http://blog.binarymist.net/2013/02/16/establishing-your-ssh-servers-key-fingerprint/
To save you going there, here is the info:
Establishing your SSH Server’s Key Fingerprint
When you connect to a remote host via SSH that you haven’t established a trust relationship with before,
you’re going to be told that the authenticity of the host you’re attempting to connect to can’t be established.
me@mybox ~ $ ssh me@10.1.1.40
The authenticity of host '10.1.1.40 (10.1.1.40)' can't be established.
RSA key fingerprint is 23:d9:43:34:9c:b3:23:da:94:cb:39:f8:6a:95:c6:bc.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no':
Do you type yes to continue without actually
knowing that it is the host you think it is? Well, if you do, you
should be more careful. The fingerprint that’s being put in front of you
could be that of a Man In The Middle (MITM). You can easily query the
target (from its own shell, of course) for the fingerprint of its key. On
Debian you’ll find the keys in /etc/ssh/
When you run
ls /etc/ssh/
you should get a listing that reveals the private and public keys. Run
the following command from within that directory on the appropriate key
to reveal its fingerprint.
For example if SSH is using rsa:
ssh-keygen -lf ssh_host_rsa_key.pub
For example if SSH is using dsa:
ssh-keygen -lf ssh_host_dsa_key.pub
If you try the command on either the private
or public key you’ll be given the public key’s fingerprint, which is
exactly what you need for verifying the authenticity from the client
side.
Do not connect remotely and then run the
above command, as the machine you’re connected to is still untrusted.
The command could be dishing you up any string replacement if it’s an
attacker’s machine. You need to run the command on the physical box or
get someone you trust (your network admin) to do this and hand you the
fingerprint.
Now when you try to establish your SSH
connection for the first time, you can check that the remote host is
actually the host you think it is by comparing the output of one of the
previous commands with what SSH on your client is telling you the remote
host’s fingerprint is. If it’s different, it’s time to start tracking
down the origin of the host masquerading as the address you’re trying to
hook up with.
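The comparison can also be done mechanically rather than by eye. The following is an added example, not code from the original post: it computes a host key's fingerprint directly from the public key line the client was presented (for instance one captured with ssh-keyscan) and checks it against the fingerprint obtained on the box itself. It goes slightly beyond the post by also accepting the SHA256: format that current OpenSSH prints by default; the function names and SAMPLE_LINE (a constructed ssh-rsa blob with placeholder modulus bytes) are assumptions for illustration.

```python
import base64
import hashlib

def _ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

# Constructed sample, not a real host key: an ssh-rsa blob (type, exponent,
# modulus) with placeholder modulus bytes, laid out like a known_hosts line.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_LINE = "10.1.1.40 ssh-rsa " + base64.b64encode(_BLOB).decode()

def key_blob(line):
    """Extract the raw public key blob from a .pub or known_hosts style line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # not base64, e.g. the key type field
            continue
        # A real blob starts with its own key type as an SSH string.
        name_len = int.from_bytes(blob[:4], "big")
        if blob[4:4 + name_len] == key_type.encode():
            return blob
    raise ValueError("no SSH public key found in line")

def fingerprint(line, algo="md5"):
    """Hash of the public key blob, in ssh-keygen's display format."""
    blob = key_blob(line)
    if algo == "md5":  # colon-separated hex, the format shown in the post
        digest = hashlib.md5(blob).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    if algo == "sha256":  # default display format in current OpenSSH
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("unsupported algorithm: " + algo)

def matches_trusted(line, trusted_fp):
    """True only if the presented key hashes to the out-of-band fingerprint."""
    trusted_fp = trusted_fp.strip()
    if trusted_fp.startswith("SHA256:"):
        return fingerprint(line, "sha256") == trusted_fp
    if trusted_fp[:4].lower() == "md5:":  # newer ssh-keygen prints this prefix
        trusted_fp = trusted_fp[4:]
    return fingerprint(line, "md5") == trusted_fp.lower()

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LINE), fingerprint(SAMPLE_LINE, "sha256"))
```

Only accept the host key when matches_trusted returns True for the fingerprint you were handed out of band; a False result is the mismatch case described above.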
Now, when you get the following message when
attempting to SSH to your server, due to something or somebody changing
the host’s key fingerprint:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:d9:43:34:9c:b3:23:da:94:cb:39:f8:6a:95:c6:bc.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/me/.ssh/known_hosts:6
remove with: ssh-keygen -f "/home/me/.ssh/known_hosts" -R 10.1.1.40
RSA host key for 10.1.1.40 has changed and you have requested strict checking.
Host key verification failed.
The same applies. Check that the fingerprint
is indeed the intended target host’s key fingerprint. If it is, run the
ssh-keygen -R command specified in the message.