Last active October 9, 2023 05:26
How to see what the ssh fingerprints are for a host you are attempting to ssh into
Sometimes when you ssh to a new host, you will see a warning message from your ssh client asking you to verify
that the ssh fingerprint is correct.
In order to confirm that the fingerprint is truly correct, run the following command on the host
that you are trying to ssh into (the host for which you see that message):
$ for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done
This should be done before accepting that the fingerprint you are presented with is the correct one. Ideally you would have
another way to access the host you are ssh'ing into: either console access to it, or a trusted person who has console access.
Example:
We are starting from hostname realip, and want to ssh to 192.168.1.189 (whose hostname is margaret).
20230917T192147Z: crystamped@mab:~$ ssh crystamped@192.168.1.189
The authenticity of host '192.168.1.189 (192.168.1.189)' can't be established.
ECDSA key fingerprint is SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
This is the point where we should find another way to get on margaret and issue the command:
for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done
... like this:
20230917T191424Z: crystamped@margaret:~₿ for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done
256 SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk root@margaret (ECDSA)
256 SHA256:dw7noNRHbtUn3Xsq4gEIirErU9NXW0DPDhscMb3v7IA root@margaret (ED25519)
3072 SHA256:07hZ+g0U69kYMnjuu/81KA3Qvntzbx2VROYjniZdnDg root@margaret (RSA)
20230917T191425Z: crystamped@margaret:~₿
Now that you have seen the actual ssh fingerprints on that host, you can rightfully either accept or deny the fingerprint
that is shown when you attempt to ssh into that host. A quick scan through the 4 fingerprints shown on margaret shows
that we have a matching fingerprint, "NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk", so we can rightfully answer "yes" to
the question about the fingerprint that we saw when attempting to ssh in.
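As an added worked example (not part of the gist), here is a small Python script that does the comparison above mechanically instead of by eye. It parses the `ssh-keygen -lf ... -E sha256` lines quoted above, does an exact match against the fingerprint the client prompt showed, and also shows how that SHA256 fingerprint is derived from a .pub file (base64 of the SHA-256 of the raw key blob, with the `=` padding stripped), so the server-side half of the check can be reproduced even where ssh-keygen is not at hand. The three keygen lines and the client-shown value are the gist's own; the Ed25519 key is constructed from fixed bytes and is not a real key; `parse_keygen_output`, `find_match`, `sha256_fingerprint` and `make_ed25519_pub_line` are this example's own names.

```python
import base64
import hashlib
import re
import struct

# Constructed sample: the three `ssh-keygen -lf ... -E sha256` lines from the
# gist, as captured on the server (margaret) via console access.
KEYGEN_OUTPUT = """\
256 SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk root@margaret (ECDSA)
256 SHA256:dw7noNRHbtUn3Xsq4gEIirErU9NXW0DPDhscMb3v7IA root@margaret (ED25519)
3072 SHA256:07hZ+g0U69kYMnjuu/81KA3Qvntzbx2VROYjniZdnDg root@margaret (RSA)
"""

# What the ssh client printed on the connecting machine (from the gist).
CLIENT_SHOWN = "SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk"

# One keygen line: <bits> <fingerprint> <comment> (<TYPE>)
KEYGEN_LINE = re.compile(r"^(\d+)\s+((?:SHA256|MD5):\S+)\s+.*\((\w+)\)\s*$")


def parse_keygen_output(text):
    """Map key type as printed in parentheses -> fingerprint string."""
    fingerprints = {}
    for line in text.splitlines():
        m = KEYGEN_LINE.match(line.strip())
        if m:
            fingerprints[m.group(3)] = m.group(2)
    return fingerprints


def find_match(client_shown, server_fingerprints):
    """Return the key type whose server-side fingerprint is exactly the one the
    client displayed, or None. Base64 is case-sensitive, so the comparison is
    exact; a 'looks similar' eyeball match is not a match."""
    # The client prompt ends the fingerprint with a full stop; base64 never
    # contains '.', so stripping it is safe.
    shown = client_shown.strip().rstrip(".")
    if not shown.startswith(("SHA256:", "MD5:")):
        # The gist quotes the bare value; assume the SHA256 form.
        shown = "SHA256:" + shown
    for key_type, fingerprint in server_fingerprints.items():
        if fingerprint == shown:
            return key_type
    return None


def sha256_fingerprint(pubkey_line):
    """SHA256 fingerprint of one OpenSSH .pub line, computed the way
    `ssh-keygen -E sha256` does: base64(sha256(raw key blob)) with the '='
    padding removed. The raw blob is the base64-decoded second field; the
    key-type word and the comment are not part of the hash."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_ed25519_pub_line(raw32, comment="constructed@example"):
    """Build a .pub line from a 32-byte Ed25519 public key value (constructed
    test data, not a real key). Wire format: ssh string "ssh-ed25519"
    followed by ssh string of the key bytes, each prefixed by a big-endian
    uint32 length."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")

    def ssh_string(b):
        return struct.pack(">I", len(b)) + b

    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    server = parse_keygen_output(KEYGEN_OUTPUT)
    match = find_match(CLIENT_SHOWN, server)
    if match:
        print(f"client-shown fingerprint matches the host's {match} key: safe to answer yes")
    else:
        print("no host key matches what the client showed: do not answer yes")
    sample = make_ed25519_pub_line(bytes(range(32)))
    print("fingerprint of constructed key:", sha256_fingerprint(sample))
```

In real use, feed `find_match` the output of the for-loop above (run on the host, over console access) and the fingerprint copied from the client prompt. A result of None for every key type means the key the client saw is not one the host currently holds: either the host's keys were regenerated, or something between you and the host is answering in its place, so stop and investigate rather than answering "yes".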
20230917T192147Z: crystamped@mab:~$ ssh crystamped@192.168.1.189
The authenticity of host '192.168.1.189 (192.168.1.189)' can't be established.
ECDSA key fingerprint is SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.189' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/crystamped/.ssh/id_rsa':
crystamped@192.168.1.189's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-32-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
Expanded Security Maintenance for Applications is enabled.
0 updates can be applied immediately.
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
Last login: Sun Sep 17 19:17:27 2023 from 192.168.1.189
20230813T023623Z: This is onvpn.sh checking; are we connected to VPN?
$positiveValueWhenOnVPN = 1
onvpn.sh says VPN is active.
20230917T192233Z: VPN is on
⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⣶⣦⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⣠⣴⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣄⠀⠀⠀⠀⠀
⠀⠀⠀⣠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⠀⠀⠀
⠀⠀⣴⣿⣿⣿⣿⣿⣿⣿⠟⠿⠿⡿⠀⢰⣿⠁⢈⣿⣿⣿⣿⣿⣿⣿⣿⣦⠀⠀
⠀⣼⣿⣿⣿⣿⣿⣿⣿⣿⣤⣄⠀⠀⠀⠈⠉⠀⠸⠿⣿⣿⣿⣿⣿⣿⣿⣿⣧⠀
⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡏⠀⠀⢠⣶⣶⣤⡀⠀⠈⢻⣿⣿⣿⣿⣿⣿⣿⡆
⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠃⠀⠀⠼⣿⣿⡿⠃⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣷
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡟⠀⠀⢀⣀⣀⠀⠀⠀⠀⢴⣿⣿⣿⣿⣿⣿⣿⣿⣿
⢿⣿⣿⣿⣿⣿⣿⣿⢿⣿⠁⠀⠀⣼⣿⣿⣿⣦⠀⠀⠈⢻⣿⣿⣿⣿⣿⣿⣿⡿
⠸⣿⣿⣿⣿⣿⣿⣏⠀⠀⠀⠀⠀⠛⠛⠿⠟⠋⠀⠀⠀⣾⣿⣿⣿⣿⣿⣿⣿⠇
⠀⢻⣿⣿⣿⣿⣿⣿⣿⣿⠇⠀⣤⡄⠀⣀⣀⣀⣀⣠⣾⣿⣿⣿⣿⣿⣿⣿⡟⠀
⠀⠀⠻⣿⣿⣿⣿⣿⣿⣿⣄⣰⣿⠁⢀⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠀⠀
⠀⠀⠀⠙⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀
⠀⠀⠀⠀⠀⠙⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠋⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⠻⠿⢿⣿⣿⣿⣿⡿⠿⠟⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀
$icanhazip="209.54.101.182"
{
"ip": "209.54.101.182",
"hostname": "209.54.101.182.static.quadranet.com",
"city": "Secaucus",
"region": "New Jersey",
"country": "US",
"loc": "40.7895,-74.0565",
"org": "AS8100 QuadraNet Enterprises LLC",
"postal": "07094",
"timezone": "America/New_York"
}
20230917T192233Z: crystamped@margaret:~₿ exit
logout
Connection to 192.168.1.189 closed.
20230917T192249Z: crystamped@mab:~$
I made this a bit easier to use by creating an alias for it that is loaded whenever a new shell is launched;