ssh fingerprints don't match - Security


Thread: ssh fingerprints don't match

  1. ssh fingerprints don't match

    Hi,

    From computer A I tried to access computer 'ibm'.

    A $ ssh ibm
    The authenticity of host 'ibm (192.168.2.30)' can't be established.
    RSA key fingerprint is 14:9a:................................
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'ibm' (RSA) to the list of known hosts.
    Enter passphrase for key '/home/jj/.ssh/id_rsa':

    And after I typed the password I got a shell from 'ibm'.


    ibm $ ssh-keygen -l
    Enter file in which the key is (/home/jj/.ssh/id_rsa):
    2048 8e:b0....................... /home/jj/.ssh/id_rsa.pub

    Shouldn't this fingerprint be identical to the one above?


    Luis P. Mendes

  2. Re: ssh fingerprints don't match

    "Luis P. Mendes" writes:

    > Hi,
    >
    > From computer A I tried to access computer 'ibm'.
    >
    > A $ ssh ibm
    > The authenticity of host 'ibm (192.168.2.30)' can't be established.
    > RSA key fingerprint is 14:9a:................................
    > Are you sure you want to continue connecting (yes/no)? yes
    > Warning: Permanently added 'ibm' (RSA) to the list of known hosts.
    > Enter passphrase for key '/home/jj/.ssh/id_rsa':
    >
    > And after I typed the password I got a shell from 'ibm'.
    >
    >
    > ibm $ ssh-keygen -l
    > Enter file in which the key is (/home/jj/.ssh/id_rsa):
    > 2048 8e:b0....................... /home/jj/.ssh/id_rsa.pub
    >
    > Shouldn't this fingerprint be identical to the one above?


    No.

    You want to check the server's key, not your personal key.

    ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

    And, to ensure you haven't been subject to a man in the middle attack,
    you shouldn't really go accepting server keys without checking them
    with a trusted user/owner of the system with console access to verify
    fingerprints. This starts bordering a little on paranoid, but it is
    best practice.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
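
Added example, not part of the original thread: a fingerprint is a hash of the public key blob, so the server's host key (the one stored in the client's known_hosts) and a user's personal key can never produce the same value. The key material below is constructed sample data (made-up integers, not real RSA keys), and the helper names are this example's own.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(data)) + data

def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob from constructed integers (sample data only)."""
    def mpint(x: int) -> bytes:
        return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def fingerprint(line: str) -> dict:
    """Fingerprint the key found in a *.pub line or a known_hosts line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not the base64 field (host list, comment, ...)
        # The blob begins with its own key type; that confirms the key field.
        if blob.startswith(ssh_string(key_type.encode())):
            md5 = hashlib.md5(blob).hexdigest()
            sha = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return {
                "type": key_type,
                # colon-separated MD5: the style shown in the thread
                "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
                # SHA256: the default style in current OpenSSH
                "sha256": "SHA256:" + sha.rstrip("="),
            }
    raise ValueError("no SSH public key found in line")

def same_key(line_a: str, line_b: str) -> bool:
    return fingerprint(line_a)["sha256"] == fingerprint(line_b)["sha256"]

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

# Constructed sample data: made-up moduli, not real RSA keys.
HOST_BLOB = make_rsa_blob(65537, 0xC3A1D5E7F90B2D4F6181A3C5E7092B4D)
USER_BLOB = make_rsa_blob(65537, 0xB2907E5C3A18F6D4B2907E5C3A18F6D5)
HOST_PUB = "ssh-rsa " + _b64(HOST_BLOB) + " root@ibm"       # server: /etc/ssh/ssh_host_rsa_key.pub
USER_PUB = "ssh-rsa " + _b64(USER_BLOB) + " jj@ibm"         # personal: /home/jj/.ssh/id_rsa.pub
KNOWN_HOSTS = "ibm,192.168.2.30 ssh-rsa " + _b64(HOST_BLOB)  # stored on A after answering "yes"

if __name__ == "__main__":
    for name, line in (("known_hosts", KNOWN_HOSTS), ("host key", HOST_PUB), ("user key", USER_PUB)):
        print(name, fingerprint(line)["md5"])
```
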

  3. Re: ssh fingerprints don't match

    On Sun, 10 Dec 2006 23:31:23 -0600, Todd H. wrote:

    > "Luis P. Mendes" writes:
    >
    >> Hi,
    >>
    >> From computer A I tried to access computer 'ibm'.
    >>
    >> A $ ssh ibm
    >> The authenticity of host 'ibm (192.168.2.30)' can't be established.
    >> RSA key fingerprint is 14:9a:................................
    >> Are you sure you want to continue connecting (yes/no)? yes
    >> Warning: Permanently added 'ibm' (RSA) to the list of known hosts.
    >> Enter passphrase for key '/home/jj/.ssh/id_rsa':
    >>
    >> And after I typed the password I got a shell from 'ibm'.
    >>
    >>
    >> ibm $ ssh-keygen -l
    >> Enter file in which the key is (/home/jj/.ssh/id_rsa):
    >> 2048 8e:b0....................... /home/jj/.ssh/id_rsa.pub
    >>
    >> Shouldn't this fingerprint be identical to the one above?

    >
    > No.
    >
    > You want to check the server's key, not your personal key.
    >
    > ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
    > ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
    >
    > And, to ensure you haven't been subject to a man in the middle attack,
    > you shouldn't really go accepting server keys without checking them
    > with a trusted user/owner of the system with console access to verify
    > fingerprints. This starts bordering a little on paranoid, but it is
    > best practice.
    >
    > Best Regards,


    Thank you for your answer.

    I tried again and fingerprints match. Both computers are on my LAN, so I
    was confident it would have to be my mistake!

    Best regards,

    Luis
