Obtain and verify your SSH key fingerprint

Source: Internet
Author: User

Sometimes you find that the SSH key has changed after logging on to a machine. This situation may be caused by man-in-the-middle attacks, but in more cases, the host is rebuilt, A new SSH key is generated (so when you recreate the server, you need to develop a good habit of saving and restoring the SSH key ).

So how should I check the fingerprint?

You can directly obtain the public key from the remote server through the network:

 


Ssh-keyscan-p 22-t rsa, dsa remote_host>/tmp/ssh_host_rsa_dsa_key.pub

Then you can use this file to generate a fingerprint:


Ssh-keygen-l-f/tmp/ssh_host_rsa_dsa_key.pub

However, if your key is changed under other factors and you want to explore the reasons for the change, the network approach is not enough. Try other methods to log on to the real machine (such as through the Management Console or KVM console), and then generate a fingerprint:


Ssh-keygen-lf/etc/ssh/ssh_host_dsa_key

Ssh-keygen-lf/etc/ssh/ssh_host_rsa_key

Then, compare it with your fingerprint obtained through the network. If they match, everything is fine. If they do not match, you may be in trouble.

If the fingerprint does not match, you should first perform a network scan for the ARP request to see which IP Address has responded to the ARP request. During ping, scan to see if there are any ARP requests. If there are two hosts, they will "Snap" each other for an ARP entry, and you should be able to see two responses.

Once you know the ethernet address of the mysterious host, you can track ARP traffic through the routing (or switch) interface.

Original article: http://administratosphere.wordpress.com/2011/05/28/getting-and-verifying-ssh-fingerprints/

 

[SSH key fingerprint]

To avoid man-in-the-middle attacks, when the Administrator remotely connects to the host through SSH, SSH generates host fingerprints and requests them to be saved. The server administrator can send a key fingerprint to the client to verify the authenticity of the server upon the first login. In subsequent connections, the system will verify that the fingerprint matches the saved fingerprint. If the password does not match, SSH will give a warning about the key change.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.