How to remotely verify ssh host key from CLI












1















So given the following assumptions:



1) I wish to ssh to a remote host for the first time



2) ssh-keyscan shows this:



pwaugh$ ssh-keyscan -t ecdsa pi                                      
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 pi ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEQVybySS0o5UWGHC0Qq1/pkDWZ0gK4nxUDdQEGdxWo3Dl5XMfMr+m6l5GDo7eID23j3N5Gwh7pGyea3WQbRWAk= pwaugh$


3) ssh pi@pi gives me this:



pwaugh$ ssh pi@pi
The authenticity of host 'pi (192.168.1.12)' can't be established.
ECDSA key fingerprint is SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
pwaugh$


QUESTION #1:
How can I confirm the SHA256 hash of the key returned from the server with ssh is the equivalent of the full key returned by ssh-keyscan?

(other than on the terminal $ sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key)



I'm guessing that if this were possible, it would leave me open to a man-in-the-middle attack, unless I eventually did verify it on the terminal, right?



I'm also guessing that a better method would just be gather the keys, add them to known_hosts, and then let ssh verify them for me anyway. But just curious.



QUESTION #2:
When connecting for the first time, and getting the confirm host message/key, it defaults to the ecdsa key. Is this less secure than using the ed25519 key? Can I force it to check that key? (Probably have to delete other host keys I'm guessing)



Thanks for any thoughts. I've reviewed the man files, and even a book on ssh, and just unclear on this.



Patrick










share|improve this question



























    1















    So given the following assumptions:



    1) I wish to ssh to a remote host for the first time



    2) ssh-keyscan shows this:



    pwaugh$ ssh-keyscan -t ecdsa pi                                      
    # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 pi ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEQVybySS0o5UWGHC0Qq1/pkDWZ0gK4nxUDdQEGdxWo3Dl5XMfMr+m6l5GDo7eID23j3N5Gwh7pGyea3WQbRWAk= pwaugh$


    3) ssh pi@pi gives me this:



    pwaugh$ ssh pi@pi
    The authenticity of host 'pi (192.168.1.12)' can't be established.
    ECDSA key fingerprint is SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U.
    Are you sure you want to continue connecting (yes/no)? no
    Host key verification failed.
    pwaugh$


    QUESTION #1:
    How can I confirm the SHA256 hash of the key returned from the server with ssh is the equivalent of the full key returned by ssh-keyscan?

    (other than on the terminal $ sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key)



    I'm guessing that if this were possible, it would leave me open to a man-in-the-middle attack, unless I eventually did verify it on the terminal, right?



    I'm also guessing that a better method would just be gather the keys, add them to known_hosts, and then let ssh verify them for me anyway. But just curious.



    QUESTION #2:
    When connecting for the first time, and getting the confirm host message/key, it defaults to the ecdsa key. Is this less secure than using the ed25519 key? Can I force it to check that key? (Probably have to delete other host keys I'm guessing)



    Thanks for any thoughts. I've reviewed the man files, and even a book on ssh, and just unclear on this.



    Patrick










    share|improve this question

























      1












      1








      1








      So given the following assumptions:



      1) I wish to ssh to a remote host for the first time



      2) ssh-keyscan shows this:



      pwaugh$ ssh-keyscan -t ecdsa pi                                      
      # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 pi ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEQVybySS0o5UWGHC0Qq1/pkDWZ0gK4nxUDdQEGdxWo3Dl5XMfMr+m6l5GDo7eID23j3N5Gwh7pGyea3WQbRWAk= pwaugh$


      3) ssh pi@pi gives me this:



      pwaugh$ ssh pi@pi
      The authenticity of host 'pi (192.168.1.12)' can't be established.
      ECDSA key fingerprint is SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U.
      Are you sure you want to continue connecting (yes/no)? no
      Host key verification failed.
      pwaugh$


      QUESTION #1:
      How can I confirm the SHA256 hash of the key returned from the server with ssh is the equivalent of the full key returned by ssh-keyscan?

      (other than on the terminal $ sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key)



      I'm guessing that if this were possible, it would leave me open to a man-in-the-middle attack, unless I eventually did verify it on the terminal, right?



      I'm also guessing that a better method would just be gather the keys, add them to known_hosts, and then let ssh verify them for me anyway. But just curious.



