Differences


Old revision: 2018-01-09, "updating obsolete information about azure public address" (martin)
New revision: 2018-01-09, "5.12 Bug 1589 Use SHA-256 host key fingerprints" (martin)
Line 15: Line 15:
  * Username: Use the username, that you created, when creating the virtual machine.   * Username: Use the username, that you created, when creating the virtual machine.
  * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]].   * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]].
-    * You can locate key fingerprint in server's initial start log, when host keys are generated.((Using ''cloud-init'' script.)) Go to the //Boot diagnostics// page, switch to //Serial log// tab and its and search for ''-----BEGIN %%SSH%% HOST KEY KEYS-----'': \\ <code>-----BEGIN SSH HOST KEY KEYS-----+    * You can locate key fingerprint in server's initial start log, when host keys are generated.((Using ''cloud-init'' script.)) Go to the //Boot diagnostics// page and switch to //Serial log// tab. Alternatively use ''[[https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/get-azurermvmbootdiagnosticsdata|Get-AzureRmVMBootDiagnosticsData]]'' command. 
 +    * //With the latest beta version of WinSCP (easier)//: &beta Search for ''-----BEGIN %%SSH%% HOST KEY FINGERPRINTS-----'': \\ <code>-----BEGIN SSH HOST KEY FINGERPRINTS----- 
 +1024 SHA256:dM0cbKRU1sxYVRTFW8P9/leLzuPndr7Z/fRpiIXBBT8 root@winscpubuntu (DSA) 
 +256 SHA256:eq62XW/s39mrDw8XMNfNsSRUjbK4VhqCRBQeE4tF2WA root@winscpubuntu (ECDSA) 
 +256 SHA256:J/9cttqvRWzmwc0Fyk26qIVsCuRo57phWj3xB3dGmLY root@winscpubuntu (ED25519) 
 +2048 SHA256:xd2ZT5TE/koVle4Gg8UoB2F4tA+SIL/06H98NXV2/+I root@winscpubuntu (RSA) 
 +-----END SSH HOST KEY FINGERPRINTS-----</code> Keep fingerprint for ''ED25519'' key.  
 +    * //With the latest stable version of WinSCP//: Search for ''-----BEGIN %%SSH%% HOST KEY KEYS-----'': \\ <code>-----BEGIN SSH HOST KEY KEYS-----
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOXBTK0rhHsOnu93hq/YsVBseEvu56WPkCwleBJb4QthaJ7j6Ih4O3dNJHkJ6xv8BxjeTNDoEnwOqJwHXbbmGWw= root@ubuntu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOXBTK0rhHsOnu93hq/YsVBseEvu56WPkCwleBJb4QthaJ7j6Ih4O3dNJHkJ6xv8BxjeTNDoEnwOqJwHXbbmGWw= root@ubuntu
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm root@ubuntu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm root@ubuntu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqn2SnEPSysG2n/v3lzSTH/7GwpwhxIyRfp0wYRDu1cIizjyiD7m8GQI2R2OqBGnole/s5c1BkP9/QOTtLGZQVta5kCT8t6Ph7soe7ST8Ee7ok45648zEeKqf4tGfyFTlSJOtNWEh9qAlx79pL7rxC6QphWqYNFDPuTjPigwGsVhznTWry8OJZnJuSQCM07UDP+995yrJLqjZxY6StOMELILamcYO6XdoQvF/a1byVTQnbKO6Mdt8V+J+RY8ibNeYdAjfO1dQuUZIHwf8HiS5nD1+IzeiEH4V6Hr7uDCR+1V6rRj93x/NvPgM6T99urb5Br+GYZ4wVkAsZOTg3OFTT root@ubuntu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqn2SnEPSysG2n/v3lzSTH/7GwpwhxIyRfp0wYRDu1cIizjyiD7m8GQI2R2OqBGnole/s5c1BkP9/QOTtLGZQVta5kCT8t6Ph7soe7ST8Ee7ok45648zEeKqf4tGfyFTlSJOtNWEh9qAlx79pL7rxC6QphWqYNFDPuTjPigwGsVhznTWry8OJZnJuSQCM07UDP+995yrJLqjZxY6StOMELILamcYO6XdoQvF/a1byVTQnbKO6Mdt8V+J+RY8ibNeYdAjfO1dQuUZIHwf8HiS5nD1+IzeiEH4V6Hr7uDCR+1V6rRj93x/NvPgM6T99urb5Br+GYZ4wVkAsZOTg3OFTT root@ubuntu
------END SSH HOST KEY KEYS-----</code> \\ Alternatively use ''[[https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/get-azurermvmbootdiagnosticsdata|Get-AzureRmVMBootDiagnosticsData]]'' command. \\ Look for Ed25519 key. The logged fingerprint of the key uses Base64-encoded SHA-256 hash of the key. While WinSCP uses hexadecimal-encoded MD5 hash of the key. To calculate the fingerprint in WinSCP format, execute this command in Windows PowerShell (after inserting the ''ssh-ed25519'' key): \\ <code powershell>Write-Host ([BitConverter]::ToString([Security.Cryptography.MD5]::Create().ComputeHash([Convert]::FromBase64String("AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm"))) -replace "-", ":").ToLower()</code>+-----END SSH HOST KEY KEYS-----</code> Look for ''ssh-ed25519'' key. The key is logged in Base64 encoding. To calculate MD5 fingerprint (the only format supported by the stable version of WinSCP), execute this command in Windows PowerShell (after inserting the ''ssh-ed25519'' key): \\ <code powershell>Write-Host ([BitConverter]::ToString([Security.Cryptography.MD5]::Create().ComputeHash([Convert]::FromBase64String("AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm"))) -replace "-", ":").ToLower()</code>
    * If you did not save the fingerprint on the first virtual machine, but you have another Azure virtual machine that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within a private Azure network keeps you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use the following commands to collect fingerprints: \\ <code>     * If you did not save the fingerprint on the first virtual machine, but you have another Azure virtual machine that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within a private Azure network keeps you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use the following commands to collect fingerprints: \\ <code>
$ ssh-keyscan <target_instance_private_ip> > azurekey $ ssh-keyscan <target_instance_private_ip> > azurekey
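Review bot: The stable-version branch (the "+" text ending in the PowerShell one-liner) never says which part of the logged line has to be pasted into Convert.FromBase64String; it should state that only the single Base64 token between "ssh-ed25519" and the "root@..." comment goes in, because pasting the key type or the comment (or any whitespace) changes the MD5 digest and the reader is then comparing against a wrong value. It would also help to say why the beta branch is preferred: comparing the SHA-256 line from the log directly removes the manual conversion step, and MD5 fingerprints are the legacy format (OpenSSH switched its ssh-keygen default to SHA-256 in 6.8). Two smaller points: the parent bullet reads "locate key fingerprint in server's initial start log" and should be "locate the key fingerprint in the server's initial start log"; and moving the Get-AzureRmVMBootDiagnosticsData link up to the parent bullet is the right call, since it applies to both the beta and the stable branch.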
Line 26: Line 33:
256 MD5:e5:27:88:a8:bc:f0:64:bb:3a:e7:71:e6:4d:a1:40:ed <private_ip> (ECDSA) 256 MD5:e5:27:88:a8:bc:f0:64:bb:3a:e7:71:e6:4d:a1:40:ed <private_ip> (ECDSA)
256 MD5:cf:35:d4:78:43:48:26:bf:dc:96:f4:63:8e:ee:35:5b <private_ip> (ED25519) 256 MD5:cf:35:d4:78:43:48:26:bf:dc:96:f4:63:8e:ee:35:5b <private_ip> (ED25519)
-</code> +</code> With the latest beta version of WinSCP, you can remove the ''-E md5'' to display SHA-256 fingerprints. &beta
    * If you do not have another trusted instance, you can create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using its initial start log. Then collect keys of the target instance by connecting to it from the temporary instance. After that you can discard the temporary instance.     * If you do not have another trusted instance, you can create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using its initial start log. Then collect keys of the target instance by connecting to it from the temporary instance. After that you can discard the temporary instance.
  * When creating new virtual machine, consider setting up public key authentication by pasting your public key to //%%SSH%% public key// box of the //Configure basic settings// steps. If you want to setup public key authentication later, you have to [[guide_public_key|set it up manually]].   * When creating new virtual machine, consider setting up public key authentication by pasting your public key to //%%SSH%% public key// box of the //Configure basic settings// steps. If you want to setup public key authentication later, you have to [[guide_public_key|set it up manually]].

Last modified: by martin