Ssh /

Fingerprints

In order to prevent a Man-In-The-Middle attack (MITM)?, SSH requires you to check the fingerprints of the server you connect to. For example, fingerprints for IRCNow servers should be verified before connecting to IRCNow with SSH.

Your SSH Fingerprints

When the ssh server is installed, it stores its keys in /etc/ssh. You can run this script to quickly get the ssh fingerprints for all your keys:

ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

The first four fingerprints use MD5 hashing, which is used by PuTTY. The last four uses SHA256 hashing, which is used by OpenSSH?.

Publish SSHFP

A convenient place to publish ssh fingerprints is in DNS using SSHFP records:

$ ssh-keygen -r example.com.
example.com IN SSHFP 1 1 7251d06cf5cf9312b502388edd93ff924c52a73a
example.com IN SSHFP 1 2 a0f433e68e5ba29f23825b21a23660d94a5b8a814cd71827fb75cfb4e84e4c49
example.com IN SSHFP 2 1 22ccda0cafee42f3e2cc53d5f695244677a1a88f
example.com IN SSHFP 2 2 88fbc099391d1e37330409978e68bdeebc50fe9bc41c5e2fd4a2d29ecde20409
example.com IN SSHFP 3 1 c9a19b42a7165596f0d0e5bfa947232978901dcb
example.com IN SSHFP 3 2 6a9facbb8693644063b1eee91cfce24ada5536ff52df98210fae3d350fffaf34
example.com IN SSHFP 4 1 4dc3d59ef28733c89f83e0e078b10a4a816e2a04
example.com IN SSHFP 4 2 a1f1388dff27d02f942ea5a9e2cb6008ae3e0a61622e5ff2b1ce746b32049152

Replace example.com. with your domain, making sure to include the final period for a fully qualified domain name (FQDN). ssh will generate all of your SSHFP records for you, which can then be added to your nameserver's zone files.

SSHFP records follow this format:

<Name> [<TTL>] [<Protocol>] SSHFP <Algorithm> <Type> <Fingerprint>
KeywordMeaning
TTLTime to live (seconds)
ProtocolIN for Internet
Algorithm0: reserved; 1: RSA; 2: DSA, 3: ECDSA; 4: Ed25519
TypeHash -- 0: reserved; 1: SHA-1; 2: SHA-256)
FingerprintHexadecimal of hash

DNSSEC should be enabled for better security.

SSH clients can then verify if the fingerprints match by enabling the option VerifyHostKeyDNS:

$ ssh -o "VerifyHostKeyDNS yes" example.com

If the fingerprints match, you will see a line similar to the following:

Matching host key fingerprint found in DNS.