This is a discussion on ssh fingerprints don't match within the Linux Security forums, part of the System Security and Security Related category.
Hi,

From computer A I tried to access computer 'ibm'.

A $ ssh ibm
The authenticity of host 'ibm (192.168.2.30)' can't be established.
RSA key fingerprint is 14:9a:................................
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ibm' (RSA) to the list of known hosts.
Enter passphrase for key '/home/jj/.ssh/id_rsa':

And after I typed the password I got a shell from 'ibm'.

ibm $ ssh-keygen -l
Enter file in which the key is (/home/jj/.ssh/id_rsa):
2048 8e:b0....................... /home/jj/.ssh/id_rsa.pub

Shouldn't this fingerprint be identical to the one above?

Luis P. Mendes

"Luis P. Mendes" <lupe@localhost.localdomain> writes:
> Hi,
>
> From computer A I tried to access computer 'ibm'.
>
> A $ ssh ibm
> The authenticity of host 'ibm (192.168.2.30)' can't be established.
> RSA key fingerprint is 14:9a:................................ Are you sure
> you want to continue connecting (yes/no)? yes Warning: Permanently added
> 'ibm' (RSA) to the list of known hosts. Enter passphrase for key
> '/home/jj/.ssh/id_rsa':
>
> And after I typed the password I got a shell from 'ibm'.
>
>
> ibm $ ssh-keygen -l
> Enter file in which the key is (/home/jj/.ssh/id_rsa):
> 2048 8e:b0.......................
> /home/jj/.ssh/id_rsa.pub
>
> Shouldn't this fingerprint be identical to the one above?

No.

You want to check the server's key, not your personal key.

ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

And, to ensure you haven't been subject to a man in the middle attack, you shouldn't really go accepting server keys without checking them with a trusted user/owner of the system with console access to verify fingerprints. This starts bordering a little on paranoid, but it is best practice.

Best Regards,
--
Todd H.
http://www.toddh.net/

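The check described in the answer above, as an added example that is not part of the original thread: it computes a public key's fingerprint in the colon-separated MD5 form the thread shows and in the SHA256 form current OpenSSH prints, then compares what ssh displayed with a trusted copy of the server's host key. The keys are constructed stand-ins, and the names `key_blob`, `host_key_matches`, `sample_key`, `HOST_KEY`, `USER_KEY` and `KNOWN_HOSTS` are assumptions made for the example.

```python
import base64
import hashlib
import hmac

def key_blob(line: str) -> bytes:
    """Decode the key blob from a .pub line or a plain known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n] != field.encode():  # blob repeats the key type
                raise ValueError("key type does not match key blob")
            return blob
    raise ValueError("no public key found in line")

def fingerprint_md5(line: str) -> str:
    """Colon-separated hex MD5, the format shown in the thread."""
    h = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(line: str) -> str:
    """SHA256:<unpadded base64>, the format current OpenSSH prints."""
    d = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(d).decode().rstrip("=")

def host_key_matches(shown: str, trusted_line: str) -> bool:
    """Compare what ssh displayed with a trusted copy of the host key."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        expected = fingerprint_sha256(trusted_line)
    else:
        shown = shown.lower()  # hex is case-insensitive, base64 is not
        shown = shown[4:] if shown.startswith("md5:") else shown
        expected = fingerprint_md5(trusted_line)
    return hmac.compare_digest(shown.encode(), expected.encode())

def sample_key(seed: bytes, comment: str) -> str:
    """Constructed stand-in for an ssh-rsa .pub line (not a usable key)."""
    s = lambda b: len(b).to_bytes(4, "big") + b  # SSH length-prefixed field
    n = b"\x00" + hashlib.sha512(seed).digest() * 4
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

HOST_KEY = sample_key(b"host key of ibm", "root@ibm")   # constructed
USER_KEY = sample_key(b"personal key of jj", "jj@A")    # constructed
KNOWN_HOSTS = "ibm " + HOST_KEY.rsplit(" ", 1)[0]       # entry saved by the client

shown = fingerprint_md5(KNOWN_HOSTS)  # what the client displayed on first connect
print("server host key:", host_key_matches(shown, HOST_KEY))
print("personal key   :", host_key_matches(shown, USER_KEY))
```

The personal key never matches because the client fingerprints the server's host key, which is the mismatch the original question ran into.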
On Sun, 10 Dec 2006 23:31:23 -0600, Todd H. wrote:
> "Luis P. Mendes" <lupe@localhost.localdomain> writes:
>
>> Hi,
>>
>> From computer A I tried to access computer 'ibm'.
>>
>> A $ ssh ibm
>> The authenticity of host 'ibm (192.168.2.30)' can't be established.
>> RSA key fingerprint is 14:9a:................................ Are you sure
>> you want to continue connecting (yes/no)? yes Warning: Permanently added
>> 'ibm' (RSA) to the list of known hosts. Enter passphrase for key
>> '/home/jj/.ssh/id_rsa':
>>
>> And after I typed the password I got a shell from 'ibm'.
>>
>>
>> ibm $ ssh-keygen -l
>> Enter file in which the key is (/home/jj/.ssh/id_rsa):
>> 2048 8e:b0.......................
>> /home/jj/.ssh/id_rsa.pub
>>
>> Shouldn't this fingerprint be identical to the one above?
>
> No.
>
> You want to check the server's key, not your personal key.
>
> ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
> ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
>
> And, to ensure you haven't been subject to a man in the middle attack,
> you shouldn't really go accepting server keys without checking them
> with a trusted user/owner of the system with console access to verify
> fingerprints. This starts bordering a little on paranoid, but it is
> best practice.
>
> Best Regards,

Thank you for your answer.

I tried again and fingerprints match. Both computers are in my LAN, so I was confident it would have to be my mistake!

Best regards,
Luis