Getting and Verifying SSH Fingerprints

Sometimes you may log into a machine, and find that the SSH key has changed. This can happen in a man-in-the-middle attack, but more likely the host has been rebuilt and new keys generated. (This is a good reason to save and restore the SSH keys during a rebuild.)

So how do you check the fingerprints?

You can do it over the network by pulling down the public keys from the remote server:

ssh-keyscan -p 22 -t rsa,dsa remote_host > /tmp/ssh_host_rsa_dsa_key.pub

(Replace remote_host with the appropriate name or IP address.) Then you generate fingerprints from this file:

ssh-keygen -l -f /tmp/ssh_host_rsa_dsa_key.pub

However, if you are investigating why your keys changed mysteriously, you don’t want to do this over the network. Log into the actual server through other means (such as a management console or a KVM console) and generate fingerprints directly:

ssh-keygen -lf /etc/ssh/ssh_host_dsa_key
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key

Then compare these with what you got over the network. If they match, you should be all right; if not, there are some serious problems.
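The comparison above is easy to do by eye for two keys, but it helps to see what ssh-keygen -l is actually computing. The following is an added example, not code from the original post: it derives the SHA256 and MD5 fingerprints the way OpenSSH does (hash the raw base64-decoded key blob; base64 without padding for SHA256, colon-separated hex for MD5) and compares ssh-keyscan output against the host's own .pub files, key type by key type. The key blobs in it are constructed placeholder bytes, not real keys, so the fingerprints they produce are meaningless except for the comparison.

```python
import base64
import hashlib


def parse_key_line(line):
    """Return (keytype, raw_blob_bytes) from an OpenSSH public key line, or None.

    Accepts both the ssh-keyscan form ("host type base64 [comment]") and the
    *.pub form ("type base64 [comment]"). Blank lines and '#' comments are skipped.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # ssh-keyscan prefixes the host name; key types start with "ssh-" or "ecdsa-"
    if not fields[0].startswith(("ssh-", "ecdsa-")):
        fields = fields[1:]
    if len(fields) < 2:
        return None
    return fields[0], base64.b64decode(fields[1])


def fingerprint_sha256(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy MD5 fingerprint (ssh-keygen -l -E md5): colon-separated hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprints_by_type(text):
    """Map key type -> SHA256 fingerprint for every key line in the text."""
    result = {}
    for line in text.splitlines():
        parsed = parse_key_line(line)
        if parsed:
            keytype, blob = parsed
            result[keytype] = fingerprint_sha256(blob)
    return result


def compare_host_keys(network_text, local_text):
    """Compare keys seen over the network with keys read on the host itself.

    Returns {keytype: "MATCH" | "MISMATCH" | "ONLY-ON-NETWORK" | "ONLY-ON-HOST"}.
    A MISMATCH or ONLY-ON-NETWORK entry means something else is answering on
    that address with a key the real host does not have.
    """
    net = fingerprints_by_type(network_text)
    loc = fingerprints_by_type(local_text)
    report = {}
    for keytype in sorted(set(net) | set(loc)):
        if keytype not in loc:
            report[keytype] = "ONLY-ON-NETWORK"
        elif keytype not in net:
            report[keytype] = "ONLY-ON-HOST"
        elif net[keytype] == loc[keytype]:
            report[keytype] = "MATCH"
        else:
            report[keytype] = "MISMATCH"
    return report


# Constructed key blobs: arbitrary bytes, NOT real SSH keys.
RSA_BLOB = base64.b64encode(b"constructed RSA blob, not a real key").decode()
ED_BLOB = base64.b64encode(b"constructed Ed25519 blob, not a real key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed blob from a different host").decode()

# Constructed stand-in for `ssh-keyscan remote_host` output.
NETWORK_SCAN = f"""# remote_host:22 SSH-2.0-OpenSSH (constructed)
remote_host ssh-rsa {RSA_BLOB}
remote_host ssh-ed25519 {ROGUE_BLOB}
"""

# Constructed stand-in for the host's own /etc/ssh/ssh_host_*_key.pub files.
LOCAL_KEYS = f"""ssh-rsa {RSA_BLOB} root@remote_host
ssh-ed25519 {ED_BLOB} root@remote_host
"""

if __name__ == "__main__":
    for keytype, verdict in compare_host_keys(NETWORK_SCAN, LOCAL_KEYS).items():
        print(f"{keytype:15} {verdict}")
```

In real use, feed NETWORK_SCAN from the /tmp file the ssh-keyscan command above wrote, and LOCAL_KEYS from the .pub files read on the console; the RSA key matches here while the Ed25519 key does not, which is exactly the pattern that should start the ARP investigation described next.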

If the fingerprints don’t match, capture ARP traffic on the network and see which host is answering ARP requests for the relevant IP address. Capture ARP while you ping the address. If two hosts claim the same IP address, they will “fight” each other for the ARP entry, and you should see both responding.

Once you know the Ethernet address of the mysterious host, chase it down by tracking where its ARP traffic is going, looking at the router (or switch) interfaces along the way.
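Picking the two fighting hosts out of a capture by eye is tedious once the capture is more than a few lines long. The following is an added example, not code from the original post: it reads text lines in the format tcpdump prints for ARP replies (the "ARP, Reply A.B.C.D is-at xx:xx:xx:xx:xx:xx" form, which is an assumption about the capture tool's output) and reports every IP address that more than one Ethernet address has claimed. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# ARP reply line as printed by tcpdump (e.g. `tcpdump -n arp`); format assumed.
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def responders_by_ip(lines):
    """Map IP address -> set of Ethernet (MAC) addresses seen answering for it."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return seen


def conflicting_ips(lines):
    """Return {ip: [mac, ...]} for every IP answered by more than one host.

    Two MACs for one IP is the "fight" described above: the legitimate host and
    whatever else is claiming its address are both replying. The MAC addresses
    returned are what you then trace through the switch and router interfaces.
    """
    return {
        ip: sorted(macs)
        for ip, macs in responders_by_ip(lines).items()
        if len(macs) > 1
    }


# Constructed capture: 192.168.1.10 is answered by two different hosts,
# 192.168.1.1 by only one.
SAMPLE_CAPTURE = [
    "13:22:01.000101 ARP, Request who-has 192.168.1.10 tell 192.168.1.50, length 28",
    "13:22:01.000245 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:55, length 46",
    "13:22:01.000312 ARP, Reply 192.168.1.10 is-at 66:77:88:99:AA:BB, length 46",
    "13:22:02.000104 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28",
    "13:22:02.000230 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 46",
    "13:22:03.000109 ARP, Request who-has 192.168.1.10 tell 192.168.1.50, length 28",
    "13:22:03.000250 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:55, length 46",
]

if __name__ == "__main__":
    for ip, macs in conflicting_ips(SAMPLE_CAPTURE).items():
        print(f"{ip} is claimed by {len(macs)} hosts: {', '.join(macs)}")
```

Pipe a live capture into the script (reading sys.stdin instead of SAMPLE_CAPTURE) while the ping runs; an address that shows up in the output is the one whose Ethernet addresses you follow through the infrastructure.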

3 Responses to Getting and Verifying SSH Fingerprints

  1. Pingback: stick's corner » Getting SSH fingerprints for machines in your local network

  2. Pingback: stick's corner » Getting SSH fingerprints for machines in your network

  3. ddouthitt says:

    In stick’s corner, there is a comment that recommends MonkeySphere: a project that uses GPG for SSH key management. Worth checking into – MonkeySphere is in the Ubuntu repositories.
