Where is the SSH Server Fingerprint generated/stored?
I installed openssh-server and created a key with ssh-keygen. I then attempted to test it using local port forwarding by doing ssh -L 8080:www.nytimes.com:80 127.0.0.1. However, the key fingerprint that this command provides is not the key fingerprint I get when I do ssh-keygen -l. Even if I delete my .ssh directory, I still get the same fingerprint, which is not the one I created with ssh-keygen.

Is there another key on my system? Where is this key? How can I select this key for use by openssh-server?
Solution 1:
When you make an SSH session, two different key pairs (with a fingerprint for each pair) are involved. One is the user's key, which is stored in ~/.ssh. The user's SSH key identity is sometimes used as credentials to log in to another computer (if you have set up key-based login).

The other is the SSH server's key. This is the key you see the fingerprint for when you connect to a different server for the first time. This key's identity is used to make sure you are logging in to the SSH server you intend to. This is important if you are using passwords, because you wouldn't want to accidentally try to log in to an attacker's machine: the attacker would get your password when you typed it in. Then the attacker could log in to the machine you thought you were logging in to! (This is known as a "man in the middle attack".) The keys an SSH server uses to identify itself when you log in to it are located in /etc/ssh/ and usually named something like ssh_host_rsa_key.

You can actually change where the SSH server looks for the key in the /etc/ssh/sshd_config file with the HostKey /path/to/host/key setting.

By default, ssh-keygen will create a key for the current user, which, by default, will be stored in ~/.ssh. The format of a user key and a server key is the same; the difference is where they are placed and whether /etc/ssh/sshd_config has a HostKey directive pointing to them. When you install the openssh-server package, it automatically generates keys for the server to use. That is where the keys with the unknown fingerprint came from. If you want to see the fingerprint of the SSH server's (RSA*) key, you could run ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub.

*There are different encryption algorithms. Each one uses a different key. Common ones are DSA (weak), RSA (old default), and ECDSA (new default).
Solution 2:
SSH host keys are stored in /etc/ssh/, which you generally do not need to choose. These keys were generated when the openssh-server package was installed.

You can list the fingerprint of the keys by ssh-keygen -l -f /etc/ssh/ssh_host_key.pub, though you will need to repeat this for each public key.
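Solutions 1 and 2 both come down to one fact: the fingerprint ssh-keygen -l prints is a hash of the public key blob, computed the same way for a host key under /etc/ssh/ as for a user key under ~/.ssh, and the comment at the end of the .pub line plays no part in it. The following is an added example (not code from either answer or from OpenSSH) that reads OpenSSH .pub lines, computes the SHA256 and legacy MD5 fingerprints exactly as ssh-keygen does, and loops over every ssh_host_*_key.pub in a directory so you do not have to repeat the command per key. It assumes the standard ssh-ed25519 blob layout (a length-prefixed type string followed by the length-prefixed 32-byte key); the key bytes, file names and comment it uses are constructed test data, not real keys. Point host_key_fingerprints at /etc/ssh to run it against a real server.

```python
from __future__ import annotations

import base64
import hashlib
import struct
import tempfile
from pathlib import Path

# An OpenSSH public-key line is "<type> <base64 blob> [comment]".
# ssh-keygen -l hashes the decoded blob only, so the comment and the
# file name never change the fingerprint.


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key_type, raw_blob) from one .pub / authorized_keys style line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; checking it
    # catches a line whose text label was edited by hand.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != key_type:
        raise ValueError("key type inside blob does not match line prefix")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """Modern ssh-keygen -l output: SHA256:<base64 digest without '=' padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy output (ssh-keygen -l -E md5): MD5:aa:bb:cc:..."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_file(path: Path) -> tuple[str, str]:
    """(key_type, SHA256 fingerprint) for one .pub file."""
    key_type, blob = parse_pubkey_line(path.read_text())
    return key_type, sha256_fingerprint(blob)


def host_key_fingerprints(ssh_dir) -> dict[str, tuple[str, str]]:
    """Fingerprint every ssh_host_*_key.pub in a directory (e.g. /etc/ssh),
    keyed by file name. Private key files do not match the glob and are skipped."""
    ssh_dir = Path(ssh_dir)
    return {p.name: fingerprint_file(p)
            for p in sorted(ssh_dir.glob("ssh_host_*_key.pub"))}


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from 32 bytes.
    Constructed test data: the bytes are arbitrary, not a generated key."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw32)) + raw32)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def demo() -> dict[str, tuple[str, str]]:
    """Write a constructed host-key pair into a temp dir and fingerprint it,
    the way host_key_fingerprints('/etc/ssh') would on a real server."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        pub = make_ed25519_pubkey_line(bytes(range(32)), "root@constructed-host")
        (d / "ssh_host_ed25519_key.pub").write_text(pub + "\n")
        # Placeholder private key; ignored because it has no .pub suffix.
        (d / "ssh_host_ed25519_key").write_text("(private key placeholder)\n")
        return host_key_fingerprints(d)


if __name__ == "__main__":
    for name, (key_type, fp) in demo().items():
        print(f"{name}: {key_type} {fp}")
```

Compare the SHA256 value printed for the real files against what the client shows on first connection; a mismatch means the client is talking to a server with a different host key than the one in /etc/ssh, which is exactly the situation the host key check exists to surface.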
Solution 3:
ssh-keygen does not generate the SSH fingerprint at your server. That is generated by the SSH server. ssh-keygen creates a public/private key pair for your system that you can later use to access your SSH server without having to transmit a plain-text passcode to the server.

The fingerprint of your server will obviously not display as the fingerprint of the public/private key pair you generated, as they are separate from each other.