How to remotely verify ssh host key from CLI
So given the following assumptions:
1) I wish to ssh to a remote host for the first time
2) ssh-keyscan shows this:
pwaugh$ ssh-keyscan -t ecdsa pi
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
pi ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEQVybySS0o5UWGHC0Qq1/pkDWZ0gK4nxUDdQEGdxWo3Dl5XMfMr+m6l5GDo7eID23j3N5Gwh7pGyea3WQbRWAk=
pwaugh$
3) ssh pi@pi gives me this:
pwaugh$ ssh pi@pi
The authenticity of host 'pi (192.168.1.12)' can't be established.
ECDSA key fingerprint is SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
pwaugh$
QUESTION #1:
How can I confirm the SHA256 hash of the key returned from the server with ssh is the equivalent of the full key returned by ssh-keyscan?
(other than on the terminal $ sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key)
I'm guessing that if this were possible, it would leave me open to a man-in-the-middle attack, unless I eventually did verify it on the terminal, right?
I'm also guessing that a better method would just be gather the keys, add them to known_hosts, and then let ssh verify them for me anyway. But just curious.
QUESTION #2:
When connecting for the first time, and getting the confirm host message/key, it defaults to the ecdsa key. Is this less secure than using the ed25519 key? Can I force it to check that key? (Probably have to delete other host keys I'm guessing)
Thanks for any thoughts. I've reviewed the man files, and even a book on ssh, and just unclear on this.
Patrick
ssh openssh
asked Jan 6 at 2:14
patrick
1 Answer
Where 'pi' is the host of interest, I can request the keys, and then pipe them to ssh-keygen as follows:
$ ssh-keyscan pi | ssh-keygen -lf -
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA)
2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA)
256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519)
This is so that I don't have to physically do this on the host:
$ ssh-keygen -lf ./.ssh/known_hosts
Patrick
answered Jan 6 at 4:10
patrick
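The pipeline in the answer works because `ssh-keygen -l` does nothing more than hash the raw key blob: the SHA256 fingerprint that ssh prints is the base64 encoding of SHA-256 over the base64-decoded blob, with the trailing `=` padding dropped. The Python example below is added here and is not code from the original post; it re-derives that fingerprint from the ssh-keyscan line shown in the question and compares it with the fingerprint the ssh prompt displayed. Two caveats a practitioner should keep in mind. First, on question 1: a match only proves that ssh and ssh-keyscan saw the same key, and both fetched it over the same network, so an attacker in the path can feed both the same bogus key. The value you compare against has to come out of band, for example `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on the host's console (the .pub file needs no sudo), or an SSHFP DNS record validated by DNSSEC. Second, on question 2: the client, not the server, decides which host key type is presented, through its HostKeyAlgorithms preference list, so `ssh -o HostKeyAlgorithms=ssh-ed25519 pi@pi` and `ssh-keyscan -t ed25519 pi` make the Ed25519 key the one you verify, with no need to delete the server's other host keys. P-256 ECDSA and Ed25519 sit at a comparable security level; Ed25519 is generally preferred for its deterministic signatures and simpler, less error-prone implementation rather than for raw strength. The `pick_host_key` function mimics that preference order. The sample keyscan text, the `OUT_OF_BAND_ECDSA` constant and all function names are constructed for this example.

```python
"""Re-derive OpenSSH host-key fingerprints from ssh-keyscan output.

Added example, not from the original post. It shows what `ssh-keygen -lf -`
computes: the SHA256 fingerprint is base64(sha256(decoded key blob)) with
the '=' padding stripped; the legacy MD5 fingerprint is colon-separated hex.
"""
import base64
import hashlib

# Constructed sample: the ecdsa line is the one ssh-keyscan printed in the
# question, preceded by the banner comment line ssh-keyscan emits.
KEYSCAN_OUTPUT = """\
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
pi ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEQVybySS0o5UWGHC0Qq1/pkDWZ0gK4nxUDdQEGdxWo3Dl5XMfMr+m6l5GDo7eID23j3N5Gwh7pGyea3WQbRWAk=
"""

# Fingerprint shown by `ssh pi@pi` in the question. In real use this value
# must come from a trusted out-of-band channel (the host's console, an
# SSHFP record under DNSSEC), otherwise a path attacker can satisfy the check.
OUT_OF_BAND_ECDSA = "SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U"


def parse_keyscan(text):
    """Return [(host, keytype, blob_bytes), ...] for each key line, skipping '#' comments."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        # The blob is self-describing: its first length-prefixed string is the
        # key type, and it must agree with the type field of the line.
        tlen = int.from_bytes(blob[:4], "big")
        if blob[4:4 + tlen].decode() != keytype:
            raise ValueError("key type field does not match blob for %s" % host)
        keys.append((host, keytype, blob))
    return keys


def sha256_fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob):
    """Legacy MD5 fingerprint, as printed by `ssh-keygen -E md5 -lf`."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def pick_host_key(keys, host_key_algorithms):
    """Mimic the client's HostKeyAlgorithms preference: the first listed type
    that the server offers is the one ssh will present at the prompt."""
    offered = {kt: (host, kt, blob) for host, kt, blob in keys}
    for alg in host_key_algorithms:
        if alg in offered:
            return offered[alg]
    return None


def verify_against_out_of_band(keys, keytype, expected_fingerprint):
    """Return a known_hosts line for keytype if its SHA256 fingerprint equals
    the out-of-band value, otherwise None (do not trust the key)."""
    for host, kt, blob in keys:
        if kt == keytype and sha256_fingerprint(blob) == expected_fingerprint:
            return "%s %s %s" % (host, kt, base64.b64encode(blob).decode())
    return None


if __name__ == "__main__":
    scanned = parse_keyscan(KEYSCAN_OUTPUT)
    for host, kt, blob in scanned:
        print(kt, sha256_fingerprint(blob), md5_fingerprint(blob))
    chosen = pick_host_key(scanned, ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"])
    print("client would prompt for:", chosen[1] if chosen else "no acceptable key")
    entry = verify_against_out_of_band(scanned, "ecdsa-sha2-nistp256", OUT_OF_BAND_ECDSA)
    print("known_hosts line:" if entry else "MISMATCH, do not connect", entry or "")
```

To use this against a live host, replace `KEYSCAN_OUTPUT` with the output of `ssh-keyscan -t ed25519 pi` and `OUT_OF_BAND_ECDSA` with the fingerprint read off the console; only when `verify_against_out_of_band` returns a line should it be appended to `~/.ssh/known_hosts`.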