      QUESTION #2:
      When connecting for the first time, and getting the confirm host message/key, it defaults to the ecdsa key. Is this less secure than using the ed25519 key? Can I force it to check that key? (Probably have to delete other host keys I'm guessing)



      Thanks for any thoughts. I've reviewed the man files, and even a book on ssh, and just unclear on this.



      Patrick










      share|improve this question














      So given the following assumptions:



      1) I wish to ssh to a remote host for the first time



      2) ssh-keyscan shows this:



      pwaugh$ ssh-keyscan -t ecdsa pi                                      
      # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 pi ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEQVybySS0o5UWGHC0Qq1/pkDWZ0gK4nxUDdQEGdxWo3Dl5XMfMr+m6l5GDo7eID23j3N5Gwh7pGyea3WQbRWAk= pwaugh$


      3) ssh pi@pi gives me this:



      pwaugh$ ssh pi@pi
      The authenticity of host 'pi (192.168.1.12)' can't be established.
      ECDSA key fingerprint is SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U.
      Are you sure you want to continue connecting (yes/no)? no
      Host key verification failed.
      pwaugh$


      QUESTION #1:
      How can I confirm the SHA256 hash of the key returned from the server with ssh is the equivalent of the full key returned by ssh-keyscan?

      (other than on the terminal $ sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key)



      I'm guessing that if this were possible, it would leave me open to a man-in-the-middle attack, unless I eventually did verify it on the terminal, right?



      I'm also guessing that a better method would just be gather the keys, add them to known_hosts, and then let ssh verify them for me anyway. But just curious.



      QUESTION #2:
      When connecting for the first time, and getting the confirm host message/key, it defaults to the ecdsa key. Is this less secure than using the ed25519 key? Can I force it to check that key? (Probably have to delete other host keys I'm guessing)



      Thanks for any thoughts. I've reviewed the man files, and even a book on ssh, and just unclear on this.



      Patrick







      ssh openssh






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 6 at 2:14









      patrickpatrick

      62




      62






















          1 Answer
          1






          active

          oldest

          votes


















          0














          Where 'pi' is the host of interest, I can request the keys, and then pipe them to ssh-kegen as follows:



          $ ssh-keyscan pi | ssh-keygen -lf -
          # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
          # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
          # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
          256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA)
          2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA)
          256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519)
          $ _


          This is so that I don't have to physically do this on the host:



          $ ssh-keygen -lf ./.ssh/known_hosts


          Patrick






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1391052%2fhow-to-remotely-verify-ssh-host-key-from-cli%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            Where 'pi' is the host of interest, I can request the keys, and then pipe them to ssh-kegen as follows:



            $ ssh-keyscan pi | ssh-keygen -lf -
            # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
            # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
            # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
            256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA)
            2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA)
            256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519)
            $ _


            This is so that I don't have to physically do this on the host:



            $ ssh-keygen -lf ./.ssh/known_hosts


            Patrick






            share|improve this answer




























              0














              Where 'pi' is the host of interest, I can request the keys, and then pipe them to ssh-kegen as follows:



              $ ssh-keyscan pi | ssh-keygen -lf -
              # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
              # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
              # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
              256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA)
              2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA)
              256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519)
              $ _


              This is so that I don't have to physically do this on the host:



              $ ssh-keygen -lf ./.ssh/known_hosts


              Patrick






              share|improve this answer


























                0












                0








                0







                Where 'pi' is the host of interest, I can request the keys, and then pipe them to ssh-kegen as follows:



                $ ssh-keyscan pi | ssh-keygen -lf -
                # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
                # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
                # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
                256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA)
                2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA)
                256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519)
                $ _


                This is so that I don't have to physically do this on the host:



                $ ssh-keygen -lf ./.ssh/known_hosts


                Patrick






                share|improve this answer













                Where 'pi' is the host of interest, I can request the keys, and then pipe them to ssh-kegen as follows:



                $ ssh-keyscan pi | ssh-keygen -lf -
                # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
                # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
                # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
                256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA)
                2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA)
                256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519)
                $ _


                This is so that I don't have to physically do this on the host:



                $ ssh-keygen -lf ./.ssh/known_hosts


                Patrick







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jan 6 at 4:10









                patrickpatrick

                62




                62






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1391052%2fhow-to-remotely-verify-ssh-host-key-from-cli%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                    Alcedinidae

                    Origin of the phrase “under your belt”?