Fingerprints
(redirected from Openbsd.Sshkeys)
In order to prevent a Man-In-The-Middle attack (MITM)?, SSH requires you to check the fingerprints of the server you connect to. For example, fingerprints for IRCNow servers should be verified before connecting to IRCNow with SSH.
Your SSH Fingerprints
When the ssh server is installed, it stores its keys in /etc/ssh. You can run this script to quickly get the ssh fingerprints for all your keys:
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
The first four fingerprints use MD5 hashing, which is used by PuTTY. The last four uses SHA256 hashing, which is used by OpenSSH?.
Publish SSHFP
A convenient place to publish ssh fingerprints is in DNS using SSHFP records:
$ ssh-keygen -r example.com. example.com IN SSHFP 1 1 7251d06cf5cf9312b502388edd93ff924c52a73a example.com IN SSHFP 1 2 a0f433e68e5ba29f23825b21a23660d94a5b8a814cd71827fb75cfb4e84e4c49 example.com IN SSHFP 2 1 22ccda0cafee42f3e2cc53d5f695244677a1a88f example.com IN SSHFP 2 2 88fbc099391d1e37330409978e68bdeebc50fe9bc41c5e2fd4a2d29ecde20409 example.com IN SSHFP 3 1 c9a19b42a7165596f0d0e5bfa947232978901dcb example.com IN SSHFP 3 2 6a9facbb8693644063b1eee91cfce24ada5536ff52df98210fae3d350fffaf34 example.com IN SSHFP 4 1 4dc3d59ef28733c89f83e0e078b10a4a816e2a04 example.com IN SSHFP 4 2 a1f1388dff27d02f942ea5a9e2cb6008ae3e0a61622e5ff2b1ce746b32049152
Replace example.com.
with your domain, making sure to include the final
period for a fully qualified domain name (FQDN). ssh will generate
all of your SSHFP records for you, which can then be added to your
nameserver's zone files.
SSHFP records follow this format:
<Name> [<TTL>] [<Protocol>] SSHFP <Algorithm> <Type> <Fingerprint>
Keyword | Meaning |
---|---|
TTL | Time to live (seconds) |
Protocol | IN for Internet |
Algorithm | 0: reserved; 1: RSA; 2: DSA, 3: ECDSA; 4: Ed25519 |
Type | Hash -- 0: reserved; 1: SHA-1; 2: SHA-256) |
Fingerprint | Hexadecimal of hash |
DNSSEC should be enabled for better security.
SSH clients can then verify if the fingerprints match by enabling the option VerifyHostKeyDNS:
$ ssh -o "VerifyHostKeyDNS yes" example.com
If the fingerprints match, you will see a line similar to the following:
Matching host key fingerprint found in DNS.