart image is:
+--[ RSA 2048]----+
|       o=.       |
|    o  o++E      |
|   + . Ooo.      |
|    + O B..      |
|     = *S.       |
|      o          |
|                 |
|                 |
|                 |
+-----------------+

Generating public/private dsa key pair.
The key fingerprint is:
b6:dd:b7:1f:bc:25:31:d3:12:f4:92:1c:0b:93:5f:4b you@i
The key's randomart image is:
+--[ DSA 1024]----+
|            o.o  |
|            .= E.|
|             .B.o|
|              .= |
|        S     = .|
|       . o .  .= |
|        . . . oo.|
|             . o+|
|              .o.|
+-----------------+

Solution 1:

The randomart is meant to be an easier way for humans to validate keys.

Validation is normally done by a comparison of meaningless strings (i.e. the hexadecimal representation of the key fingerprint), which humans are pretty slow and inaccurate at comparing. Randomart replaces this with structured images that are faster and easier to compare.

The paper "Hash Visualization: a New Technique to improve Real-World Security" (Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)) explains some techniques and advantages.
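The walk OpenSSH uses to turn a fingerprint into such an image (the "drunken bishop": each byte of the digest gives four 2-bit moves on a 17x9 board, and a cell's symbol is how often it was visited), as an added Python example that is not part of the question or of any answer. It reproduces the RSA image from the question from its MD5 fingerprint; the field size and symbol table mirror OpenSSH's, while `parse_fingerprint`, `md5_fingerprint` and `randomart` are names chosen here.

```python
import hashlib

# OpenSSH's symbol table: index = number of times the walk visited a cell;
# the last two entries mark the start ('S') and end ('E') of the walk
AUGMENTATION = " .o+=*BOX@%&#/^SE"
FLDSIZE_X, FLDSIZE_Y = 17, 9  # field size used by ssh-keygen

# The MD5 fingerprint printed for the RSA key in the question
PAGE_RSA_FINGERPRINT = "05:1e:1e:c1:ac:b9:d1:1c:6a:60:ce:0f:77:6c:78:47"


def parse_fingerprint(fp: str) -> bytes:
    """Turn the colon-separated hex fingerprint ssh-keygen prints into bytes."""
    return bytes.fromhex(fp.replace(":", ""))


def md5_fingerprint(key_blob: bytes) -> bytes:
    """Legacy fingerprint: MD5 over the raw public-key blob
    (the base64 field of an authorized_keys line, decoded)."""
    return hashlib.md5(key_blob).digest()


def randomart(digest: bytes, title: str = "[ RSA 2048]") -> str:
    """Drunken-bishop walk over the 17x9 field, rendered like ssh-keygen."""
    field = [[0] * FLDSIZE_X for _ in range(FLDSIZE_Y)]
    x, y = FLDSIZE_X // 2, FLDSIZE_Y // 2  # the bishop starts in the centre
    for byte in digest:
        for _ in range(4):  # each byte yields four 2-bit moves, LSB first
            x += 1 if byte & 0x1 else -1  # bit 0: right or left
            y += 1 if byte & 0x2 else -1  # bit 1: down or up
            x = min(max(x, 0), FLDSIZE_X - 1)  # the bishop cannot leave the board
            y = min(max(y, 0), FLDSIZE_Y - 1)
            if field[y][x] < len(AUGMENTATION) - 2:  # saturate below 'S'/'E'
                field[y][x] += 1
            byte >>= 2
    field[y][x] = len(AUGMENTATION) - 1  # 'E': where the walk ended
    field[FLDSIZE_Y // 2][FLDSIZE_X // 2] = len(AUGMENTATION) - 2  # 'S': start
    header = "-" * FLDSIZE_X
    header = header[:2] + title + header[2 + len(title):]
    lines = ["+" + header + "+"]
    lines += ["|" + "".join(AUGMENTATION[v] for v in row) + "|" for row in field]
    lines.append("+" + "-" * FLDSIZE_X + "+")
    return "\n".join(lines)


if __name__ == "__main__":
    print(randomart(parse_fingerprint(PAGE_RSA_FINGERPRINT)))
```

Newer OpenSSH releases run the same walk over the 32-byte SHA256 digest and label the footer with the hash name; the board and symbol table are unchanged.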

Solution 2:

Add

-o VisualHostKey=yes 

to your command line, or put

VisualHostKey=yes 

in your ~/.ssh/config.

You'll see the randomart of the box you are logging onto. If you log on one day and the random art is different (your brain should go Hey! I don't recognise that!), then maybe someone is hacking, or something.

The idea is that you don't consciously need to do it. One of the keys for one of our machines kinda looks like a butterfly. Another one kinda looks like a dick (yes, our brains are primitive). If you log on every day, you get accustomed to the images without even trying.

Solution 3:

Official announcement: OpenSSH 5.1 released

Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) and ssh-keygen(1). Visual fingerprint display is controlled by a new ssh_config(5) option "VisualHostKey". The intent is to render SSH host keys in a visual form that is amenable to easy recall and rejection of changed host keys. This technique is inspired by the graphical hash visualisation schemes known as "random art[*]", and by Dan Kaminsky's musings at 23C3 in Berlin.

Fingerprint visualisation is currently disabled by default, as the algorithm used to generate the random art is still subject to change.

Solution 4:

The Randomart displayed after the ssh-keygen generation is a graphic representation of the key you have just generated. Then:

  • the Randomart is not really useful for the user who generated the ssh-key

  • the Randomart can be very useful for a user using a connection via SSH to connect often to the same server: if he added the "-o VisualHostKey=yes" option to his SSH command:

    ssh [email protected] -o VisualHostKey=yes

the Randomart corresponding to the public key of the server will be displayed.

To see an example, you can try:

ssh [email protected] -o VisualHostKey=yes

In the case where the user often connects to the same server, he can quickly and easily check whether he recognizes the Randomart corresponding to the public key of this server or not, which is easier and faster than checking the string of characters of the public key itself!