Ssh /


(redirected from Openbsd.Sshkeys)

In order to prevent a Man-In-The-Middle attack (MITM)?, SSH requires you to check the fingerprints of the server you connect to. Fingerprints for the IRCNOW network servers can be found here for example.

Your SSH Fingerprints

When ssh server is installed, it stores its keys in /etc/ssh. You can run this script to quickly get the ssh fingerprints for all your keys:

ssh-keygen -E md5 -lf /etc/ssh/
ssh-keygen -E md5 -lf /etc/ssh/
ssh-keygen -E md5 -lf /etc/ssh/
ssh-keygen -lf /etc/ssh/
ssh-keygen -lf /etc/ssh/
ssh-keygen -lf /etc/ssh/

The first four fingerprints use MD5 hashing, which is used by PuTTY. The last four uses SHA256 hashing, which is used by OpenSSH?.

Publish SSHFP

A convenient place to publish ssh fingerprints is in DNS using SSHFP records:

$ ssh-keygen -r IN SSHFP 1 1 7251d06cf5cf9312b502388edd93ff924c52a73a IN SSHFP 1 2 a0f433e68e5ba29f23825b21a23660d94a5b8a814cd71827fb75cfb4e84e4c49 IN SSHFP 2 1 22ccda0cafee42f3e2cc53d5f695244677a1a88f IN SSHFP 2 2 88fbc099391d1e37330409978e68bdeebc50fe9bc41c5e2fd4a2d29ecde20409 IN SSHFP 3 1 c9a19b42a7165596f0d0e5bfa947232978901dcb IN SSHFP 3 2 6a9facbb8693644063b1eee91cfce24ada5536ff52df98210fae3d350fffaf34 IN SSHFP 4 1 4dc3d59ef28733c89f83e0e078b10a4a816e2a04 IN SSHFP 4 2 a1f1388dff27d02f942ea5a9e2cb6008ae3e0a61622e5ff2b1ce746b32049152

Replace with your domain, making sure to include the final period for a fully qualified domain name (FQDN). ssh will generate all of your SSHFP records for you, which can then be added to your nameserver's zone files.

SSHFP records follow this format:

<Name> [<TTL>] [<Class>] SSHFP <Algorithm> <Type> <Fingerprint>
TTLTime to live (seconds)
ProtocolIN for Internet
Algorithm0: reserved; 1: RSA; 2: DSA, 3: ECDSA; 4: Ed25519
TypeHash -- 0: reserved; 1: SHA-1; 2: SHA-256)
FingerprintHexadecimal of hash