SSH Fingerprints

You are here:
Estimated reading time: 2 min

Sciama like most other servers uses the S(ecure)SH(ell) protocol to allow users to work on it from a remote computer. The connection is encrypted to ensure that nobody can intercept and alter the commands sent to Sciama or the output sent back to the user once the connection is established. But one of the weak spots in the system is to ensure that you are actually connected to the right server. So-called ‘Man-in-the-middle’ attacks can reroute your connection through a third server which then works as a relay between you and your target, but listens and potentially alters data exchanged between the user and Sciama.

This is why a digital fingerprint is provided when you log into a server. If you haven’t logged on to the server before from your current computer, this fingerprint will be presented to you and you need to confirm its authenticity (see below on how to do so).

The authenticity of host ‘login4.sciama.icg.port.ac.uk (148.197.10.71)’ can’t be established.
RSA key fingerprint is SHA256:zELprgvBZmyQRQ5/6/a58e3e660bR3lJZItu18pnZcg.
RSA key fingerprint is MD5:5f:ac:29:ac:7e:c6:73:65:98:59:f1:8f:df:e3:15:ba.
Are you sure you want to continue connecting (yes/no)? yes

Confirm this to complete the log-in. Now we have to verify that the presented fingerprint actually belongs to the target server we wanted to log into (and not to some ‘man-in-the-middle’ relay eavesdropping on our connection). To do so, simply type into the command line on the login server :-

ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub

It should present you an output like

2048 5f:ac:29:ac:7e:c6:73:65:98:59:f1:8f:df:e3:15:ba /etc/ssh/ssh_host_rsa_key.pub (RSA)

which confirms (by comparing with the MD5 fingerprint from your login) that the fingerprint actually originated from the target server and that the encryption between it and the user is not compromised.

Once you have logged in for the first time, this fingerprint will be stored on your local computer and you should never be asked about it again as long as the login server does not change (e.g. by reinstallation).  Otherwise you may see an error message like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:zELprgvBZmyQRQ5/6/a58e3e660bR3lJZItu18pnZcg.
Please contact your system administrator.
Add correct host key in $HOME/.ssh/known_hosts to get rid of this message.
Offending RSA key in $HOME/.ssh/known_hosts:24
RSA host key for login4.sciama.icg.port.ac.uk has changed and you have requested strict checking.
Host key verification failed.

If you are not aware of any reinstallation of the login servers that may have triggered this change of fingerprint, please be VERY cautious here and contact the SCIAMA support immediately. If you happen to know that the fingerprint has changed then follow the instructions and remove the fingerprint in question from the $HOME/.ssh/known_hosts file on your computer. When you log in know, the login server should be treated as a previously unknown server and you will be presented with the new fingerprint that you can then verify as described above.

Was this article helpful?
Dislike 0
Views: 73