chxo internets

A network of memes,
by Chris Snyder

May 10th, Sun
SSH - How to find remote host fingerprint

With OpenSSH, ssh-keygen is the go-to utility for discovering RSA public key fingerprints, both local and remote, using the -l (lowercase L) switch together with either -f for a local key file or -F for a host whose key is stored in your known_hosts file.

To find out a remote server’s known-good ssh key fingerprint, use the ssh-keygen command:

ssh-keygen -l -F <hostname>

Normally, ssh shows you the remote RSA key fingerprint when you first connect. But then you never see it again, because the key itself is stored in your .ssh/known_hosts file. Even when connecting in verbose mode, you don’t see it. Ssh compares the key it receives from the remote with the key in known_hosts, skipping the fingerprint step altogether.

So why would you want to see the fingerprint of a known key?

Well, let’s say, for example, that you routinely ssh to cloud.example.com from your workstation. Then you get a netbook. The first time you ssh to cloud.example.com on the netbook, using wi-fi, the client shows you what looks like the wrong fingerprint. Is someone in the middle?

You can run ssh-keygen -l -F cloud.example.com on your workstation to see the key fingerprint for cloud.example.com. According to the ssh-keygen manual, this looks up cloud.example.com in your known_hosts file and then shows you the fingerprint of the matching entry:

ssh-keygen -l -F cloud.example.com
# Host cloud.example.com found: line 25 type RSA
2048 c4:63:f2:8b:ca:71:9b:e5:a7:2e:8a:de:49:ef:99:25 cloud.example.com (RSA)

Now you can compare with what the netbook sees, and either continue connecting or go raise hell with the wi-fi operator.
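As an added example (not part of the original post), here is a small Python reimplementation of what ssh-keygen -l -F does, so the fingerprint line above can be traced back to the known_hosts entry it came from: find the host's line, decode the key blob, and hash it. It goes one step beyond the post by also matching the hashed entries that HashKnownHosts produces, where grepping for the hostname finds nothing and -F is the only practical lookup. The key material and salt are constructed bytes with the real wire layout, not real keys.

```python
import base64
import hashlib
import hmac

def _s(b: bytes) -> bytes: return len(b).to_bytes(4, "big") + b  # one length-prefixed SSH wire field
# Constructed sample keys: made-up bytes in the real wire layout, not real keys. RSA blob =
# "ssh-rsa", e, n (n is 256 bytes with the top bit set, so 2048 bits; mpint rules add a
# leading 0x00). ed25519 blob = type name + 32-byte key. Salt is a made-up 20-byte value.
_RSA_BLOB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00\x80" + bytes(range(1, 256)))
_ED_BLOB = _s(b"ssh-ed25519") + _s(bytes(range(32)))
_SALT = bytes(range(100, 120))
_HASHED_HOST = "|1|%s|%s" % (base64.b64encode(_SALT).decode(),
    base64.b64encode(hmac.new(_SALT, b"cloud.example.com", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = (
    f"other.example.com,10.0.0.5 ssh-ed25519 {base64.b64encode(_ED_BLOB).decode()}\n"
    f"{_HASHED_HOST} ssh-rsa {base64.b64encode(_RSA_BLOB).decode()}\n")

def host_matches(pattern: str, host: str) -> bool:
    """Plain comma-separated host list, or a HashKnownHosts entry |1|salt|HMAC-SHA1(salt, host)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def fingerprints(blob: bytes) -> dict:
    """Key type, bit count and both fingerprint formats ssh-keygen -l can print."""
    fields, i = [], 0
    while i < len(blob):  # walk the length-prefixed fields
        n = int.from_bytes(blob[i:i + 4], "big")
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    ktype = fields[0].decode()
    bits = int.from_bytes(fields[2], "big").bit_length() if ktype == "ssh-rsa" else len(fields[1]) * 8
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "sha256": "SHA256:" + sha,
            "md5": ":".join(md5[j:j + 2] for j in range(0, 32, 2))}  # legacy colon form

def lookup(known_hosts: str, host: str) -> "dict | None":
    """What `ssh-keygen -l -F host` does: find the host's entry and fingerprint its key."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#") and host_matches(parts[0], host):
            return fingerprints(base64.b64decode(parts[2]))
    return None

def verify(known_hosts: str, host: str, observed: str) -> bool:  # the post's check
    entry = lookup(known_hosts, host) or {}
    return observed in (entry.get("md5"), entry.get("sha256"))
```

verify() is the comparison the post describes: pass it the fingerprint the netbook displays, in either the colon-separated MD5 form or the SHA256 form, and it tells you whether it matches the workstation's record for that host.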