Differences
This shows you the differences between the selected revisions of the page.
faq_hostkey 2018-06-02 | faq_hostkey 2024-09-10 (current) | ||
Line 3: | Line 3: | ||
You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus [[ssh_verifying_the_host_key|being able to verify it]] is an integral part of securing an SSH connection. It prevents [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. | You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus [[ssh_verifying_the_host_key|being able to verify it]] is an integral part of securing an SSH connection. It prevents [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. | ||
- | ''Code Text''===== Safely obtaining host key ===== | + | ===== [[obtaining]] Safely obtaining host key ===== |
In the real world, most administrators do not provide the host key fingerprint. | In the real world, most administrators do not provide the host key fingerprint. | ||
- | |||
- | Fuck this stupid shit documentation. | ||
Instead you can ask anyone else who has a physical access to the server or who already knows the host key. The host key is only one and hence the same for all users. Also note that the host key fingerprint is generated from a public key part of the host key only. So it is not secret and can be safely sent over unencrypted (yet trusted) communication channels. | Instead you can ask anyone else who has a physical access to the server or who already knows the host key. The host key is only one and hence the same for all users. Also note that the host key fingerprint is generated from a public key part of the host key only. So it is not secret and can be safely sent over unencrypted (yet trusted) communication channels. | ||
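Review bot: the vandalism revert is the right call here, both the stray ''Code Text'' prefix on the heading and the abusive line after "In the real world ..." are dropped, and the surviving text matches the old revision otherwise. The new heading introduces an [[obtaining]] anchor; any existing links that target this section should be checked against that anchor name so they do not silently break. In the unchanged context line, "anyone else who has a physical access to the server" should read "anyone else who has physical access to the server".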
Line 21: | Line 19: | ||
If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the //Import cached host keys for checked sites// option is checked when [[ui_import|importing the sessions]]. | If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the //Import cached host keys for checked sites// option is checked when [[ui_import|importing the sessions]]. | ||
- | You can also have the fingerprint displayed in an %%SSH%% terminal using ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command (on *nix servers using OpenSSH server): | + | You can also have the fingerprint displayed in an %%SSH%% terminal using ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command (on *nix servers that use OpenSSH server). For example: |
- | <code> | + | <code bash> |
- | ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | + | ssh-keygen -l -f /etc/<nohilite>ssh</nohilite>/ssh_host_rsa_key |
- | ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key | + | |
- | ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key | + | |
</code> | </code> | ||
- | Since OpenSSH 6.8, you have to add the ''-E md5'' switch to get the format needed for WinSCP. | + | To display all available host keys, you can use: |
+ | |||
+ | <code bash>for f in /etc/<nohilite>ssh</nohilite>/ssh_host_*_key; do ssh-keygen -l -f "$f"; done</code> | ||
+ | |||
+ | OpenSSH 6.8 and newer shows SHA-256 fingerprint by default. Older versions use MD5 fingerprint. | ||
===== Host key of your virtual server ===== | ===== Host key of your virtual server ===== | ||
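Review bot: the replacement of the ''-E md5'' sentence with "OpenSSH 6.8 and newer shows SHA-256 fingerprint by default. Older versions use MD5 fingerprint." loses the practical instruction the old text carried, namely how to get a fingerprint in the other format when client and server disagree; since the ''-E'' switch was already documented on the removed line, consider keeping a short mention that ''ssh-keygen -l -E md5 -f ...'' still produces the MD5 form on 6.8 and newer for clients that need it. The sentence itself also needs grammar fixes: "OpenSSH 6.8 and newer show the SHA-256 fingerprint by default. Older versions show the MD5 fingerprint." The ''for f in /etc/ssh/ssh_host_*_key'' loop is a good replacement for the hard-coded rsa/dsa/ecdsa list because it also covers ed25519 keys; note that ''ssh-keygen -l'' on a private key path falls back to the matching ''.pub'' file, so the loop works for an unprivileged user who cannot read the private keys. The ''<nohilite>'' tags inside the ''<code bash>'' blocks are presentation markup; make sure they are not emitted into the copyable text.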
Line 39: | Line 39: | ||
When writing a [[scripting|WinSCP script]] or [[library|code using WinSCP .NET assembly]], use the same methods as described previously to obtain the host key. | When writing a [[scripting|WinSCP script]] or [[library|code using WinSCP .NET assembly]], use the same methods as described previously to obtain the host key. | ||
- | In scripting specify the expected fingerprint using ''[[scriptcommand_open#hostkey|-hostkey]]'' switch of an ''[[scriptcommand_open|open]]'' command. With .NET assembly, use ''[[library_sessionoptions#sshhostkeyfingerprint|SessionOptions.SshHostKeyFingerprint]]'' property. | + | In scripting specify the expected fingerprint using ''[[scriptcommand_open#hostkey|-hostkey]]'' switch of an ''[[scriptcommand_open|open]]'' command. With .NET assembly, use ''[[library_sessionoptions#sshhostkeyfingerprint|SessionOptions.SshHostKeyFingerprint]]'' property. Use SHA-256 fingerprint of the host key. |
If you already have verified the host key for your GUI session, go to a //[[ui_fsinfo|Server and Protocol Information Dialog]]// and see a //Server Host key Fingerprint// box. You can have [[ui_generateurl|WinSCP generate the script or code]] for you, including the ''-hostkey'' switch or ''SessionOptions.SshHostKeyFingerprint'' property. | If you already have verified the host key for your GUI session, go to a //[[ui_fsinfo|Server and Protocol Information Dialog]]// and see a //Server Host key Fingerprint// box. You can have [[ui_generateurl|WinSCP generate the script or code]] for you, including the ''-hostkey'' switch or ''SessionOptions.SshHostKeyFingerprint'' property. | ||
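Review bot: the added sentence "Use SHA-256 fingerprint of the host key." is terse and missing an article; suggest "Use the SHA-256 fingerprint of the host key." It would also help to say whether the MD5 form is still accepted for compatibility, since the previous section states that older OpenSSH versions only show an MD5 fingerprint, and a reader on such a server is otherwise left without a way to produce the value this sentence asks for.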
Line 45: | Line 45: | ||
In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use ''-hostkey=*'' or ''[[library_sessionoptions#giveupsecurityandacceptanysshhostkey|SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey]]'' to blindly accept any host key. | In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use ''-hostkey=*'' or ''[[library_sessionoptions#giveupsecurityandacceptanysshhostkey|SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey]]'' to blindly accept any host key. | ||
- | If you want to allow a user to manually verify the host key, use the ''[[library_session_scanfingerprint|Session.ScanFingerprint]]'' method to retrieve the key fingerprint. Then let the user to verify it and assign the verified value to the ''SessionOptions.SshHostKeyFingerprint'' property. | + | If you want to allow a user to manually verify the host key, use the ''[[library_session_scanfingerprint|Session.ScanFingerprint]]'' method to retrieve the key fingerprint. Then let the user to verify it and assign the verified value to the ''SessionOptions.SshHostKeyFingerprint'' property. For an example of an implementation see [[library_example_known_hosts|*]]. |
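Review bot: in the unchanged part of the edited line, "Then let the user to verify it" should be "Then let the user verify it". The new cross-reference to [[library_example_known_hosts|*]] is a useful addition; since this paragraph immediately follows the one describing ''-hostkey=*'' and ''GiveUpSecurityAndAcceptAnySshHostKey'', it would read better if the sentence said what the linked example demonstrates, so the reader sees the manual-verification flow as the recommended alternative to blindly accepting any key rather than as an afterthought.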