Shell/Fingerprints: Unterschied zwischen den Versionen

Aus Doc-Wiki
Zur Navigation springen Zur Suche springen
imported>Burghardt
imported>Burghardt
Zeile 41: Zeile 41:
 
</pre>
 
</pre>
   
  +
If you are using an old client you need to check the deprecated MD5 checksum:
Force display of MD5 checksum:
 
 
<pre>
 
<pre>
 
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -E MD5 -f $F; done
 
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -E MD5 -f $F; done

Version vom 3. April 2017, 09:28 Uhr


While older ssh-versions relied on MD5 (Message Digest number five) for generating a fingerprint this is considered "unsafe" for some time now. The current implementation uses SHA256 by default.

Current fingerprints as of April 2017

Older Servers

Included in debian Jessie, Ubuntu Trusty and others. Used up until now in login, shell and all pool workstations:

~$ lsb_release  -d; for F in /etc/ssh/*.pub ; do  echo -e "\n$F:"; ssh-keygen -l -f $F; done
Description:	Ubuntu 14.04.5 LTS

/etc/ssh/ssh_host_ecdsa.pub:
256 07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd  root@nfsadm (ECDSA)

/etc/ssh/ssh_host_ed25519_key.pub:
256 93:11:29:c4:a2:03:e1:2d:b1:82:05:74:dd:a5:3b:9a  root@nfsadm (ED25519)

/etc/ssh/ssh_host_rsa_key.pub:
2048 de:db:6e:72:52:de:30:73:db:bb:6e:79:df:f9:2c:0d  root@nfsadm (RSA)

Newer Servers

Included in debian Stretch, Ubuntu Xenial and others. 'Soon to be used in login, shell and all pool workstations:

~$ lsb_release  -d; for F in /etc/ssh/*.pub ; do  echo -e "\n$F:"; ssh-keygen -l -f $F; done
Description:	Ubuntu 16.04.2 LTS

/etc/ssh/ssh_host_dsa_key.pub:
1024 SHA256:OpBcTf2pc3p3oUXKZvJ2773TULj6lskxYI/INZvLes8 root@c043 (DSA)

/etc/ssh/ssh_host_ecdsa_key.pub:
256 SHA256:IN1YJYjBWzm1irujENh5KVB6RxqXBGbvIT6WrGv++fw root@nfs (ECDSA)

/etc/ssh/ssh_host_ed25519_key.pub:
256 SHA256:P/gxfKUFA/5Gf9v5GOGQhcV3TgNzt9wS+moCKFjlUpo root@c009 (ED25519)

/etc/ssh/ssh_host_rsa_key.pub:
1024 SHA256:f7orU3tn+mVuMlv/CjnfJOF8dr4/VhPhZMtSirMIndQ root@c043 (RSA)

If you are using an old client you need to check the deprecated MD5 checksum:

~$ lsb_release  -d; for F in /etc/ssh/*.pub ; do  echo -e "\n$F:"; ssh-keygen -l -E MD5 -f $F; done
Description:	Ubuntu 16.04.2 LTS

/etc/ssh/ssh_host_dsa_key.pub:
1024 MD5:c0:e6:ac:3f:62:4c:4e:dc:cc:68:66:45:83:f2:23:9a root@c043 (DSA)

/etc/ssh/ssh_host_ecdsa_key.pub:
256 MD5:1a:04:8e:f5:7e:e6:44:6a:a8:1f:b7:f0:8c:40:f8:ff root@nfs (ECDSA)

/etc/ssh/ssh_host_ed25519_key.pub:
256 MD5:c5:fb:87:6c:78:29:32:90:ea:3d:3c:0d:9b:2c:83:bd root@c009 (ED25519)

/etc/ssh/ssh_host_rsa_key.pub:
1024 MD5:c6:82:13:00:60:c5:70:a7:60:6b:09:8d:c7:0b:b3:06 root@c043 (RSA)

Actually compare a fingerprint when establishing a session

As a client you need to verify the actually used key/fingerprint to those documented above. Depending on old/new implementations the exact behavior and output might be different:

older client

  • old server
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de
Host key fingerprint is 07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd
  • new server
~$ ssh -o VisualHostKey=yes newerserverinstance.informatik.uni-goettingen
Host key fingerprint is 1a:04:8e:f5:7e:e6:44:6a:a8:1f:b7:f0:8c:40:f8:ff


newer client

  • old server
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de
Host key fingerprint is SHA256:L+FCMj2bm8x/BfR8AdaaLnqTmFD35D0EYNlFG7a2dt8
  • old server
~$ ssh -o VisualHostKey=yes -o fingerprinthash=md5 shell.informatik.uni-goettingen.de
Host key fingerprint is MD5:07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd
  • new server
~$ ssh -o VisualHostKey=yes localhost 
Host key fingerprint is SHA256:IN1YJYjBWzm1irujENh5KVB6RxqXBGbvIT6WrGv++fw