LinuxQuestions.org

Linux - Security forum: How do I find out the RSA fingerprint of the server I want to connect to (https://www.linuxquestions.org/questions/linux-security-4/how-do-i-find-out-the-rsa-fingerprint-of-the-server-i-want-to-connect-to-590322/)

dwwiebe 10-08-2007 01:32 PM

How do I find out the RSA fingerprint of the server I want to connect to
 
I know that when connecting to a server using SSH for the first time you get a message like:

The authenticity of host 'nnn.nnn.nnn.nnn' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? no


And that once it is accepted, it is stored in ~/.ssh/known_hosts for comparison on the next connection attempts. This previous knowledge helps to avoid the "Man-in-the-middle" attack from that point on.

What I would like to know is, how can I be sure the first time I connect that I am connecting to the right server, and not a "Man-in-the-middle" server?
I would like to know if there is a way to obtain the fingerprint on the server so that I can really be sure.

Thanks.

win32sux 10-08-2007 02:26 PM

Quote:

Originally Posted by dwwiebe (Post 2917437)
What I would like to know is, how can I be sure the first time I connect that I am connecting to the right server, and not a "Man-in-the-middle" server?
I would like to know if there is a way to obtain the fingerprint on the server so that I can really be sure.

Maybe ask the server admin to pre-share the key via an out-of-band method such as a CD?

bsdunix 10-08-2007 02:36 PM

Quote:

I would like to know if there is a way to obtain the fingerprint on the server so that I can really be sure.
It's called prior knowledge. Get with the SysAdmin of the remote host to obtain the fingerprint prior to connection, so that way you can compare what fingerprint is presented at connection time. Would you trust a fingerprint that's posted publicly on a web page that you've never seen?

dwwiebe 10-08-2007 02:48 PM

Quote:

Originally Posted by bsdunix (Post 2917497)
It's called prior knowledge. Get with the SysAdmin of the remote host to obtain the fingerprint prior to connection, so that way you can compare what fingerprint is presented at connection time. Would you trust a fingerprint that's posted publicly on a web page that you've never seen?

Okay, where does the admin of the server get this information from? What command must he/she run?

Thanks

win32sux 10-08-2007 02:53 PM

Quote:

Originally Posted by dwwiebe (Post 2917509)
Okay, where does the admin of the server get this information from? What command must he/she run?

If he's using RSA then it'll usually be the /etc/ssh/ssh_host_rsa_key.pub file.

So he basically just needs to give you a copy of that.

dwwiebe 10-08-2007 03:16 PM

Quote:

Originally Posted by win32sux (Post 2917513)
If he's using RSA then it'll usually be the /etc/ssh/ssh_host_rsa_key.pub file.

So he basically just needs to give you a copy of that.

Okay, I just checked it and, if I understood, I would append the ssh_host_rsa_key.pub that I got from the admin of the remote server to my local copy of known_hosts. This way the warning:

The authenticity of host 'nnn.nnn.nnn.nnn' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? no


would never appear. That's great! This way I can be sure what I am connecting to from the beginning.

Only for the record: ssh_host_rsa_key.pub is NOT the fingerprint of the RSA Key - it is the RSA Key itself! And now I got curious: is there any tool that generates the fingerprint based on a given key?

win32sux 10-08-2007 03:19 PM

Quote:

Originally Posted by dwwiebe (Post 2917543)
is there any tool that generates the fingerprint based on a given key?

Of course. To get the print do a:
Code:

ssh-keygen -l -f server-public-key.txt

dwwiebe 10-08-2007 03:32 PM

Thanks win32sux

win32sux 10-08-2007 03:34 PM

Quote:

Originally Posted by dwwiebe (Post 2917566)
Thanks win32sux

You're very welcome! BTW, welcome to LQ!!! :)

jtonti 02-04-2019 05:54 PM

Force reported RSA fingerprint to be in MD5 (or other) format
 
Thanks win32sux :).

To take it one step further...

Adding "-E md5" to the ssh-keygen command will force it to output the RSA fingerprint in the hexadecimal colon-delimited format that ssh may display (as is shown in the original question). (Do man ssh-keygen to see other formats available.)

Putting the command in a do loop will display all the public keys.

Code:

cd /etc/ssh; for file in *sa_key.pub; do ssh-keygen -E md5 -lf "$file"; done
(I put this command in a shell script for easy accessibility.)
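As an added example (not code from the thread), the following Python reproduces what `ssh-keygen -l -f` and `ssh-keygen -E md5 -l -f` compute from the public key line the admin hands over, builds the known_hosts entry that appending that line creates, and checks the key against a fingerprint obtained out of band before it is trusted. The sample key is assembled from a made-up modulus and is not a real host key.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def make_pubkey_line(e: int, n: int, comment: str = "constructed") -> str:
    """Assemble an ssh-rsa public key line from e and n (demo input only;
    a real host key line comes from /etc/ssh/ssh_host_rsa_key.pub)."""
    def mpint(x: int) -> bytes:  # positive mpint: leading 0x00 if high bit set
        return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    blob = _ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Return (key_type, raw blob) from an OpenSSH public key line."""
    key_type, b64 = line.split()[:2]            # trailing comment is ignored
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])        # blob begins with its own type
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field and blob disagree")
    return key_type, blob

def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH default: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex form (ssh-keygen -E md5), as in the thread."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def known_hosts_line(host: str, line: str) -> str:
    """The entry that appending the admin's key to ~/.ssh/known_hosts creates."""
    key_type, b64 = line.split()[:2]
    return f"{host} {key_type} {b64}"

def matches_expected(line: str, expected: str) -> bool:
    """Compare the key's fingerprint with one obtained out of band; accepts
    either format, the hex form case-insensitively, with or without MD5:."""
    _, blob = parse_pubkey_line(line)
    want = expected.strip()
    if want.lower().startswith("md5:"):
        want = want[4:]
    return want == fingerprint_sha256(blob) or want.lower() == fingerprint_md5(blob)
```

Run `matches_expected` on the line from the admin with the fingerprint he read out to you; only on a True result does the line belong in known_hosts.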

