Check the fingerprint for the ECDSA key sent by the remote host [closed]

ssh fingerprint

I have got the well-known warning message when trying to ssh into a server:

$ ssh whateverhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxx.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:10
ECDSA host key for ipofmyhost has changed and you have requested strict checking.
Host key verification failed.

And I know why because I changed the ip of such server. But if it weren't so, how could I check the fingerprint for the ECDSA key sent by the remote host?

I have tried to do so by:

echo -n ipofthehost | sha256sum

But I don't get the same fingerprint. I also tried "hostname,ip" kind of like in AWS, but I didn't get any match.

If I delete the entrance from my known_hosts file and I try to ssh again, it succeeds and tells the following:

ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxx.
Are you sure you want to continue connecting (yes/no)?

So to what is it applying the sha256sum to get the fingerprint and how I could check it?


Solution 1:

A public key fingerprint isn't the simple hash of an IP address string.

To retrieve a remote host public key you can use ssh-keyscan <IP address>, and then you can use the usual tools to extract its fingerprint (ssh-keygen -lf <public_key_file>).

Finally you can compare the current fingerprint in your known_hosts file with ssh-keygen -l -F <domain_or_IP_address>.

Solution 2:

A bit more in detail: Because the warning message refers to the fingerprint for the ECDSA key sent by the remote host, we gather the info about the public (ECDSA) key of the host:

ssh-keyscan -t ecdsa <IP_address_or_hostname> ECDSA_file_to_compare

Then we can find out where in our known_hosts file that the public (ECDSA) key is:

ssh-keygen -l -F ipofhost

If we want to compare the fingerprints we have to put in the contents of our known_hosts file (just the entry related to this host). We can call it ecdsa_file_from_known_hosts and then compare them as follows:

ssh-keygen -lf ecdsa_file_to_compare
ssh-keygen -lf ecdsa_file_from_known_hosts

And check if they show the same hash.

Of course they don't match, and that is why I got the warning message (ssh checks this matching internally). If we are sure about the IP address change (so we are not suffering a man-in-the-middle attack) we can just delete the entry of that host in our known_hosts file and the next time we ssh into it, a new fresh entry for it will be added to such a file.

Related

How do DNS clients choose an IP address when they get multiple answers?
Any disadvantage to short DNS TTL? [closed]
Constantly have to reload PHP-FPM
Checkpoint VPN Linux Client
Web gardens... are they good or bad or what?
Could not find class, and yet it is there
Is MariaDB a secure replacement for MySQL?
What are the performance implications for millions of files in a modern file system?
How do I make tcpdump not print the tcp headers?
What does "Error: Cycle". means in Terraform?
How to tell if I'm in MacVim in .vimrc
Network cable color conventions? [closed]