Whenever we use SSH to connect to a new host, we usually see the following prompt asking us to confirm the fingerprint:
$ ssh email@example.com The authenticity of host 'somedomain.com' (220.127.116.11) can't be establised ECDSA key fingerprint is c8:2c:22:6d:13:.....29:b4:86:8d:13. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'somedomain.com,18.104.22.168' (ECDSA) to the list of known hosts
That series of characters (c8:2c:22:6d:13:…..29:b4:86:8d:13) is known as a SSH fingerprint.
- A fingerprint is a hash of a public key
- We use this hash to authenticate the public key of the sever we connect to
How do we find out if that fingerprint is actually valid ?
- Login into the server you want to SSH into
- Run ssh-keygen -lf <path to public key> # l => list, f => file
- The public key files are located at: /etc/ssh/
- There is 1 file for dsa, ecdsa, and rsa
- My server was using the ecdsa file: /etc/ssh/ssh_host_ecdsa.pub
- If the output from ssh-keygen matches up with the ssh output we are good to go!
The fingerprint is much shorter than the actual key, thus we can easily transmit it and use it to verify the public key.
If we accept the key, it gets added to ~/.ssh/known_hosts
In certain cases it is beneficial to automatically accept the public key, for example when we automate a script.
We can use ssh-keyscan to do this:
ssh-keyscan -H <ip-address> >> ~/.ssh/known_hosts ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts
There is also a ssh -oStrictHostKeyChecking=no option to turn off it. The GIT_SSH variable can be used to pass ssh options to git.
- ssh: automatically accept keys, askubuntu.com