Differences

This shows you the differences between two versions of the page.

--- ssl_fingerprint [2016/05/06 07:22] – luke7858
+++ ssl_fingerprint [2024/05/23 07:26] (current) – external edit 127.0.0.1
@@ Line 11: / Line 11: @@
 This could be due to OS re-installs, re-installing ssh
 \\
-However this could also mean that the machine you are connecting to is different. If you are sshing to a domain then the server behind the domain may have changed, or you could be targeted by a main-in-the-middle attack where the attacker somehow intercepts/reroutes your ssh connection to a different machine. They could be doing this to snoop your username and password combination.
+__**WARNING**__: However this could also mean that the machine you are connecting to is different. If you are sshing to a domain then the server behind the domain may have changed, or you could be targeted by a main-in-the-middle attack where the attacker somehow intercepts/reroutes your ssh connection to a different machine. They could be doing this to snoop your username and password combination.
 \\
 \\
@@ Line 20: / Line 20: @@
 \\
 \\
+== Connecting to a devicee ==
 When sshing to a device for the first time you will see something similar to:
 <sxh bash>
 The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established.
-RSA key fingerprint is 59:c7:8c:34:e7:97:c1:3z:e4:3a:13:e2:g6:39:7c:k9.
+RSA key fingerprint is 59:c7:8c:34:e7:97:c1:3f:e4:3a:13:e2:s6:39:7c:l9.
 Are you sure you want to continue connecting (yes/no)?
 </sxh>
+This 'fingerprint' is a more 'human friendly' output of a servers public key.
 \\
-If you now run the following command on the server you have just connected to, you should get the same RSA fingerprint:
+\\
+\\
+Now its worth noting, if you are very strict about security then it would be worth retrieving the following information BEFORE sshing to the device for the first time. To prevent accidental exposing your username and password to an unknown device.
+\\
+\\
+If you wish to obtain the fingerprint before connecting to a device then you should ask the owner of the other server to run the following command and send you the output before you connect:
 <sxh bash>
 cd /etc/ssh
@@ Line 39: / Line 45: @@
 df:7e:cd:54:4a:76:78:3e:2a:23:32:de:30:6n:09:43 ssh_host_dsa_key.pub (DSA)
 59:c7:8c:34:e7:97:c1:3z:e4:3a:13:e2:g6:39:7c:k9 ssh_host_rsa_key.pub (RSA)
+</sxh>
+You can now compare the two when first sshing to the device.
+\\
+\\
+== .ssh/known_hosts ==
+Your server stores a FULL copy of the target devices public key in the file known_hosts, along with its IP.
+\\
+The fingerprint hash is for the use of humans so that its easier to compare fingerprints rather than trying to compare full private keys quickly.
+\\
+Know hosts output for an ip looks similar to:
+<sxh bash>
+x.x.x.x ssh-rsa AAAAB3NzaC1ycHJLJASLK@KSAABAQCwYykFF8PXobqCVGHOiLGxqDIa6m4ka7MHbLr
+IyL9SAZw9mnod2YZN311mGSGSoNww1XByZS7+PFzTbkd/Mudoa4LznZpmKL5eU3n61F/kNnKoJS3sEDkv
+cZ+ybuEJrwUMN+8gg9Il+IvJ6yz4zv7Xb84o4PuGZSkXvC9L+LlNDDfehnjLbzfBgHJAkhjAsjlkj;lm'6
++F79g bjSCI6X4zvxNmaqyY9/PaqRWPpAAnnBLGmZpOolMHMo9jmom0797asHJAJKSVXlil/sr3Y5eQqEv3sV
+tTppE4vlEuni0fHKHASJljsadljklasdJKHnuAxjAz
 </sxh>
 \\
 \\
 == Fingerprint Changed ==
+Below is an example output when a devices public key has changed. If you receive the following warning and you believe the target device has NOT been re-installed/edited etc, then I would highly recommend being very cautious
 <sxh bash>
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@ Line 53: / Line 77: @@
 b:sa:a0:af:97:f8:0c:04:81:5b:ef:4d:56:ad:09:34.
 Please contact your system administrator.
-Update the SSHFP RR in DNS with the new host key to get rid of this message.
 The authenticity of host 'x.x.x.x (2001:4d48:ad51:2f00::2:2)' can't be established.
 RSA key fingerprint is 6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23.
-No matching host key fingerprint found in DNS.
 Are you sure you want to continue connecting (yes/no)?
 </sxh>