Ssh-fingerprints

From Delft Solutions
Revision as of 07:34, 12 August 2024 by Dortund (talk | contribs)

If the host you're ssh'ing into isn't known yet, ssh asks you to confirm the fingerprint of the target host's key. To verify it, do the following:

  1. Find someone who has working SSH access to the host, or find another way to reach the host that doesn't require SSH (console, out-of-band management, and so on).
  2. On the target host, run the command 'ssh-keyscan <host> | ssh-keygen -lf -'. Replace '<host>' with the target's hostname.
  3. Verify that the fingerprint matches the one shown by the initial ssh attempt. Make sure you compare against the line for the same key algorithm.


Example:

On the initial host:

    root@screwdriver:~# ssh scorpion
    The authenticity of host 'scorpion (<no hostip for proxy command>)' can't be established.
    ED25519 key fingerprint is SHA256:sjf89wi3rnwlkefn(IA(S*HANFlhfalknfsdfsadjfh.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

On the target host:

    root@scorpion:~# ssh-keyscan scorpion | ssh-keygen -lf -
    # scorpion:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
    256 SHA256:lklsjdfsd8fd8*SDHANNAoaiodfnslakkfndsldkfn scorpion (ECDSA)
    3072 SHA256:LKSdfjsi878sijn3lAUHUI&*GNSLFSadhofsnlka scorpion (RSA)
    256 SHA256:sjf89wi3rnwlkefn(IA(S*HANFlhfalknfsdfsadjfh scorpion (ED25519)


Here, the algorithm shown by the initial host is 'ED25519', so on the target host you compare against the fingerprint on the line with the same algorithm name in parentheses, '(ED25519)' in this case. The ECDSA and RSA lines are different keys of the same host and will never match an ED25519 fingerprint.

The fingerprints match, so you can accept the fingerprint on the initial host. If they do not match, do NOT accept: you may be talking to a different machine than the one you think, and your connection could be intercepted.
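The comparison in step 3 is easy to get wrong by eye (long base64 strings, three lines to choose from), so here is a small POSIX shell helper that does it mechanically. It is an added example, not a script from the Delft Solutions wiki: it reads the output of 'ssh-keyscan <host> | ssh-keygen -lf -' on stdin, selects the line whose algorithm name in parentheses matches the one the ssh prompt showed, and compares the fingerprints. The function names ('verify_fingerprint', 'check_host', 'sample_scan') are made up for this example; the sample scan output is the page's own example, embedded so the helper can be tried without a real host.

```shell
#!/bin/sh
# Added example (not from the wiki page). Mechanical version of step 3:
# compare the fingerprint from the ssh prompt with the line for the same
# key algorithm in "ssh-keyscan <host> | ssh-keygen -lf -" output.

# Usage: verify_fingerprint ALGO FINGERPRINT_FROM_PROMPT < scan_output
# Returns 0 on match, 1 on mismatch, 2 if no key of that algorithm is listed.
verify_fingerprint() {
  algo=$1
  # Normalise the prompt value: accept it with or without the "SHA256:"
  # prefix and drop any trailing base64 padding.
  expected=$(printf '%s' "$2" | sed -e 's/^SHA256://' -e 's/=*$//')

  # Only look at the line whose last field is "(ALGO)". The "# host:22 ..."
  # banner line and keys of other algorithms are ignored on purpose.
  found=$(awk -v want="($algo)" '$NF == want { print $2; exit }')
  if [ -z "$found" ]; then
    echo "no $algo host key in scan output; check the algorithm the prompt showed" >&2
    return 2
  fi
  found=$(printf '%s' "$found" | sed -e 's/^SHA256://' -e 's/=*$//')

  if [ "$found" = "$expected" ]; then
    echo "MATCH ($algo): SHA256:$found"
    return 0
  fi
  echo "MISMATCH ($algo): prompt SHA256:$expected, scan SHA256:$found" >&2
  return 1
}

# Live use on the target host (needs ssh-keyscan and ssh-keygen installed):
#   check_host HOST ALGO FINGERPRINT_FROM_PROMPT
check_host() {
  ssh-keyscan "$1" 2>/dev/null | ssh-keygen -lf - | verify_fingerprint "$2" "$3"
}

# Constructed sample input: the scan output from the page's example.
sample_scan() {
  cat <<'EOF'
# scorpion:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
256 SHA256:lklsjdfsd8fd8*SDHANNAoaiodfnslakkfndsldkfn scorpion (ECDSA)
3072 SHA256:LKSdfjsi878sijn3lAUHUI&*GNSLFSadhofsnlka scorpion (RSA)
256 SHA256:sjf89wi3rnwlkefn(IA(S*HANFlhfalknfsdfsadjfh scorpion (ED25519)
EOF
}

# The fingerprint the prompt on the initial host showed (page's example).
PROMPT_FP='SHA256:sjf89wi3rnwlkefn(IA(S*HANFlhfalknfsdfsadjfh'

# Demo: the ED25519 line matches, so answering the prompt is safe.
sample_scan | verify_fingerprint ED25519 "$PROMPT_FP" || echo "do NOT answer yes" >&2
```

Note that the algorithm name is taken from the prompt, not chosen by you: passing 'RSA' here with the ED25519 fingerprint reports a mismatch, and passing an algorithm the host does not offer returns 2 rather than silently comparing against the wrong line. Once verified, you can also paste the fingerprint itself at the 'yes/no/[fingerprint]' prompt; OpenSSH then only continues if it matches the key the server presented.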