ssh how to verify your host key / avoid MIM attacks

SSH helps keep us secure in many ways, one of those is the host-key fingerprint which is unique.  If you have been connecting to an SSH server that you've made no changes to and suddenly ssh warns that the key doesn't match then you have a problem.

But how about connecting to an existing server for the first time on a new machine or client?

A lot of new clients calculate it using an SHA256 hash but it is not as easy on your host machine to produce the same style hash without some hacking around.

The authenticity of host 'somehow (172.16.5.2)' can't be established.
RSA key fingerprint is SHA256:alalalalleieieieieiala.
Are you sure you want to continue connecting (yes/no)?

If using ecdsa just do this:

ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

The key should match the SHA256 shown in your connection attempt.


 

So we can get the MD5 hash by using this option:

ssh -o fingerprinthash=md5 user@host
The authenticity of host 'somehow (172.16.5.2)' can't be established.
RSA key fingerprint is MD5:aa:sldka;:ksdkjd::kala:kfdkls:1.
Are you sure you want to continue connecting (yes/no)?

 

How do we get the md5 hash on our host?

ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
aa:sldka;:ksdkjd::kala:kfdkls:1 /etc/ssh/ssh_host_key.pub (RSA1)

 

On newer versions you will need to do it like this:

ssh-keygen -l -f /etc/ssh/ssh_host_key.pub -E md5


Tags:

ssh, verify, mim, attacksssh, fingerprint, connecting, server, ve, warns, doesn, existing, calculate, sha, hash, hacking, authenticity, established, rsa, alalalalleieieieieiala, md, fingerprinthash, user, aa, sldka, ksdkjd, kala, kfdkls, keygen, etc, ssh_host_key, pub, newer, versions,

Latest Articles

  • FreePBX 17 How To Add a Trunk
  • Docker Container Onboot Policy - How to make sure a container is always running
  • FreePBX 17 How To Add Phones / Extensions and Register
  • Warning: The driver descriptor says the physical block size is 2048 bytes, but Linux says it is 512 bytes. solution
  • Cisco How To Use a Third Party SIP Phone (eg. Avaya, 3CX)
  • Cisco Unified Communication Manager (CUCM) - How To Add Phones
  • pptp / pptpd not working in DD-WRT iptables / router
  • systemd-journald high memory usage solution
  • How to Install FreePBX 17 in Linux Debian Ubuntu Mint Guide
  • How To Install Cisco's CUCM (Cisco Unified Communication Manager) 12 Guide
  • Linux Ubuntu Redhat How To Extract Images from PDF
  • Linux and Windows Dual Boot Issue NIC Won't work After Booting Windows
  • Cisco CME How To Enable ACD hunt groups
  • How to install gns3 on Linux Ubuntu Mint
  • How to convert audio for Asterisk .wav format
  • Using Cisco CME Router with Asterisk as a dial-peer
  • Cisco CME How To Configure SIP Trunk VOIP
  • Virtualbox host Only Network Error Failed to save host network interface parameter - Cannot change gateway IP of host only network
  • Cisco CME and C7200 Router Testing and Learning Environment on Ubuntu 20+ Setup Tutorial Guide
  • Abusive IP ranges blacklist