Differences

This shows you the differences between the selected revisions of the page.

faq_hostkey 2017-09-12 faq_hostkey 2024-09-10 (current)
Line 3: Line 3:
You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus [[ssh_verifying_the_host_key|being able to verify it]] is an integral part of securing an SSH connection. It prevents [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus [[ssh_verifying_the_host_key|being able to verify it]] is an integral part of securing an SSH connection. It prevents [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]].
-===== Safely obtaining host key =====+===== [[obtaining]] Safely obtaining host key =====
In the real world, most administrators do not provide the host key fingerprint. In the real world, most administrators do not provide the host key fingerprint.
Line 19: Line 19:
If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the //Import cached host keys for checked sites// option is checked when [[ui_import|importing the sessions]]. If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the //Import cached host keys for checked sites// option is checked when [[ui_import|importing the sessions]].
-You can also have the fingerprint displayed in an %%SSH%% terminal using ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command (on *nix servers using OpenSSH server):+You can also have the fingerprint displayed in an %%SSH%% terminal using ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command (on *nix servers that use OpenSSH server). For example:
-<code> +<code bash
-ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key +ssh-keygen -l -f /etc/&lt;nohilite&gt;ssh&lt;/nohilite&gt;/ssh_host_rsa_key
-ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key +
-ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key+
</code> </code>
-Since OpenSSH 6.8, you have to add the ''-E md5'' switch to get the format needed for WinSCP.+To display all available host keys, you can use: 
 + 
 +<code bash>for f in /etc/<nohilite>ssh</nohilite>/ssh_host_*_key; do ssh-keygen -l -f "$f"; done</code> 
 + 
 +OpenSSH 6.8 and newer shows SHA-256 fingerprint by default. Older versions use MD5 fingerprint.
===== Host key of your virtual server ===== ===== Host key of your virtual server =====
Line 37: Line 39:
When writing a [[scripting|WinSCP script]] or [[library|code using WinSCP .NET assembly]], use the same methods as described previously to obtain the host key. When writing a [[scripting|WinSCP script]] or [[library|code using WinSCP .NET assembly]], use the same methods as described previously to obtain the host key.
-In scripting specify the expected fingerprint using ''[[scriptcommand_open#hostkey|-hostkey]]'' switch of an ''[[scriptcommand_open|open]]'' command. With .NET assembly, use ''[[library_sessionoptions#sshhostkeyfingerprint|SessionOptions.SshHostKeyFingerprint]]'' property.+In scripting specify the expected fingerprint using ''[[scriptcommand_open#hostkey|-hostkey]]'' switch of an ''[[scriptcommand_open|open]]'' command. With .NET assembly, use ''[[library_sessionoptions#sshhostkeyfingerprint|SessionOptions.SshHostKeyFingerprint]]'' property. Use SHA-256 fingerprint of the host key.
If you already have verified the host key for your GUI session, go to a //[[ui_fsinfo|Server and Protocol Information Dialog]]// and see a //Server Host key Fingerprint// box. You can have [[ui_generateurl|WinSCP generate the script or code]] for you, including the ''-hostkey'' switch or ''SessionOptions.SshHostKeyFingerprint'' property. If you already have verified the host key for your GUI session, go to a //[[ui_fsinfo|Server and Protocol Information Dialog]]// and see a //Server Host key Fingerprint// box. You can have [[ui_generateurl|WinSCP generate the script or code]] for you, including the ''-hostkey'' switch or ''SessionOptions.SshHostKeyFingerprint'' property.
Line 43: Line 45:
In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use ''-hostkey=*'' or ''[[library_sessionoptions#giveupsecurityandacceptanysshhostkey|SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey]]'' to blindly accept any host key. In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use ''-hostkey=*'' or ''[[library_sessionoptions#giveupsecurityandacceptanysshhostkey|SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey]]'' to blindly accept any host key.
-If you want to allow a user to manually verify the host key, use the ''[[library_session_scanfingerprint|Session.ScanFingerprint]]'' method to retrieve the key fingerprint. Then let the user to verify it and assign the verified value to the ''SessionOptions.SshHostKeyFingerprint'' property.+If you want to allow a user to manually verify the host key, use the ''[[library_session_scanfingerprint|Session.ScanFingerprint]]'' method to retrieve the key fingerprint. Then let the user to verify it and assign the verified value to the ''SessionOptions.SshHostKeyFingerprint'' property. For an example of an implementation see [[library_example_known_hosts|*]].

Last modified: by martin