@GlenCooper
Last active October 9, 2023 05:26
How to see what the ssh fingerprints are for a host you are attempting to ssh into
Sometimes when you ssh to a new host, your ssh client warns that the host's authenticity can't be established and asks you
to verify the host key fingerprint it was sent.
To confirm that the fingerprint really belongs to that host, run the following on the host you are trying to ssh into (the one
the warning is about). It prints the SHA256 fingerprint of every host public key in /etc/ssh:
$ for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done
Do this before you answer "yes" to the prompt, and do it over a channel you already trust: console access to the host, or a
trusted person who has console access and can read the output to you. Asking the host for its keys over the same network path
you are about to trust (for example with ssh-keyscan) proves nothing, because anything able to intercept your ssh session can
answer that query too.
Example:
We are starting from hostname mab, and want to ssh to 192.168.1.189 (whose hostname is margaret).
20230917T192147Z: crystamped@mab:~$ ssh crystamped@192.168.1.189
The authenticity of host '192.168.1.189 (192.168.1.189)' can't be established.
ECDSA key fingerprint is SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
This is the point where we stop, get onto margaret by some other trusted route (its console), and issue the command there:
for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done
... like this:
20230917T191424Z: crystamped@margaret:~₿ for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done
256 SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk root@margaret (ECDSA)
256 SHA256:dw7noNRHbtUn3Xsq4gEIirErU9NXW0DPDhscMb3v7IA root@margaret (ED25519)
3072 SHA256:07hZ+g0U69kYMnjuu/81KA3Qvntzbx2VROYjniZdnDg root@margaret (RSA)
20230917T191425Z: crystamped@margaret:~₿
Now that you have seen the actual host key fingerprints on margaret, you can rightfully accept or refuse the fingerprint the
client showed you. The client only shows the key type it negotiated (ECDSA here), so that is the line to compare against, and
the match must be exact over the whole string and the key type, not just the first few characters. Looking through the three
fingerprints printed on margaret, the ECDSA line is "NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk", the same value the client
showed, so we can rightfully answer "yes" to the question. Instead of typing "yes", you can also paste the fingerprint you
obtained out-of-band at the (yes/no/[fingerprint]) prompt and let ssh do the comparison; it only proceeds if the pasted value
equals the one it was sent.
20230917T192147Z: crystamped@mab:~$ ssh crystamped@192.168.1.189
The authenticity of host '192.168.1.189 (192.168.1.189)' can't be established.
ECDSA key fingerprint is SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.189' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/crystamped/.ssh/id_rsa':
crystamped@192.168.1.189's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-32-generic x86_64)
[... Ubuntu MOTD, the author's VPN-check script output and banner art elided ...]
20230917T192233Z: crystamped@margaret:~₿ exit
logout
Connection to 192.168.1.189 closed.
20230917T192249Z: crystamped@mab:~$
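The comparison done by eye above, as an added example that is not part of the gist: a POSIX sh script that takes the warning line from the ssh client and the fingerprint lines copied from margaret's console, and accepts only an exact match of both the fingerprint and the key type. The fingerprint list and the prompt line are constructed from the gist's own transcript; the function names are my own, and the script assumes nothing beyond sh, sed and awk.

```shell
#!/bin/sh
# Added example (not code from the gist): check the fingerprint shown by the
# ssh client against the list produced out-of-band on the target host.
# Assumes only POSIX sh, sed and awk.

# Constructed input: the three lines the gist's loop printed on margaret,
# obtained over the console (out-of-band), not over the ssh connection
# being verified. Field layout of "ssh-keygen -l": bits fingerprint comment (TYPE)
MARGARET_HOST_KEYS='256 SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk root@margaret (ECDSA)
256 SHA256:dw7noNRHbtUn3Xsq4gEIirErU9NXW0DPDhscMb3v7IA root@margaret (ED25519)
3072 SHA256:07hZ+g0U69kYMnjuu/81KA3Qvntzbx2VROYjniZdnDg root@margaret (RSA)'

# Constructed input: the warning line the ssh client printed on mab.
PROMPT_LINE='ECDSA key fingerprint is SHA256:NJq7L7jJ5nIpoyEPGgf+Z7XXVzXFqesN3rgk0bwE3zk.'

# prompt_fingerprint LINE -> "SHA256:<base64>" (the trailing "." is dropped)
prompt_fingerprint() {
    printf '%s\n' "$1" | sed -n 's|.*key fingerprint is \(SHA256:[A-Za-z0-9+/]*\).*|\1|p'
}

# prompt_keytype LINE -> "ECDSA", "ED25519", "RSA", ...
prompt_keytype() {
    printf '%s\n' "$1" | sed -n 's|^\([A-Z0-9-]*\) key fingerprint is .*|\1|p'
}

# host_key_matches KEYTYPE FINGERPRINT LIST
# Exit 0 only if LIST has a line whose fingerprint field ($2) equals FINGERPRINT
# exactly and whose type field (last field) is "(KEYTYPE)". Both must agree:
# a fingerprint listed under a different key type is not a match.
host_key_matches() {
    printf '%s\n' "$3" | awk -v fp="$2" -v t="($1)" '
        $2 == fp && $NF == t { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_prompt LINE LIST -> prints the verdict; exit 0 on a match, 1 otherwise
verify_prompt() {
    fp=$(prompt_fingerprint "$1")
    kt=$(prompt_keytype "$1")
    if [ -n "$fp" ] && [ -n "$kt" ] && host_key_matches "$kt" "$fp" "$2"; then
        echo "match: $kt $fp is a host key of the target; answering yes is justified"
        return 0
    fi
    echo "MISMATCH: do not answer yes; $kt ${fp:-<unparsed>} is not in the out-of-band list"
    return 1
}

verify_prompt "$PROMPT_LINE" "$MARGARET_HOST_KEYS"
```

In practice you would replace the constructed MARGARET_HOST_KEYS with the real output read from the target's console, and paste the client's warning line as PROMPT_LINE; the script deliberately refuses a fingerprint that only shares a prefix with a listed key, and one that matches a key of a different type.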
@GlenCooper

I made this a bit easier to use by creating an alias for it that is loaded whenever a new shell is launched:

20231001T120650Z: crystamped@mab:~$ mykeys
256 SHA256:4z0Lv3v2lSx5wBvInyLWBQNI9ZkMUdhV5embtd2IYWg root@mab (ECDSA)
256 SHA256:8DxRQe6CsieBt6vB4OMJbVuaFgr0ZtZ0WDw45AX9O4Q root@mab (ED25519)
3072 SHA256:AKs8apkZCKVV4C95YohyAoDTbgq/Fw93310xR65WOOo root@mab (RSA)
20231001T120652Z: crystamped@mab:~$ type mykeys
mykeys is aliased to `for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done'
20231001T120658Z: crystamped@mab:~$ cat ~/.bashrc | grep shared
if [ -f ~/.aliases_shared ]; then
  . ~/.aliases_shared
20231001T120715Z: crystamped@mab:~$ cat ~/.aliases_shared | grep mykeys
alias mykeys='for pubkey_file in /etc/ssh/*.pub; do ssh-keygen -lf ${pubkey_file} -E sha256; done'
20231001T120726Z: crystamped@mab:~$ 
