Solved

SSH fingerprint and hostkey

Posted on 2002-06-05
Last Modified: 2008-02-01
How can I get the hostkey of SSH for connection to a particular host?

I am currently using public-key authentication and so I do not need to key in the password.  But every first time I connect to a new host, it checks the ".ssh2/hostkeys" directory to see if the host keys are found.  If it's not found, then it'll generate one on the fly.  

Because currently, I want to execute ssh non-interactively and this prompting of hostkey generating is stopping my script from running non-interactively.  But this only happens the first time.  After that no problem because the hostkey is generated.

So is it possible for me to generate the hostkey with a hostname and port given, before I run the ssh command?  Because I understand that the hostkey filename has the hostname and port of the target host.

Thanks
Yam
Question by YamSeng

24 Comments

Expert Comment by ahoffmann:
> .. get the hostkey ...
ssh-keygen -l -f /etc/ssh/ssh_host_key.pub

Keep in mind that the fingerprint *has to be* transmitted in a non-compromisable way (like a phone call to the admin), 'cause ssh relies on these keys; the fingerprint is the simple proof for a valid key.
ssh therefore does not provide a way to fetch such fingerprints remotely from an ssh server, for obvious reasons.

Author Comment by YamSeng:
ahoffmann, I tried your command, but realised that -l is not a valid option in my ssh-keygen.

I tried both ssh-keygen or ssh-keygen2....both give me the same results.  

"illegal option -- l"

Expert Comment by ahoffmann:
Which ssh do you use? Probably simply check your man pages.
-l works for all my OpenSSH (1.3, 2.3, 2.5, 2.9, 3.0, 3.2)

Author Comment by YamSeng:
SSH Secure Shell 3.1.0 (non-commercial version) on i686-pc-linux-gnu.

Author Comment by YamSeng:
What exactly does -l do for your openssh?  I've looked at the OpenSSH man page and it seems to me that it's quite similar to -F option in my ssh3.10.

Basically, the -F option in my version dumps the fingerprint of the public key.  Hmm....I wonder is the fingerprint what I really need?  Does generating the host-key file require the fingerprint? I'm a little confused actually......

I've seen another website that mentioned a command called "make-ssh-known-hosts". But I can't find this command on my linux box.

Author Comment by YamSeng:
I have a feeling that the hostkey file is quite similar to the public key file on the target machine. But when I compare these 2 public key files, they are different.

Expert Comment by ahoffmann:
from man ssh-keygen
...
   -l   Show fingerprint of specified private or public key file.
...

This is for all *my* OpenSSH versions. Where did you get a ssh-keygen with an -F option?
What does
   ssh-keygen --help
print?

Author Comment by YamSeng:
Mine is not OpenSSH.

This is the output of ssh-keygen --help.

Usage: ssh-keygen [options] [key1 key2 ...]

Where `options' are:
 -b nnn         Specify key strength in bits (e.g. 1024)
 -t dsa | rsa   Choose the key type.
 -c comment     Provide the comment.
 -e file        Edit the comment/passphrase of the key.
 -p passphrase  Provide passphrase.
 -P             Assume empty passphrase.
 -?
 -h             Print this help text.
 -q             Suppress the progress indicator.
 -1             Convert a SSH 1.x key.
 -i file        Load and display information on `file'.
 -D file        Derive the public key from the private key 'file'.
 -B number      The number base for displaying key information (default 10).
 -V             Print ssh-keygen version number.
 -r file        Stir data from file to random pool.
 -F file        Dump fingerprint of file.  

Author Comment by YamSeng:
In fact I thought the -F option would be able to give me what I want.  But it's just one line of output which is different from what is contained in the hostkeys file.

Expert Comment by ahoffmann:
> .. I've looked at the OpenSSH man page ..
and
> ..Mine is not OpenSSH.
You need yourself to make absolutely sure about what you're using/talking. Otherwise any comment/suggestion here is useless.


About the fingerprint: it's a one-liner like:

1024 50:91:f0:ff:82:95:f4:f3:38:4d:ff:57:d5:fb:ee:2b user@some.where

that's all. This is completely different to the file itself, of course, it's a fingerprint **and not** the file !

Author Comment by YamSeng:
>> You need yourself to make absolutely sure about what you're using/talking. Otherwise any comment/suggestion here is useless.
I did mention that my version of SSH is not OpenSSH. And I have copied the output of the ssh -V command exactly.  SSH V3.10.

I thought an OpenSSH version would be something like this
OpenSSH Vx.xx

I also did the ssh-keygen --help as you requested.

I also mentioned I want to get the hostkey file in my question proper.
>> How can I get the hostkey of SSH for connection to a particular host?



Expert Comment by ahoffmann:
oops, didn't read your sentence about the ssh man page completely carefully, sorry.
You're right that ssh -V reports OpenSSH since 2.x, but not before, unfortunately.

So then you don't use OpenSSH, you have to use -F. Does this produce a string like the one I posted in my example?

>>> How can I get the hostkey of SSH for connection to a particular host?
You don't need to; ssh does it on the fly.

Author Comment by YamSeng:
Yes, it produces a one-line string.  But what I want is to generate the file in advance so that it doesn't prompt me when I connect to the host/port with ssh.

I thought this hostkey is somewhat associated with the fingerprint because whenever I connect the first time to a host/port it prompts the generating of the hostkey file and also advises that the fingerprint could be generated with the -F option.

>>Coz currently, I want to execute ssh
>>non-interactively and this prompting of
>>hostkey generating is stopping
>>my script from running non-interactively.
>>But this only happens the first time.  After
>> that no problem coz the hostkey is generated.

>>So is it possible for me to generate
>>the hostkey with a hostname and port given,
>> before I run the ssh command?  Coz I
>> understand that the hostkey filename has
>> the hostname and port of the target host.




Expert Comment by ahoffmann:
add the ssh_host_key.pub from the server to your known_hosts file

Author Comment by YamSeng:
Do you mean that I should copy the public key over and rename it as a known_host file?  But when I open up the public keys, they seem to be different.

ie, when at the client side, it says it'll generate a hostkey file. When I open this hostkey file, it seems that the public key in the hostkey file is different from the actual public key at the server's side.

Expert Comment by ahoffmann:
do you misunderstand SSH?
Let me explain:
  the server (sshd) needs and generates a key pair, where the public key (ssh_host_key.pub) is stored in the client's known_hosts file
  the client (ssh) generates a key pair where the public key is stored in the authorized_keys file of the user (who generated this key) on another host

Author Comment by YamSeng:
So is it right to say that I cannot generate this known_host file myself?

That means the only way is still to run ssh first time, get it to prompt me, then allow it to generate a hostkey file?

Expert Comment by ahoffmann:
> so is that right to say that I cannot generate this known_host file myself?
Of course not! If anybody generates host keys as (s)he likes, host keys would be obsolete.
Or can you make your own passport and use it to travel across borders?

Author Comment by YamSeng:
Ok thanks ahoffmann.

So how is the fingerprint useful?  I don't seem to be able to see any use in getting the fingerprint, although when the hostkey file is generated, it did prompt that I can get the fingerprint by blah.......

Expert Comment by ahoffmann:
With the fingerprint you can verify the public key, just compare it to the result of
  ssh-keygen -l -f ~/.ssh/known_hosts

And to be absolutely sure, make a phone call to the admin of the remote host and ask her/him for the fingerprint. It should be easy to compare 16 bytes, while it would be difficult to compare the public key of roughly 240 bytes ;-)
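A worked version of the two pieces of advice in this thread, added here as an example (it is not code from the thread or from either SSH implementation): ahoffmann's earlier suggestion to put the server's ssh_host_key.pub into your known_hosts file before the first connection, and the fingerprint comparison just described. It assumes OpenSSH conventions (one known_hosts line per key, the "[host]:port" form for a non-default port, the HashKnownHosts hashed host field, MD5 and SHA256 fingerprints of the decoded key blob); the SSH Secure Shell 3.1 client in the thread keeps one file per host under .ssh2/hostkeys instead, so the file layout differs but the verification logic is the same. The key bytes, the host name build.example and the port 2222 are constructed for the example.

```python
"""Pre-seeding and verifying an SSH host key entry (added example, not from the thread).

Assumes OpenSSH known_hosts conventions:
  - one line per key: "<host pattern> <key type> <base64 key blob>"
  - a non-default port is written as "[host]:port"
  - with HashKnownHosts the pattern is "|1|b64(salt)|b64(HMAC-SHA1(salt, host))"
  - the fingerprint is a hash of the decoded blob: MD5 shown as 16
    colon-separated hex bytes (the 16-byte form this thread talks about)
    or SHA256 shown as unpadded base64
The key bytes, host name and port below are constructed for the example.
"""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key):
    """Public key blob of an ssh-ed25519 key: string("ssh-ed25519") + string(key)."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def host_pattern(host, port=22):
    """Plain host field; only a non-default port gets the [host]:port form."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hash_host_pattern(host, port=22, salt=None):
    """HashKnownHosts form, so the file does not reveal which hosts you talk to."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host_pattern(host, port).encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pattern_matches(pattern, host, port=22):
    """True if a host field (plain, comma-separated list, or hashed) names host:port."""
    target = host_pattern(host, port)
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), target.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return target in pattern.split(",")


def known_hosts_line(pattern, keytype, blob):
    return "%s %s %s" % (pattern, keytype, base64.b64encode(blob).decode())


def parse_known_hosts_line(line):
    """Split a line into (pattern, keytype, blob); the blob must carry the declared type."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    pattern, keytype, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    if not blob.startswith(ssh_string(keytype.encode())):
        raise ValueError("key type field does not match the key blob")
    return pattern, keytype, blob


def fingerprint_md5(blob):
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_matches(blob, expected):
    """Compare the fingerprint the admin read out over the phone with the computed one."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        computed = fingerprint_sha256(blob)
    else:
        computed = fingerprint_md5(blob)
        if expected.startswith("MD5:"):
            expected = expected[4:]
        expected = expected.lower()
    return hmac.compare_digest(computed.encode(), expected.encode())


def seed_entry_if_fingerprint_ok(host, port, keytype, blob, admin_fingerprint):
    """The pre-seeding step: emit a known_hosts line only when the key you were
    handed matches the fingerprint obtained out of band; None means refuse."""
    if not fingerprint_matches(blob, admin_fingerprint):
        return None
    return known_hosts_line(hash_host_pattern(host, port), keytype, blob)


# Constructed sample: 32 bytes standing in for a server's ed25519 public key.
SAMPLE_BLOB = make_ed25519_blob(bytes(range(32)))
SAMPLE_LINE = known_hosts_line(host_pattern("build.example", 2222), "ssh-ed25519", SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(fingerprint_md5(SAMPLE_BLOB))
    print(fingerprint_sha256(SAMPLE_BLOB))
```

Once the entry is in known_hosts the first connection no longer prompts, which is what the script in the question needs; with OpenSSH you would additionally run the client with -o StrictHostKeyChecking=yes -o BatchMode=yes so that an unknown or changed key makes the job fail instead of waiting for input. Answering "yes" automatically with expect, as proposed at the end of the thread, accepts whatever key the far end presents and gives up exactly the check that the fingerprint exists for.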
 
Author Comment by YamSeng:
Will there also be any programs that I can use that will help me to

1) Run ssh <host><port>
2) enter "yes" (to the question of generating a new host key)
3) exit.

So that I can automate this without interactivity?

Author Comment by YamSeng:
ahoffmann, would you want me to settle this question first?  grade you.  Then open a new question in this topic area again for the above question?

Or I can just double the points when you answered here?

Accepted Solution by ahoffmann (earned 50 total points):
1) 2) 3) yes: expect

Yes I also have the feeling that this question got a detailed answer.

Author Comment by YamSeng:
ok.  I'll grade you for this one first and post another question for expect program......thanks