St. Louis UNIX Users Group
Your forum for exchanging information about open standards, open systems, open source, products, services and architectures

The first time a client makes a connection to a server, SSH is vulnerable to spoofing, because the client does not yet have a record of the other system's key. In this situation, SSH will prompt the user before continuing with the connection and will display the "fingerprint" of the remote system's key, to give the user a chance to make a manual comparison. If the fingerprint from the connection matches the fingerprint that is known to be good, go ahead and allow the connection to continue. If not, terminate the connection immediately. If the fingerprint is accepted, the server's key will be stored locally by the client and the question will normally not be asked again.

An example of an SSH connection to a machine never contacted before:
The authenticity of host 'michelob (128.252.19.8)' can't be established.
DSA key fingerprint is 7d:a6:9e:39:19:aa:36:89:78:a1:31:4e:74:4a:4f:23.
Are you sure you want to continue connecting (yes/no)?

If the fingerprint from the connection doesn't match the fingerprint that is known to be good, there is a chance that a "man-in-the-middle" attack is being attempted. Of course, there is a greater chance that this web page is out of date due to some future change in SLUUG servers. The key that is used, and thus the fingerprint, will depend on the SSH protocol that is used.

| Host | IP Address | Protocol | Key Fingerprint |
|---|---|---|---|
| michelob | 128.252.19.8 | SSH1/RSA | 22:c0:28:88:a9:4a:fd:d4:0d:3d:42:c1:35:07:67:fc |
| michelob | 128.252.19.8 | SSH2/DSA | 7d:a6:9e:39:19:aa:36:89:78:a1:31:4e:74:4a:4f:23 |
| michelob | 128.252.19.8 | SSH2/RSA | N/A |
| bud | 206.196.99.162 | SSH1/RSA | N/A |
| bud | 206.196.99.162 | SSH2/DSA | f9:f2:4a:40:47:ae:85:19:06:cf:0e:f1:73:7b:a6:88 (Changed 06/13/08) |
| bud | 206.196.99.162 | SSH2/RSA | f8:45:c5:6e:12:9f:d7:2d:19:5f:c5:5c:93:6e:13:de (Changed 05/17/08) |
| budlight | 206.196.99.163 | SSH1/RSA | N/A |
| budlight | 206.196.99.163 | SSH2/DSA | 64:46:85:b4:b5:3b:6c:1a:54:28:d8:02:08:9a:54:97 (Changed 05/31/08) |
| budlight | 206.196.99.163 | SSH2/RSA | fb:4a:06:e0:77:56:de:f7:4c:23:01:5d:c6:22:0e:b1 (Changed 05/31/08) |
| webdev | 128.252.19.27 | SSH1/RSA | 38:e4:91:19:67:63:79:d7:ca:ed:9a:53:01:d6:66:b2 |
| webdev | 128.252.19.27 | SSH2/DSA | d7:29:fe:77:49:04:d5:d5:bc:3a:dc:9c:30:f2:e3:b1 |
| webdev | 128.252.19.27 | SSH2/RSA | 4d:4c:2d:20:b0:5a:a5:6d:7a:bd:58:c2:3a:f4:d1:dc |

All keys are 1024 bits in length.

Many systems have alternate domain names, such as www.sluug.org, users.sluug.org, or mail.sluug.org. If you use one of the alternate names for a system, you might need to match up the fingerprint by IP address instead of name.
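The manual comparison described above can also be scripted. The following is an added example, not part of the original SLUUG page: it computes the colon-separated MD5 fingerprint of each key in known_hosts-style lines and looks it up by IP address and protocol. The scan lines, the stand-in key blob "YWJj" and the 192.0.2.10 entry are constructed for illustration; only the michelob entries come from the table.

```python
import base64
import hashlib

# known_hosts / ssh-keyscan key-type names mapped to the table's protocol
# labels. SSH1 keys use a different line format and are not handled here.
PROTOCOL = {"ssh-dss": "SSH2/DSA", "ssh-rsa": "SSH2/RSA"}

# (IP address, protocol) -> published fingerprint; None means "N/A".
PUBLISHED = {
    ("128.252.19.8", "SSH2/DSA"): "7d:a6:9e:39:19:aa:36:89:78:a1:31:4e:74:4a:4f:23",  # from the table
    ("128.252.19.8", "SSH2/RSA"): None,  # listed as N/A in the table
    ("192.0.2.10", "SSH2/DSA"): "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72",  # constructed
}

# Constructed scan lines; "YWJj" is a stand-in blob, not a real host key.
SCAN = [
    "192.0.2.10 ssh-dss YWJj",
    "michelob,128.252.19.8 ssh-dss YWJj",
    "128.252.19.8 ssh-rsa YWJj",
]

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a base64-encoded public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_line(line, published):
    """Return (address, protocol, fingerprint, verdict) for one scan line."""
    hosts, key_type, key_b64 = line.split()[:3]
    protocol = PROTOCOL.get(key_type, key_type)
    fingerprint = md5_fingerprint(key_b64)
    # A line may name the host several ways ("name,ip"); use whichever
    # address the published table knows, so alternate names still resolve.
    for address in hosts.split(","):
        if (address, protocol) in published:
            expected = published[(address, protocol)]
            if expected is None:  # N/A: nothing to compare against
                return address, protocol, fingerprint, "unpublished"
            verdict = "match" if fingerprint == expected.lower() else "mismatch"
            return address, protocol, fingerprint, verdict
    return hosts, protocol, fingerprint, "unpublished"

if __name__ == "__main__":
    for line in SCAN:
        print(*check_line(line, PUBLISHED))
```

Treat "unpublished" the same as an unverified key: there is no known-good value to compare against. Current OpenSSH clients print SHA256 fingerprints by default; `ssh-keygen -l -E md5` prints the MD5 form used in the table.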

Even though a server is listed here, that doesn't mean it is available for your use. Systems might be only for testing, administration, or other activities not for the general user.

 
Copyright ©  St. Louis UNIX Users Group  2003-2018 |  webmaster@sluug.org