VERIFYING HOST KEYS

When connecting to a server for the first time, a fingerprint of the server's public key is presented to the user (unless the
option StrictHostKeyChecking has been disabled). Fingerprints can be determined using ssh-keygen(1):

    $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

If the fingerprint is already known, it can be matched and the key can be accepted or rejected. Because of the difficulty of
comparing host keys just by looking at hex strings, there is also support to compare host keys visually, using random art. By
setting the VisualHostKey option to “yes”, a small ASCII graphic gets displayed on every login to a server, whether or not the
session itself is interactive. By learning the pattern a known server produces, a user can easily find out that the host key
has changed when a completely different pattern is displayed. Because these patterns are not unambiguous, however, a pattern
that looks similar to the remembered one only gives a good probability that the host key is the same, not guaranteed proof.

To get a listing of the fingerprints along with their random art for all known hosts, the following command line can be used:

    $ ssh-keygen -lv -f ~/.ssh/known_hosts

If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified by DNS. An
additional resource record (RR), SSHFP, is added to a zonefile and the connecting client is able to match the fingerprint with
that of the key presented.

In this example, we are connecting a client to a server, “host.example.com”. The SSHFP resource records should first be added
to the zonefile for host.example.com:

    $ ssh-keygen -r host.example.com.

The output lines will have to be added to the zonefile. To check that the zone is answering fingerprint queries:

    $ dig -t SSHFP host.example.com

Finally the client connects:

    $ ssh -o "VerifyHostKeyDNS ask" host.example.com
    [...]
    Matching host key fingerprint found in DNS.
    Are you sure you want to continue connecting (yes/no)?

See the VerifyHostKeyDNS option in ssh_config(5) for more information.
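As an added example (not part of ssh(1) or OpenSSH), the following Python reproduces what ssh-keygen -r emits and what a client with VerifyHostKeyDNS checks: the SSHFP RDATA is the key algorithm number, the hash type, and the hash over the raw public key blob. The key is a constructed ssh-ed25519 blob, not a real host key; it also shows the SHA256 display fingerprint that ssh-keygen -l prints for the manual comparison described above.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key: an ssh-ed25519 blob whose 32-byte point is a fixed test
# pattern (NOT a real host key), laid out the way ssh_host_ed25519_key.pub stores it.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host.example.com"

# Code points from RFC 4255 / RFC 6594, as used by ssh-keygen -r.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_key_line(line: str):
    """Split a one-line public key into (key type, raw key blob), checking the two agree."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type prefix does not match blob")
    return keytype, blob


def display_fingerprint(line: str) -> str:
    """Fingerprint as ssh-keygen -l prints it: SHA256 over the blob, base64 with '=' stripped."""
    _, blob = parse_key_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def sshfp_records(hostname: str, line: str):
    """Zone lines equivalent to ssh-keygen -r: one record per hash type, hex over the blob."""
    keytype, blob = parse_key_line(line)
    algo = SSHFP_ALGO[keytype]
    return [f"{hostname} IN SSHFP {algo} {fptype} {fn(blob).hexdigest()}"
            for fptype, fn in SSHFP_HASH.items()]


def matches_dns(line: str, rdata: str) -> bool:
    """Client-side check: does one SSHFP RDATA ('algo fptype hex') match the presented key?"""
    keytype, blob = parse_key_line(line)
    algo, fptype, fp = rdata.split()
    if int(algo) != SSHFP_ALGO[keytype] or int(fptype) not in SSHFP_HASH:
        return False  # wrong key algorithm or unknown hash type: never a match
    return hmac.compare_digest(SSHFP_HASH[int(fptype)](blob).hexdigest(), fp.lower())
```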