[TriLUG] SSH Host Key Verification - Partially Solved

Matt Pusateri mpusateri at wickedtrails.com
Wed Jan 26 13:40:26 EST 2005


On Wed, January 26, 2005 12:02 pm, Jeff Groves said:
> Matt Pusateri wrote:
>
>>Trilugers,
>>
>>
>>I just built a brand new box (FreeBSD) yesterday and when I went to
>>ssh into it for the first time, it asked me to accept the host key
>>fingerprint as you would suspect.  This got me thinking about how to
>>verify the fingerprint, so a little googling came up with
>>"ssh-keygen -l key" which prints out the fingerprint of the key you
>>feed it.  Now I have logged into the console and got my fingerprints,
>>which incidentally match the fingerprints that I recorded when the
>>server booted for the first time and created the ssh keys.  But when I
>>connect via ssh the fingerprint does not match.  So is ssh-keygen -l
>>not the way to verify the host key fingerprint?  Or am I missing
>>something?
>>
>>The client is SSH Corporation's SSH Secure Shell for Windows 3.2.9,
>>
>>And, no, I have not been rooted :)
>>
>>
>>Thanks
>>
>>Matt Pusateri
>>
>>
>>
> I think that with the ssh-keygen command that you are using, you are
> retrieving your personal client key fingerprint (from the key in your
> .ssh subdirectory off of your home directory) and not that of the
> server.
>
> You need to find where the public key for your server resides and use
> that instead.
>
> On my Fedora core 2 machine, I use this command to get what I believe
> that you're looking for:
>
> ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
>
>
> Jeff G.

There is no ~/home/.ssh because I have never logged into this box
remotely yet; I have said no to the fingerprint.  Plus, at least on
FreeBSD, when you run ssh-keygen -l without specifying the key, it
prompts you for the key, which I supplied from /etc/ssh, which is where
all the host keys for the sshd live.  I did an ssh-keygen -l on the
host key as well as the host_rsa and host_dsa keys, both private and
public, and none of them match the fingerprint that I am getting.

OK, if I ssh from another FreeBSD box, then the DSA fingerprint is
correct.  So, it seems as though the fingerprint is being given
correctly; maybe SSH.com's client is interpreting it wrong.  Hm,
maybe I should stop using the evaluation version or switch to PuTTY
or Cygwin.  Anyhow, it appears that ssh-keygen -l does indeed tell you
the correct fingerprint, and it was the client that was causing the
problem, although I have been unable to determine what that client is
doing.

Matt Pusateri
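One reason two tools can show different "fingerprints" for the same host key is display format rather than a different key: OpenSSH's ssh-keygen -l at the time printed a colon-separated MD5 hex digest, while ssh-keygen -B prints the Bubble Babble encoding of a SHA-1 digest, which is the form SSH Communications' clients commonly display. The script below is an added example, not code from this thread or from OpenSSH; it parses a public-key line in the "<type> <base64> [comment]" layout used by known_hosts and ssh_host_*_key.pub files and computes all three forms so a console reading can be compared against whatever a client shows. The sample key line is constructed from toy numbers and is not a real host key.

```python
import base64
import hashlib
import struct

# SSH wire-format helpers used only to build a toy public-key blob.
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed sample (NOT a real key): "ssh-rsa", toy e and toy n.
TOY_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(TOY_BLOB).decode() + " root@newbox"

def key_blob(line: str) -> bytes:
    """Return the raw key bytes from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return base64.b64decode(fields[1])

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 hex, the form 'ssh-keygen -l' printed in 2005."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:<unpadded base64>', the form current OpenSSH prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def bubble_babble(raw: bytes) -> str:
    """Bubble Babble encoding (Huima draft); 'ssh-keygen -B' applies it to SHA-1."""
    vowels, cons = "aeiouy", "bcdfghklmnprstvzx"
    seed, rounds, out = 1, len(raw) // 2 + 1, ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(raw) % 2:
            b0 = raw[2 * i]
            out.append(vowels[(((b0 >> 6) & 3) + seed) % 6] + cons[(b0 >> 2) & 15]
                       + vowels[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = raw[2 * i + 1]
                out.append(cons[(b1 >> 4) & 15] + "-" + cons[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:  # even length: final group is derived from the seed alone
            out.append(vowels[seed % 6] + cons[16] + vowels[seed // 6])
    out.append("x")
    return "".join(out)

def all_fingerprints(line: str) -> dict:
    blob = key_blob(line)
    return {"md5": fingerprint_md5(blob), "sha256": fingerprint_sha256(blob),
            "bubblebabble": bubble_babble(hashlib.sha1(blob).digest())}

if __name__ == "__main__":
    for name, fp in all_fingerprints(SAMPLE_LINE).items():
        print(f"{name:12s} {fp}")
```

Run it against /etc/ssh/ssh_host_rsa_key.pub (or the DSA file) at the console and compare each line against the client's prompt; only a key whose fingerprint matches in the same format should be accepted.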
