User Tools

Site Tools

Trace:
ssl_fingerprint

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ssl_fingerprint [2016/05/06 07:03] luke7858ssl_fingerprint [2024/05/23 07:26] (current) – external edit 127.0.0.1
Line 11: Line 11:
 This could be due to OS re-installs, re-installing ssh This could be due to OS re-installs, re-installing ssh
 \\ \\
-However this could also mean that the machine you are connecting to is different. If you are sshing to a domain then the server behind the domain may have changed, or you could be targeted by a main-in-the-middle attack where the attacker somehow intercepts/reroutes your ssh connection to a different machine. They could be doing this to snoop your username and password combination. +__**WARNING**__: However this could also mean that the machine you are connecting to is different. If you are sshing to a domain then the server behind the domain may have changed, or you could be targeted by a main-in-the-middle attack where the attacker somehow intercepts/reroutes your ssh connection to a different machine. They could be doing this to snoop your username and password combination. 
 \\ \\
 \\ \\
Line 20: Line 20:
 \\ \\
 \\ \\
 +== Connecting to a devicee ==
 When sshing to a device for the first time you will see something similar to: When sshing to a device for the first time you will see something similar to:
 <sxh bash> <sxh bash>
 The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established. The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established.
-RSA key fingerprint is 59:c7:8c:34:e7:97:c1:3z:e4:3a:13:e2:g6:39:7c:k9.+RSA key fingerprint is 59:c7:8c:34:e7:97:c1:3f:e4:3a:13:e2:s6:39:7c:l9.
 Are you sure you want to continue connecting (yes/no)?  Are you sure you want to continue connecting (yes/no)? 
 </sxh> </sxh>
 +This 'fingerprint' is a more 'human friendly' output of a servers public key. 
 \\ \\
-If you now run the following command on the server you have just connected toyou should get the same RSA fingerprint: +\\ 
 +\\ 
 +Now its worth noting, if you are very strict about security then it would be worth retrieving the following information BEFORE sshing to the device for the first time. To prevent accidental exposing your username and password to an unknown device.  
 +\\ 
 +\\ 
 +If you wish to obtain the fingerprint before connecting to a device then you should ask the owner of the other server to run the following command and send you the output before you connect:
 <sxh bash> <sxh bash>
-[root@LLL ssh]# for file in *sa_key.pub+cd /etc/ssh 
 +for file in *sa_key.pub
 do   ssh-keygen -lf $file do   ssh-keygen -lf $file
 done done
Line 38: Line 45:
 1024 df:7e:cd:54:4a:76:78:3e:2a:23:32:de:30:6n:09:43 ssh_host_dsa_key.pub (DSA) 1024 df:7e:cd:54:4a:76:78:3e:2a:23:32:de:30:6n:09:43 ssh_host_dsa_key.pub (DSA)
 2048 59:c7:8c:34:e7:97:c1:3z:e4:3a:13:e2:g6:39:7c:k9 ssh_host_rsa_key.pub (RSA) 2048 59:c7:8c:34:e7:97:c1:3z:e4:3a:13:e2:g6:39:7c:k9 ssh_host_rsa_key.pub (RSA)
 +</sxh>
 +You can now compare the two when first sshing to the device. 
 +\\
 +
 +\\
 +== .ssh/known_hosts ==
 +Your server stores a FULL copy of the target devices public key in the file known_hosts, along with its IP. 
 +\\
 +The fingerprint hash is for the use of humans so that its easier to compare fingerprints rather than trying to compare full private keys quickly.
 +\\
 +Know hosts output for an ip looks similar to:
 +<sxh bash>
 +x.x.x.x ssh-rsa AAAAB3NzaC1ycHJLJASLK@KSAABAQCwYykFF8PXobqCVGHOiLGxqDIa6m4ka7MHbLr
 +9IyL9SAZw9mnod2YZN311mGSGSoNww1XByZS7+PFzTbkd/Mudoa4LznZpmKL5eU3n61F/kNnKoJS3sEDkv
 +cZ+ybuEJrwUMN+8gg9Il+IvJ6yz4zv7Xb84o4PuGZSkXvC9L+LlNDDfehnjLbzfBgHJAkhjAsjlkj;lm'6
 ++F79g bjSCI6X4zvxNmaqyY9/PaqRWPpAAnnBLGmZpOolMHMo9jmom0797asHJAJKSVXlil/sr3Y5eQqEv3sV
 +tTppE4vlEuni0fHKHASJljsadljklasdJKHnuAxjAz
 +</sxh>
 +\\
 +\\
 +== Fingerprint Changed ==
 +Below is an example output when a devices public key has changed. If you receive the following warning and you believe the target device has NOT been re-installed/edited etc, then I would highly recommend being very cautious
 +<sxh bash>
 +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 +Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 +It is also possible that the RSA host key has just been changed.
 +The fingerprint for the RSA key sent by the remote host is
 +2b:sa:a0:af:97:f8:0c:04:81:5b:ef:4d:56:ad:09:34.
 +Please contact your system administrator.
 +The authenticity of host 'x.x.x.x (2001:4d48:ad51:2f00::2:2)' can't be established.
 +RSA key fingerprint is 6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23.
 +Are you sure you want to continue connecting (yes/no)? 
 </sxh> </sxh>
 \\ \\
Line 43: Line 85:
 ^ Flag ^ Explanation ^ ^ Flag ^ Explanation ^
 | -l | Show fingerprint of specified public key file. Private RSA1 keys are also supported. \\ For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint | | -l | Show fingerprint of specified public key file. Private RSA1 keys are also supported. \\ For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint |
 +| -f | file name |
 \\ \\
 \\ \\
ssl_fingerprint.1462518199.txt.gz · Last modified: 2024/05/23 07:26 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
Public Domain Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki