faq_hostkey » Revisions »
Differences
This shows you the differences between the selected revisions of the page.
| faq_hostkey 2019-03-08 | faq_hostkey 2023-07-03 (current) | ||
| Line 3: | Line 3: | ||
| You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus [[ssh_verifying_the_host_key|being able to verify it]] is an integral part of securing an SSH connection. It prevents [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. | You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus [[ssh_verifying_the_host_key|being able to verify it]] is an integral part of securing an SSH connection. It prevents [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. | ||
| - | ===== Safely obtaining host key ===== | + | ===== [[obtaining]] Safely obtaining host key ===== |
| In the real world, most administrators do not provide the host key fingerprint. | In the real world, most administrators do not provide the host key fingerprint. | ||
| Line 19: | Line 19: | ||
| If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the //Import cached host keys for checked sites// option is checked when [[ui_import|importing the sessions]]. | If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the //Import cached host keys for checked sites// option is checked when [[ui_import|importing the sessions]]. | ||
| - | You can also have the fingerprint displayed in an %%SSH%% terminal using ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command (on *nix servers using OpenSSH server): | + | You can also have the fingerprint displayed in an %%SSH%% terminal using ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command (on *nix servers that use OpenSSH server). For example: |
| <code> | <code> | ||
| ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | ||
| - | ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key | ||
| - | ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key | ||
| </code> | </code> | ||
| - | Since OpenSSH 6.8, you have to add the ''-E md5'' switch to get the format needed for WinSCP. | + | To display all available host keys, you can use: |
| + | |||
| + | <code bash>for f in /etc/<nohilite>ssh</nohilite>/ssh_host_*_key; do ssh-keygen -l -f "$f"; done</code> | ||
| + | |||
| + | OpenSSH 6.8 and newer shows SHA-256 fingerprint by default. Older versions use MD5 fingerprint. | ||
| ===== Host key of your virtual server ===== | ===== Host key of your virtual server ===== | ||
| Line 43: | Line 45: | ||
| In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use ''-hostkey=*'' or ''[[library_sessionoptions#giveupsecurityandacceptanysshhostkey|SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey]]'' to blindly accept any host key. | In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use ''-hostkey=*'' or ''[[library_sessionoptions#giveupsecurityandacceptanysshhostkey|SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey]]'' to blindly accept any host key. | ||
| - | If you want to allow a user to manually verify the host key, use the ''[[library_session_scanfingerprint|Session.ScanFingerprint]]'' method to retrieve the key fingerprint. Then let the user to verify it and assign the verified value to the ''SessionOptions.SshHostKeyFingerprint'' property. | + | If you want to allow a user to manually verify the host key, use the ''[[library_session_scanfingerprint|Session.ScanFingerprint]]'' method to retrieve the key fingerprint. Then let the user to verify it and assign the verified value to the ''SessionOptions.SshHostKeyFingerprint'' property. For an example of an implementation see [[library_example_known_hosts|*]]. |