Security for SSH

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Fri Jun 10 20:08:10 UTC 2011


On 06/10/2011 03:56 PM, Mike wrote:
> Even keyless password exchanges are encrypted by the host ssh keys.
> The question is whether you are certain the other side is who it
> claims to be...

If you do not know or trust a host that you are connecting to the first
time, you will be prompted to accept the fingerprint of said host.

The fingerprint can be obtained using ssh-keygen. If your host is using say:
HostKey /etc/ssh/ssh_host_rsa_key

Have someone run the following:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

The result will look like this:
2048 9d:89:eb:15:ee:3a:63:dc:5a:77:34:fd:36:07:fb:7c
/etc/ssh/ssh_host_rsa_key.pub (RSA)

Have that person communicate the fingerprint of that key to you using
some out-of-band method. Then when you first connect to the host, you
will be able to compare the fingerprints and validate the identity of
the remote host before actually connecting.

For example:
The authenticity of host <snip> can't be established.
RSA key fingerprint is 9d:89:eb:15:ee:3a:63:dc:5a:77:34:fd:36:07:fb:7c.
Are you sure you want to continue connecting (yes/no)?

Jamon
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
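As an added example (not code from the original post), the Python below recomputes the colon-separated MD5 fingerprint that the ssh-keygen output and the connection prompt above show, straight from the contents of a public key line, and compares the prompt's fingerprint with the one received out of band. The key line it parses is constructed for the example and is not a real key pair; the SSH wire format it decodes (length-prefixed strings and mpints) is the standard one.

```python
import base64
import hashlib
import re
import struct
# Added example (not from the original post); the sample key below is constructed.
def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian, with a leading zero byte if the high bit is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_ssh_strings(blob: bytes) -> list:
    """Split a key blob into its SSH strings (for RSA: type, e, n)."""
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def parse_pubkey_line(line: str) -> bytes:
    """Decode a '<type> <base64> [comment]' line; the blob must carry the same type."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if read_ssh_strings(blob)[0] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return blob

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated hex MD5 of the blob, the '9d:89:eb:...' form shown above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare the prompt's fingerprint with the out-of-band one, ignoring case,
    whitespace, a trailing '.' and the 'MD5:' prefix newer ssh-keygen prints."""
    norm = lambda s: re.sub(r"^md5:", "", s.strip().rstrip(".").lower())
    return norm(shown) == norm(expected)

def keygen_l_line(line: str, path: str) -> str:
    """Mimic 'ssh-keygen -l -f <path>' for an RSA key: '<bits> <fingerprint> <path> (RSA)'."""
    blob = parse_pubkey_line(line)
    keytype, _e, n = read_ssh_strings(blob)[:3]
    bits = int.from_bytes(n, "big").bit_length()
    return f"{bits} {fingerprint_md5(blob)} {path} ({keytype.decode()[4:].upper()})"

# Constructed sample: a 2048-bit "modulus" that is not a real RSA key.
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 12345)).decode() + " root@host"
```

Current OpenSSH releases print a base64 SHA256 fingerprint by default; pass `-E md5` to ssh-keygen to get the colon-separated form this script reproduces.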