St. Louis UNIX Users Group | Your forum for exchanging information about open standards, open systems, open source, products, services and architectures

The first time a client makes a connection to a server, SSH is vulnerable to spoofing, as it does not have a record of the other system's key. In this situation, SSH will prompt the user before continuing with the connection and will display the "fingerprint" of the remote system's key, to give the user a chance to make a manual comparison. If the fingerprint from the connection matches the fingerprint that is known to be good, go ahead and allow the connection to continue. If not, terminate the connection immediately. If the fingerprint is accepted, the server's key will be stored locally by the client and the question will normally not be asked again.

An example of an SSH connection to a machine never contacted before:

If the fingerprint from the connection doesn't match the fingerprint that is known to be good, there is a chance that a "man-in-the-middle" attack is being attempted. Of course, there is a greater chance that this web page is out of date due to some future change in SLUUG servers.

The key that is used, and thus the fingerprint, will depend on the SSH protocol that is used. All keys are 1024 bits in length.

Many systems have alternate domain names, such as www.sluug.org, users.sluug.org, or mail.sluug.org. If you use one of the alternate names for a system, you might need to match up the fingerprint by IP address instead of name.

Even though a server is listed here, that doesn't mean it is available for your use. Systems might be only for testing, administration, or other activities not for the general user.
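The manual comparison described above can also be done in code once the server's public key line is in hand. The Python below is an added example, not part of the original SLUUG page: it computes a key's fingerprint in both the colon-separated MD5 form shown by older OpenSSH clients and the SHA256 form shown by current ones, then compares it with a published value. The key material and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_sample_key_line(seed: bytes) -> str:
    """Constructed sample: a well-formed 1024-bit ssh-rsa blob, not a real key."""
    modulus = b"\x00\xc3" + (hashlib.sha512(seed).digest() * 2)[1:]
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


def fingerprints(key_line: str) -> dict:
    """Fingerprints of a '<type> <base64> [comment]' public key line."""
    key_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    # The type named on the line must match the type encoded in the blob.
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "type": key_type,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256_b64.rstrip("="),
    }


def matches_published(key_line: str, published: str) -> bool:
    """True only if the key's fingerprint equals the known-good value."""
    published = published.strip()
    fp = fingerprints(key_line)
    if published.startswith("SHA256:"):
        return published == fp["sha256"]
    published = published.lower()
    if published.startswith("md5:"):
        published = published[4:]
    return published == fp["md5"]


if __name__ == "__main__":
    server_key = make_sample_key_line(b"genuine server")
    known_good = fingerprints(server_key)["md5"]  # stands in for the published value
    print(matches_published(server_key, known_good))                          # same key
    print(matches_published(make_sample_key_line(b"other key"), known_good))  # different key
```

The known-good value must come from a channel other than the connection being checked, such as a page like this one; a mismatch means the connection should be terminated.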
Copyright © St. Louis UNIX Users Group 2003-2008 | webmaster@sluug.org