[SGVLUG] How to get ssh server fingerprint info

Lan Dang l.dang at ymail.com
Fri Jan 17 07:34:25 PST 2014


This came up during a HAK meeting, but it is more of a LUG topic.  When you ssh into a machine for the first time, you are told that the authenticity of the host can't be established and given an RSA key fingerprint to eyeball before you decide whether to continue connecting.

Jess asked what this fingerprint is and how you verify it.

The key fingerprint is a cryptographic hash of the server host's public key.  When you ssh into a server.

You would find the server's public keys in /etc/ssh/*sa-key.pub.  (I think there is usually a DSA key and an RSA key).  You use ssh-keygen -lf <keyfile> to get the fingerprint.  If you trust the server you are currently logged into, this is one way to get the fingerprint.

But how do you verify the fingerprint before you connect?  Get it from your sysadmin, or if it is a public ssh server, there is probably a website you can check.  

http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

In reality, I just trust my company IT when I log into their machines.  I only worry if the fingerprints suddenly change, unless I know that they've been doing an OS or hardware upgrade on that machine (or set of machines).

Lan
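
Added example, not part of the original message: a Python sketch of what the fingerprint is, namely a hash of the base64-decoded key blob from the .pub file, and of checking it against a value obtained from a trusted source such as the sysadmin. It goes beyond the message by producing both the colon-separated MD5 form and the SHA256 form that current OpenSSH prints; the sample key is constructed for illustration and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample with the layout of an RSA host key (type, e, n); not a real key.
_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(bytes(range(1, 129)))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " constructed@example"

def parse_pubkey_line(line):
    """Split a .pub line ('type base64 [comment]') into (type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'keytype base64-blob [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob carries its own length-prefixed type; it must agree with the label.
    if not blob.startswith(_ssh_string(key_type.encode())):
        raise ValueError("key type label does not match key blob")
    return key_type, blob

def fingerprints(blob):
    """Return the MD5 (colon-separated hex) and SHA256 (unpadded base64) fingerprints."""
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_trusted(line, trusted):
    """True if the key on `line` has the fingerprint `trusted` (either format)."""
    _, blob = parse_pubkey_line(line)
    t = trusted.strip()
    if t.upper().startswith("MD5:"):
        t = t[4:]
    if not t.startswith("SHA256:"):
        t = t.lower()  # hex is case-insensitive, base64 is not
    return any(hmac.compare_digest(fp.encode(), t.encode())
               for fp in fingerprints(blob).values())

if __name__ == "__main__":
    print(fingerprints(parse_pubkey_line(SAMPLE_LINE)[1]))
```
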
