SSH fingerprints

Whenever we use SSH to connect to a new host, we usually see the following prompt asking us to confirm the fingerprint:

$ ssh

The authenticity of host '' ( can't be establised
ECDSA key fingerprint is c8:2c:22:6d:13:.....29:b4:86:8d:13.
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ',' (ECDSA) to the list of known hosts

That series of characters (c8:2c:22:6d:13:…..29:b4:86:8d:13) is known as a SSH fingerprint.

  • A fingerprint is a hash of a public key
  • We use this hash to authenticate the public key of the sever we connect to

How do we find out if that fingerprint is actually valid ?

  • Login into the server you want to SSH into
  • Run ssh-keygen -lf <path to public key> # l => list, f => file
  • The public key files are located at: /etc/ssh/
  • There is 1 file for dsa, ecdsa, and rsa
  • My server was using the ecdsa file: /etc/ssh/
  • If the output from ssh-keygen matches up with the ssh output we are good to go!

The fingerprint is much shorter than the actual key, thus we can easily transmit it and use it to verify the public key.

If we accept the key, it gets added to ~/.ssh/known_hosts


In certain cases it is beneficial to automatically accept the public key, for example when we automate a script.

We can use ssh-keyscan to do this:

ssh-keyscan -H <ip-address> >> ~/.ssh/known_hosts 
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts

There is also a ssh -oStrictHostKeyChecking=no option to turn off it. The GIT_SSH variable can be used to pass ssh options to git.


Tagged with: ,
Posted in Linux, Security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: