ssh how to verify your host key / avoid MIM attacks

SSH helps keep us secure in many ways, one of those is the host-key fingerprint which is unique.  If you have been connecting to an SSH server that you've made no changes to and suddenly ssh warns that the key doesn't match then you have a problem.

But how about connecting to an existing server for the first time on a new machine or client?

A lot of new clients calculate it using an SHA256 hash but it is not as easy on your host machine to produce the same style hash without some hacking around.

The authenticity of host 'somehow (172.16.5.2)' can't be established.
RSA key fingerprint is SHA256:alalalalleieieieieiala.
Are you sure you want to continue connecting (yes/no)?

If using ecdsa just do this:

ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

The key should match the SHA256 shown in your connection attempt.


 

So we can get the MD5 hash by using this option:

ssh -o fingerprinthash=md5 user@host
The authenticity of host 'somehow (172.16.5.2)' can't be established.
RSA key fingerprint is MD5:aa:sldka;:ksdkjd::kala:kfdkls:1.
Are you sure you want to continue connecting (yes/no)?

 

How do we get the md5 hash on our host?

ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
aa:sldka;:ksdkjd::kala:kfdkls:1 /etc/ssh/ssh_host_key.pub (RSA1)

 

On newer versions you will need to do it like this:

ssh-keygen -l -f /etc/ssh/ssh_host_key.pub -E md5


Tags:

ssh, verify, mim, attacksssh, fingerprint, connecting, server, ve, warns, doesn, existing, calculate, sha, hash, hacking, authenticity, established, rsa, alalalalleieieieieiala, md, fingerprinthash, user, aa, sldka, ksdkjd, kala, kfdkls, keygen, etc, ssh_host_key, pub, newer, versions,

Latest Articles

  • Cisco Unified Communication Manager (CUCM) - How To Add Phones
  • pptp / pptpd not working in DD-WRT iptables / router
  • systemd-journald high memory usage solution
  • How to Install FreePBX in Linux Debian Ubuntu Mint Guide
  • How To Install Cisco's CUCM (Cisco Unified Communication Manager) 12 Guide
  • Linux Ubuntu Redhat How To Extract Images from PDF
  • Linux and Windows Dual Boot Issue NIC Won't work After Booting Windows
  • Cisco CME How To Enable ACD hunt groups
  • How to install gns3 on Linux Ubuntu Mint
  • How to convert audio for Asterisk .wav format
  • Using Cisco CME Router with Asterisk as a dial-peer
  • Cisco CME How To Configure SIP Trunk VOIP
  • Virtualbox host Only Network Error Failed to save host network interface parameter - Cannot change gateway IP of host only network
  • Cisco CME and C7200 Router Testing and Learning Environment on Ubuntu 20+ Setup Tutorial Guide
  • Abusive IP ranges blacklist
  • How to Install Any OS on a Physical Drive from Windows Using VMware Workstation (Linux, Windows, BSD)
  • CDN Cloudflare how to set and preserve the real IP of the client without modifying application code on Apache
  • CentOS 7 fix Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container error was 14: curl#6 -
  • Ubuntu Debian How To Install Recommended Packages Automatically
  • How to set Linux Ubuntu Redhat Debian Command Line http https socks proxy for yum apt