Public Fingerprint
Overview
Used to identify and verify the host you are connecting to.
Explanation
The host's public key is encoded into a sequence of bytes and hashed (with SHA1/SHA2) to produce the fingerprint. The next time you connect to the device the client recomputes the fingerprint and compares it with the stored one, which lets you verify that the device is the same one you connected to before.
If the fingerprint has changed, the public key of the machine you are connecting to has changed.
This could be due to an OS re-install or a re-install of ssh.
However, it could also mean that the machine you are connecting to is a different one. If you are sshing to a domain name, the server behind that name may have changed, or you could be the target of a man-in-the-middle attack, where the attacker intercepts or reroutes your ssh connection to a different machine. They could be doing this to capture your username and password combination.
A server's public key is stored at:
/etc/ssh/ssh_host_rsa_key.pub
When sshing to a device for the first time you will see something similar to:
The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established. RSA key fingerprint is 59:c7:8c:34:e7:97:c1:3z:e4:3a:13:e2:g6:39:7c:k9. Are you sure you want to continue connecting (yes/no)?
If you now run the following command on the server you have just connected to, you should get the same RSA fingerprint:
cd /etc/ssh
for file in *sa_key.pub
do
  ssh-keygen -lf $file
done
Output should be similar to:
1024 df:7e:cd:54:4a:76:78:3e:2a:23:32:de:30:6n:09:43 ssh_host_dsa_key.pub (DSA)
2048 59:c7:8c:34:e7:97:c1:3z:e4:3a:13:e2:g6:39:7c:k9 ssh_host_rsa_key.pub (RSA)
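As an added example (not code from the original page), the script below checks the fingerprint your ssh client displayed against a public key line you obtained out-of-band, for instance the contents of /etc/ssh/ssh_host_rsa_key.pub read on the server console. It computes both the legacy colon-separated MD5 form shown on this page and the SHA256 form that newer ssh-keygen prints, and it tolerates the prefix, padding and case differences between the two tools. The sample key line is constructed inside the script and the function names are my own.

```python
import base64
import hashlib
import struct

def parse_pubkey_line(line):
    """Split 'type base64 [comment]' into (type, blob); the blob's first
    length-prefixed field must repeat the declared key type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    declared, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii")
    if embedded != declared:
        raise ValueError(f"key type mismatch: {declared!r} vs {embedded!r}")
    return declared, blob

def md5_fingerprint(blob):
    """Legacy colon-separated hex form, as in the page's examples."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    """Form printed by current ssh-keygen: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def normalise(fp):
    """Drop the hash-name prefix, base64 padding and hex case before comparing."""
    fp = fp.strip()
    for prefix in ("MD5:", "SHA256:"):
        if fp.upper().startswith(prefix):
            fp = fp[len(prefix):]
    return fp.lower() if ":" in fp else fp.rstrip("=")

def fingerprint_matches(shown, blob):
    """True if the fingerprint the ssh client displayed belongs to this key."""
    return normalise(shown) in (normalise(md5_fingerprint(blob)),
                                normalise(sha256_fingerprint(blob)))

def build_ed25519_line(raw_key, comment="constructed"):
    """Assemble a public key line from 32 raw bytes (test data only)."""
    ktype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(ktype)) + ktype
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"

# Constructed sample; the 32 key bytes are a counter, not a real key.
SAMPLE_LINE = build_ed25519_line(bytes(range(32)))
```

To use it on a real host, paste the line from the server's .pub file in place of SAMPLE_LINE and call fingerprint_matches() with the fingerprint string from the client's prompt.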
Fingerprint Changed
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2b:sa:a0:af:97:f8:0c:04:81:5b:ef:4d:56:ad:09:34.
Please contact your system administrator.
Update the SSHFP RR in DNS with the new host key to get rid of this message.
The authenticity of host 'x.x.x.x (2001:4d48:ad51:2f00::2:2)' can't be established.
RSA key fingerprint is 6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
ssh-keygen
Flag | Explanation |
---|---|
-l | Show the fingerprint of the specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. |
-f | Name of the key file to read. |
Security Threats
- Man-in-the-middle Attack
- Preimage Attack
- Collision Attack
http://www.phcomp.co.uk/Tutorials/Unix-And-Linux/ssh-check-server-fingerprint.html
https://en.wikipedia.org/wiki/Public_key_fingerprint
http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html