Verifying ssh key fingerprint
Go here young (wo)man.
Summary
- SSH is the standard access method we use for all devices that support it.
- SSHv1 should be disabled on devices that support SSHv2 and allow SSHv1 to be disabled.
- Anonymous FTP access to CNS SSH host key file
Some Hints
Authenticate the host you are connecting to
If you are going to log in to a host using a password, it is important to determine that you are actually connected to the authentic host. An SSH client uses the key presented by the server to authenticate it. If the key the server presents is unknown or different from the one the client has stored, the client will print a message and ask you if you really want to connect.
It is not completely unreasonable to accept an unknown key if this is the first time you have connected to a server from a particular client. The client will store the key in your personal known hosts file (~/.ssh/known_hosts on Unix systems). You can also copy the key from a known hosts file on a client you have previously used to connect to the server. If a server key changes you should figure out if the change is legitimate or not.
SSH will display a visualization of a host key which some people may find useful for validating them:
$ ssh -o Visualhostkey=yes locust.cns.vt.edu
Host key fingerprint is be:73:97:4c:4e:c4:15:6f:af:0e:89:91:2a:e4:0b:fd
+--[ RSA 1024]----+
|              .. |
|              .. |
|           . .  o|
|           .o  ..|
|      . S o.    .|
|     + . . oo. . |
|    . + o .=o..  |
|     . +... =o   |
|      . Eo .  .  |
+-----------------+
A better solution is to have a system-wide file of known ssh keys.
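The following Python script is an added example, not code from this page or from CNS: it reads a known hosts file (a constructed one here, containing both a plain entry and a HashKnownHosts-style hashed entry) and prints the stored key's fingerprint in the colon-separated MD5 form shown above and in the SHA256 form newer clients display, so you can compare it against a fingerprint obtained out of band before accepting a key. The key blob, the address 198.51.100.7, the host other.example.edu and the all-zero salt are constructed placeholders; locust.cns.vt.edu is the host named on this page.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data
# Constructed sample key (not a real key): an ssh-ed25519 blob is
# string("ssh-ed25519") followed by string(32 public key bytes).
SAMPLE_KEY_B64 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
def hashed_marker(hostname: str, salt: bytes) -> str:
    # Host field written by HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())
# Constructed known_hosts content: a comment, a plain entry and a hashed entry.
# 198.51.100.7 and other.example.edu are placeholders; 20 zero bytes stand in for a random salt.
KNOWN_HOSTS = "\n".join([
    "# managed by the local admins",
    "locust.cns.vt.edu,198.51.100.7 ssh-ed25519 " + SAMPLE_KEY_B64,
    hashed_marker("other.example.edu", bytes(20)) + " ssh-ed25519 " + SAMPLE_KEY_B64,
])
def fingerprints(key_b64: str) -> dict:
    # Key type from the blob, MD5 fingerprint as colon-separated hex (older ssh display) and SHA256 as unpadded base64.
    blob = base64.b64decode(key_b64)
    (type_len,) = struct.unpack(">I", blob[:4])
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": blob[4:4 + type_len].decode(),
            "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha256_b64}
def host_matches(marker: str, hostname: str) -> bool:
    # Plain entries list hosts comma-separated; hashed entries must be recomputed with their salt.
    if marker.startswith("|1|"):
        _, _, salt_b64, hash_b64 = marker.split("|", 3)
        actual = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(hash_b64), actual)
    return hostname in marker.split(",")  # wildcards and [host]:port forms are not handled
def lookup(known_hosts: str, hostname: str):
    # Fingerprints of the key stored for hostname, or None when there is no entry to compare against.
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if host_matches(fields[0], hostname):
            return fingerprints(fields[2])
    return None
if __name__ == "__main__":
    print(lookup(KNOWN_HOSTS, "locust.cns.vt.edu"))
```

Point KNOWN_HOSTS at the contents of ~/.ssh/known_hosts or a system-wide file to check a real entry; a None result means the client has nothing stored for that host and will prompt on the next connection.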
Authenticating clients with keys
Instead of using a password for login, you can also use a key stored on your client. In general, keys will have much better cryptographic strength than any password you can remember. Except in cases of automated processes, the SSH client key should be protected with a strong passphrase.
Using the agent
If you are authenticating with a key, you can use the SSH agent to store that key for you. You only need to enter the passphrase when the key is loaded into the agent. Please use a reasonable timeout when you load a key into the agent so it does not remain available too long when you are not using it. A timeout of 20 minutes will enable you to login to as many hosts as you like and only have to type the passphrase every 20 minutes.
While keys are available in the agent, an attacker with sufficient access to the system you are running the client on could authenticate to a remote host as you. If the key is not stored on a smart card, there is also some possibility that the key could be recovered from memory by an attacker.