SSH fingerprint and hostkey

YamSeng asked:

How can I get the hostkey of SSH for connection to a particular host?

I am currently using public-key authentication and so I do not need to key in the password.  But the first time I connect to a new host, it checks the ".ssh2/hostkeys" directory to see if the host key is found.  If it's not found, then it generates one on the fly.

Currently I want to execute ssh non-interactively, and this prompt about generating the hostkey is stopping my script from running non-interactively.  But this only happens the first time.  After that there is no problem, because the hostkey is generated.

So is it possible for me to generate the hostkey for a given hostname and port before I run the ssh command?  Because I understand that the hostkey filename contains the hostname and port of the target host.

Thanks
Yam
ahoffmann

> .. get the hostkey ...
ssh-keygen -l -f /etc/ssh/ssh_host_key.pub

Keep in mind that the fingerprint *has to be* transmitted in a non-compromisable way (like by phone to the admin), because ssh relies on these keys; the fingerprint is the simple proof of a valid key.
ssh therefore does not provide a way to fetch such fingerprints remotely from an ssh server, for obvious reasons.
YamSeng (ASKER)
ahoffmann, I tried your command, but realised that -l is not a valid option in my ssh-keygen.

I tried both ssh-keygen and ssh-keygen2... both give me the same result:

"illegal option -- l"

ahoffmann

Which ssh do you use? Probably simply check your man pages.
-l works for all my OpenSSH versions (1.3, 2.3, 2.5, 2.9, 3.0, 3.2).
YamSeng (ASKER)

SSH Secure Shell 3.1.0 (non-commercial version) on i686-pc-linux-gnu.
YamSeng (ASKER)

What exactly does -l do for your OpenSSH?  I've looked at the OpenSSH man page and it seems to me that it's quite similar to the -F option in my ssh 3.1.0.

Basically, the -F option in my version dumps the fingerprint of the public key.  Hmm... I wonder, is the fingerprint what I really need?  Does generating the host-key file require the fingerprint?  I'm a little confused actually...

I've seen another website that mentioned a command called "make-ssh-known-hosts".  But I can't find this command on my Linux box.
YamSeng (ASKER)

I have a feeling that the hostkey file is quite similar to the public key file on the target machine. But when I compare these 2 public key files, they are different.
ahoffmann

From man ssh-keygen:
...
   -l   Show fingerprint of specified private or public key file.
...

This is for all *my* OpenSSH versions.  Where did you get an ssh-keygen with an -F option?
What does
   ssh-keygen --help
print?
YamSeng (ASKER)

Mine is not OpenSSH.

This is the output of ssh-keygen --help.

Usage: ssh-keygen [options] [key1 key2 ...]

Where `options' are:
 -b nnn         Specify key strength in bits (e.g. 1024)
 -t dsa | rsa   Choose the key type.
 -c comment     Provide the comment.
 -e file        Edit the comment/passphrase of the key.
 -p passphrase  Provide passphrase.
 -P             Assume empty passphrase.
 -?
 -h             Print this help text.
 -q             Suppress the progress indicator.
 -1             Convert a SSH 1.x key.
 -i file        Load and display information on `file'.
 -D file        Derive the public key from the private key 'file'.
 -B number      The number base for displaying key information (default 10).
 -V             Print ssh-keygen version number.
 -r file        Stir data from file to random pool.
 -F file        Dump fingerprint of file.  
YamSeng (ASKER)

In fact I thought the -F option would be able to give me what I want.  But it's just one line of output, which is different from what is contained in the hostkeys file.

ahoffmann

> .. I've looked at the OpenSSH man page ..
and
> .. Mine is not OpenSSH.
You need to make absolutely sure yourself about what you're using/talking about.  Otherwise any comment/suggestion here is useless.


About the fingerprint: it's a one-liner like:

1024 50:91:f0:ff:82:95:f4:f3:38:4d:ff:57:d5:fb:ee:2b user@some.where

That's all.  This is completely different from the file itself, of course; it's a fingerprint **and not** the file!
YamSeng (ASKER)

> You need to make absolutely sure yourself about what you're using/talking about.  Otherwise any comment/suggestion here is useless.

I did mention that my version of SSH is not OpenSSH.  And I have copied the output of the ssh -V command exactly: SSH V3.10.

I thought an OpenSSH version would be something like this:
OpenSSH Vx.xx

I also did the ssh-keygen --help as you requested.

I also mentioned I want to get the hostkey file in my question proper:
> How can I get the hostkey of SSH for connection to a particular host?


ahoffmann

Oops, didn't read your sentence about the ssh man page completely carefully, sorry.
You're right that ssh -V reports OpenSSH since 2.x, but not before, unfortunately.

So then, you don't use OpenSSH; you have to use -F.  Does this produce a string like the one I posted in my example?

> How can I get the hostkey of SSH for connection to a particular host?
You don't need to; ssh does it on the fly.
YamSeng (ASKER)

Yes, it produces a one-line string.  But what I want is to generate the file in advance so that it doesn't prompt me when I connect to the host/port with ssh.

I thought this hostkey is somewhat associated with the fingerprint, because whenever I connect the first time to a host/port it prompts about generating the hostkey file and also advises that the fingerprint can be generated with the -F option.

> Currently I want to execute ssh non-interactively and this prompting of hostkey generating is stopping my script from running non-interactively.  But this only happens the first time.  After that no problem because the hostkey is generated.
>
> So is it possible for me to generate the hostkey with a hostname and port given, before I run the ssh command?  Because I understand that the hostkey filename has the hostname and port of the target host.

ahoffmann

Add the ssh_host_key.pub from the server to your known_hosts file.
YamSeng (ASKER)

Do you mean that I should copy the public key over and rename it as a known_hosts file?  But when I open up the public keys, they seem to be different.

I.e., at the client side, it says it'll generate a hostkey file.  When I open this hostkey file, it seems that the public key in the hostkey file is different from the actual public key at the server's side.

ahoffmann

Do you misunderstand SSH?
Let me explain:
  the server (sshd) needs and generates a key pair, where the public key (ssh_host_key.pub) is stored in the client's known_hosts file
  the client (ssh) generates a key pair where the public key is stored in the authorized_keys file of the user (who generated this key) on another host
YamSeng (ASKER)

So is it right to say that I cannot generate this known_hosts file myself?

That means the only way is still to run ssh the first time, get it to prompt me, then allow it to generate a hostkey file?

ahoffmann

> So is it right to say that I cannot generate this known_hosts file myself?
Of course not!  If anybody could generate host keys as (s)he likes, host keys would be obsolete.
Or can you make your own passport and use it to travel across borders?
YamSeng (ASKER)

Ok thanks ahoffmann.

So how is the fingerprint useful?  I don't seem to be able to see any use in getting the fingerprint, although when the hostkey file is generated, it did prompt that I can get the fingerprint by blah...

ahoffmann

With the fingerprint you can verify the public key; just compare it to the result of
  ssh-keygen -l -f ~/.ssh/known_hosts

And to be absolutely sure, make a phone call to the admin of the remote host and ask her/him for the fingerprint.  It should be easy to compare 16 bytes, while it would be difficult to compare the public key with roughly 240 bytes ;-)
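The two steps ahoffmann describes, adding the server's ssh_host_key.pub to the client's known_hosts and checking its fingerprint against one obtained out of band, as an added worked example that is not part of the original thread or of either SSH product. It assumes the OpenSSH public-key and known_hosts formats ("ssh-rsa AAAA... comment" and "[host]:port ssh-rsa AAAA..." for non-default ports) and the OpenSSH client options BatchMode and StrictHostKeyChecking, not the ssh.com ".ssh2/hostkeys" layout the asker was using; the key it fingerprints is a constructed toy, and the hostnames and paths are placeholders.

```python
"""Fingerprint an SSH host key obtained out-of-band and build the known_hosts
line for host:port, so a script never has to answer the first-connection
prompt.  Added example, not from the original thread.

Assumptions: OpenSSH public-key / known_hosts formats, not the ssh.com
".ssh2/hostkeys" layout; the key below is a constructed toy, not a real host."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian, with a leading 0x00 when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def make_rsa_public_blob(e: int, n: int) -> bytes:
    """RFC 4253 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def _split_fields(blob: bytes) -> list:
    """Decode the consecutive length-prefixed fields of a key blob."""
    fields, off = [], 0
    while off < len(blob):
        (flen,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + flen])
        off += 4 + flen
    return fields

def parse_public_key_line(line: str):
    """Split '<type> <base64> [comment]'; reject a blob whose embedded type differs."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2] if len(parts) == 3 else ""
    if _split_fields(blob)[0] != key_type.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    return key_type, blob, comment

def rsa_bits(blob: bytes) -> int:
    """Modulus size in bits, the first number 'ssh-keygen -l' prints."""
    fields = _split_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[2], "big").bit_length()

def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: 16 colon-separated hex bytes, the format quoted in the thread."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprints_match(blob: bytes, spoken: str) -> bool:
    """Constant-time comparison against a fingerprint the remote admin read out (either format)."""
    given = spoken.strip()
    if given.startswith("SHA256:"):
        return hmac.compare_digest(given, fingerprint_sha256(blob))
    if given.lower().startswith("md5:"):
        given = given[4:]
    return hmac.compare_digest(given.lower(), fingerprint_md5(blob))

def known_hosts_entry(host: str, port: int, pubkey_line: str) -> str:
    """Line to append to ~/.ssh/known_hosts; non-default ports use the [host]:port form."""
    key_type, blob, _comment = parse_public_key_line(pubkey_line)
    hostpat = host if port == 22 else f"[{host}]:{port}"
    return f"{hostpat} {key_type} {base64.b64encode(blob).decode()}"

def non_interactive_ssh_argv(host: str, port: int, known_hosts: str, command: str) -> list:
    """OpenSSH client arguments that fail instead of prompting when the key is missing or changed."""
    return ["ssh", "-p", str(port), "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes", "-o", f"UserKnownHostsFile={known_hosts}",
            host, command]

# Constructed toy key: e = 65537 and a 1024-bit n that is NOT a real RSA modulus;
# it only exercises the encoding and hashing above.
TOY_E, TOY_N = 65537, (1 << 1023) | 12345
SAMPLE_PUBKEY_LINE = ("ssh-rsa "
                      + base64.b64encode(make_rsa_public_blob(TOY_E, TOY_N)).decode()
                      + " root@build.example.net")
```

Usage: copy the server's ssh_host_key.pub over a trusted channel, feed it to known_hosts_entry() with the host and port your script will use, append the result to the known_hosts file, and confirm fingerprints_match() against the value the remote admin reads out before the first run; with StrictHostKeyChecking=yes and BatchMode=yes the client then errors out rather than prompting if the key is absent or has changed, which is what you want from an unattended job.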
YamSeng (ASKER)

Will there also be any programs that I can use that will help me to

1) Run ssh <host><port>
2) enter "yes" (to the question of generating a new host key)
3) exit.

So that I can automate this without interactivity?
YamSeng (ASKER)

ahoffmann, would you want me to settle this question first and grade you, then open a new question in this topic area for the above question?

Or I can just double the points when you answer here?
ASKER CERTIFIED SOLUTION
ahoffmann
YamSeng (ASKER)

OK.  I'll grade you for this one first and post another question for the expect program... thanks