|
1
|
VERIFYING HOST KEYS
|
|
2
|
When connecting to a server for the first time, a fingerprint of the server's public key is presented to the user (unless the
|
|
3
|
option StrictHostKeyChecking has been disabled). Fingerprints can be determined using ssh-keygen(1):
|
|
4
|
|
|
5
|
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
|
|
6
|
|
|
7
|
If the fingerprint is already known, it can be matched and the key can be accepted or rejected. Because of the difficulty of
|
|
8
|
comparing host keys just by looking at hex strings, there is also support to compare host keys visually, using random art. By
|
|
9
|
setting the VisualHostKey option to “yes”, a small ASCII graphic gets displayed on every login to a server, no matter if the
|
|
10
|
session itself is interactive or not. By learning the pattern a known server produces, a user can easily find out that the
|
|
11
|
host key has changed when a completely different pattern is displayed. Because these patterns are not unambiguous however, a
|
|
12
|
pattern that looks similar to the pattern remembered only gives a good probability that the host key is the same, not guaran‐
|
|
13
|
teed proof.
|
|
14
|
|
|
15
|
To get a listing of the fingerprints along with their random art for all known hosts, the following command line can be used:
|
|
16
|
|
|
17
|
$ ssh-keygen -lv -f ~/.ssh/known_hosts
|
|
18
|
|
|
19
|
If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified by DNS. An addi‐
|
|
20
|
tional resource record (RR), SSHFP, is added to a zonefile and the connecting client is able to match the fingerprint with
|
|
21
|
that of the key presented.
|
|
22
|
|
|
23
|
In this example, we are connecting a client to a server, “host.example.com”. The SSHFP resource records should first be added
|
|
24
|
to the zonefile for host.example.com:
|
|
25
|
|
|
26
|
$ ssh-keygen -r host.example.com.
|
|
27
|
|
|
28
|
The output lines will have to be added to the zonefile. To check that the zone is answering fingerprint queries:
|
|
29
|
|
|
30
|
$ dig -t SSHFP host.example.com
|
|
31
|
|
|
32
|
Finally the client connects:
|
|
33
|
|
|
34
|
$ ssh -o "VerifyHostKeyDNS ask" host.example.com
|
|
35
|
[...]
|
|
36
|
Matching host key fingerprint found in DNS.
|
|
37
|
Are you sure you want to continue connecting (yes/no)?
|
|
38
|
|
|
39
|
See the VerifyHostKeyDNS option in ssh_config(5) for more information.
|
|
40
|
|
|
41
|
|