YamSeng
asked on
SSH fingerprint and hostkey
How can I get the hostkey of SSH for connection to a particular host?
I am currently using public-key authentication and so I do not need to key in the password. But every first time I connect to a new host, it checks the ".ssh2/hostkeys" directory to see if the host keys are found. If it's not found, then it'll generate one on the fly.
Coz currently, I want to execute ssh non-interactively and this prompting of hostkey generating is stopping my script from running non-interactively. But this only happens the first time. After that no problem coz the hostkey is generated.
So is it possible for me to generate the hostkey with a hostname and port given, before I run the ssh command? Coz I understand that the hostkey filename has the hostname and port of the target host.
Thanks
Yam
ASKER
ahoffmann, I tried your command, but realised that -l is not a valid option in my ssh-keygen.
I tried both ssh-keygen or ssh-keygen2....both give me the same results.
"illegal option -- l"
Which ssh do you use? Probably simply check your man-pages.
-l works for all my OpenSSH (1.3, 2.3, 2.5, 2.9, 3.0, 3.2)
ASKER
SSH Secure Shell 3.1.0 (non-commercial version) on i686-pc-linux-gnu.
ASKER
What exactly does -l do for your openssh? I've looked at the OpenSSH man page and it seems to me that it's quite similar to -F option in my ssh3.10.
Basically, the -F option in my version dumps the fingerprint of the public key. Hmm....I wonder, is the fingerprint what I really need? Does generating the host-key file require the fingerprint? I'm a little confused actually......
I've seen another website that mentioned about a command called "make-ssh-known-hosts". But I can't find this command on my linux box.
ASKER
I have a feeling that the hostkey file is quite similar to the public key file on the target machine. But when I compare these 2 public key files, they are different.
from man ssh-keygen
...
-l Show fingerprint of specified private or public key file.
...
This is for all *my* OpenSSH versions. Where did you get a ssh-keygen with an -F option?
What does
ssh-keygen --help
print?
ASKER
Mine is not OpenSSH.
This is the output of ssh-keygen --help.
Usage: ssh-keygen [options] [key1 key2 ...]
Where `options' are:
-b nnn Specify key strength in bits (e.g. 1024)
-t dsa | rsa Choose the key type.
-c comment Provide the comment.
-e file Edit the comment/passphrase of the key.
-p passphrase Provide passphrase.
-P Assume empty passphrase.
-?
-h Print this help text.
-q Suppress the progress indicator.
-1 Convert a SSH 1.x key.
-i file Load and display information on `file'.
-D file Derive the public key from the private key 'file'.
-B number The number base for displaying key information (default 10).
-V Print ssh-keygen version number.
-r file Stir data from file to random pool.
-F file Dump fingerprint of file.
ASKER
In fact I thought the -F option would be able to give me what I want. But it's just one line of output, which is different from what is contained in the hostkeys file.
> .. I've looked at the OpenSSH man page ..
and
> ..Mine is not OpenSSH.
You need yourself to make absolutely sure about what you're using/talking. Otherwise any comment/suggestion here is useless.
About the fingerprint: it's a one-liner like:
1024 50:91:f0:ff:82:95:f4:f3:38:4d:ff:57:d5:fb:ee:2b user@some.where
that's all. This is completely different to the file itself, of course, it's a fingerprint **and not** the file !
ASKER
>> You need yourself to make absolutely sure about what you're using/talking. Otherwise any comment/suggestion here is useless.
I did mention that my version of SSH is not OpenSSH. And I have copied the output of the ssh -V command exactly. SSH V3.10.
I thought an OpenSSH version would be something like this
OpenSSH Vx.xx
I also did the ssh-keygen --help as you requested.
I also mentioned I want to get the hostkey file in my question proper.
>> How can I get the hostkey of SSH for connection to a particular host?
oops, didn't read your sentence about the ssh man-page completely carefully, sorry.
You're right that ssh -V reports OpenSSH since 2.x, but not before, unfortunately.
So then you don't use OpenSSH, you have to use -F. Does this produce a string as I posted in my example?
>> How can I get the hostkey of SSH for connection to a particular host?
You don't need to, ssh does it on the fly.
ASKER
Yes, it produces a 1 line string. But what I want is to generate the file in advance so that it doesn't prompt me when I connect to the host/port with ssh.
I thought this hostkey is somewhat associated with the fingerprint coz whenever I connect first time to a host/port it prompts the generating of the hostkey file and also advises that the fingerprint could be generated with the -F option.
>> Coz currently, I want to execute ssh non-interactively and this prompting of hostkey generating is stopping my script from running non-interactively. But this only happens the first time. After that no problem coz the hostkey is generated.
>> So is it possible for me to generate the hostkey with a hostname and port given, before I run the ssh command? Coz I understand that the hostkey filename has the hostname and port of the target host.
add the ssh_host_key.pub from the server to your known_hosts file
ASKER
Do you mean that I should copy the public key over and rename it as a known_host file? But when I open up the public keys, they seem to be different.
i.e., when at the client side, it says it'll generate a hostkey file. When I open this hostkey file, it seems that the public key in the hostkey file is different from the actual public key at the server's side.
do you misunderstand SSH?
Let me explain:
the server (sshd) needs and generates a key pair, where the public key (ssh_host_key.pub) is stored in the client's known_hosts file
the client (ssh) generates a key pair where the public key is stored in the authorized_keys file of the user (who generated this key) on another host
ASKER
So is it right to say that I cannot generate this known_host file myself?
That means the only way is still to run ssh first time, get it to prompt me, then allow it to generate a hostkey file?
> so is that right to say that I cannot generate this known_host file myself?
Of course not! If anybody generates host keys as (s)he likes, host keys would be obsolete.
Or can you make your own passport and use it to travel across borders?
ASKER
Ok thanks ahoffmann.
So how is the fingerprint useful? I don't seem to be able to see any use in getting the fingerprint, although when the hostkey file is generated, it did prompt that I can get the fingerprint by blah.......
with the fingerprint you can verify the public key, just compare it to the result of
ssh-keygen -l -f ~/.ssh/known_hosts
And to be absolutely sure, get a phone call to the admin of the remote host and ask her/him for the fingerprint. Should be easy to compare 16 bytes, while it would be difficult to compare the public key with roughly 240 bytes ;-)
ASKER
Will there also be any programs that I can use that will help me to
1) Run ssh <host><port>
2) enter "yes" (to the question of generating a new host key)
3) exit.
So that I can automate this without interactivity?
ASKER
ahoffman, would you want me to settle this question first? grade you. Then open a new question in this topic area again for the above question?
Or I can just double the points when you answered here?
ASKER CERTIFIED SOLUTION
ASKER
ok. I'll grade you for this one first and post another question for expect program......thanks
ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
Keep in mind that the fingerprint *has to be* transmitted in a non-compromisable way (like a phone call to the admin), 'cause ssh relies on these keys; the fingerprint is the simple proof for a valid key.
ssh therefore does not provide a way to fetch such fingerprints remotely from a ssh-server, for obvious reasons.
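The two fingerprint commands in this thread (`ssh-keygen -l -f ~/.ssh/known_hosts` on the client, `ssh-keygen -l -f /etc/ssh/ssh_host_key.pub` on the server) hash the same thing: the public key blob that the base64 field of a known_hosts line encodes. As an added example, not code from this thread or from either SSH implementation, the Python below rebuilds that computation for an OpenSSH-format known_hosts line so a script can check the value the remote admin read out over the phone; the host names and RSA numbers are constructed and are not a real key.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """Length-prefixed SSH 'string' (RFC 4251 wire format)."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a leading zero byte if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def rsa_public_blob(e: int, n: int) -> bytes:
    """The ssh-rsa public key blob: 'ssh-rsa', e, n (what the base64 field encodes)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """16-byte MD5 of the blob as colon-separated hex: the form older ssh-keygen -l printed."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def sha256_fingerprint(blob: bytes) -> str:
    """Newer ssh-keygen -l form: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_known_hosts_line(line: str):
    """One OpenSSH known_hosts line: 'host[,host...] keytype base64-blob [comment]'."""
    hosts, keytype, b64 = line.split()[:3]
    return hosts.split(","), keytype, base64.b64decode(b64)

def fingerprint_matches(line: str, expected: str) -> bool:
    """Check the fingerprint obtained out of band against the host key stored locally."""
    blob = parse_known_hosts_line(line)[2]
    exp = expected.strip()
    if exp.upper().startswith("MD5:"):      # newer ssh-keygen prefixes MD5 output this way
        exp = exp[4:]
    if exp.startswith("SHA256:"):
        return exp == sha256_fingerprint(blob)
    return exp.lower() == md5_fingerprint(blob)

# Constructed sample: these numbers are NOT a real RSA key, just a well-formed blob.
SAMPLE_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF0F1E2D3C4B5A6978)
SAMPLE_LINE = "some.where,10.0.0.5 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@some.where"

if __name__ == "__main__":
    print("stored key MD5    :", md5_fingerprint(SAMPLE_BLOB))
    print("stored key SHA256 :", sha256_fingerprint(SAMPLE_BLOB))
```

A mismatch means the key in known_hosts is not the one the server's admin is holding, which is exactly the case the thread's phone-call advice is meant to catch.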