Shell/Fingerprints: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
imported>Burghardt |
imported>Burghardt |
||
| Zeile 1: | Zeile 1: | ||
| + | __NOTOC__ |
||
* Back to [[Shell]] |
* Back to [[Shell]] |
||
| − | While older ssh-versions relied on MD5 (Message Digest number five) for generating a fingerprint this is considered "unsafe" for some time now. The current implementation uses SHA256 by default. |
+ | While older ssh-versions relied on [[MD5]] (Message Digest number five) for generating a fingerprint this is considered "unsafe" for some time now. The current implementation uses [[SHA256]] by default. |
== Current fingerprints as of April 2017 == |
== Current fingerprints as of April 2017 == |
||
=== Older Servers === |
=== Older Servers === |
||
| − | Included in debian Jessie, Ubuntu Trusty and others. Used ''up until now'' in <tt>login</tt>, <tt>shell</tt> and all pool workstations: |
+ | Included in [[debian]] [[Jessie]], [[Ubuntu]] [[Trusty]] and others. Used ''up until now'' in <tt>login</tt>, <tt>shell</tt> and all pool workstations: |
<pre> |
<pre> |
||
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -f $F; done |
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -f $F; done |
||
| Zeile 23: | Zeile 24: | ||
=== Newer Servers === |
=== Newer Servers === |
||
| − | Included in debian Stretch, Ubuntu Xenial and others. ''Soon to be used'' in <tt>login</tt>, <tt>shell</tt> and all pool workstations: |
+ | Included in debian [[Stretch]], Ubuntu [[Xenial]] and others. ''Soon to be used'' in <tt>login</tt>, <tt>shell</tt> and all pool workstations: |
<pre> |
<pre> |
||
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -f $F; done |
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -f $F; done |
||
| Zeile 62: | Zeile 63: | ||
As a client you need to verify the actually used key/fingerprint to those documented above. Depending on old/new implementations the exact behavior and output might be different: |
As a client you need to verify the actually used key/fingerprint to those documented above. Depending on old/new implementations the exact behavior and output might be different: |
||
| − | === older client === |
+ | === Using an '''older''' client === |
| − | * old server |
+ | * connecting to an '''old''' server |
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de |
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de |
||
Host key fingerprint is 07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd |
Host key fingerprint is 07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd |
||
| − | * |
+ | * connecting to a '''newer''' server |
~$ ssh -o VisualHostKey=yes newerserverinstance.informatik.uni-goettingen |
~$ ssh -o VisualHostKey=yes newerserverinstance.informatik.uni-goettingen |
||
Host key fingerprint is 1a:04:8e:f5:7e:e6:44:6a:a8:1f:b7:f0:8c:40:f8:ff |
Host key fingerprint is 1a:04:8e:f5:7e:e6:44:6a:a8:1f:b7:f0:8c:40:f8:ff |
||
| − | === newer client === |
+ | === Using a '''newer''' client === |
| − | * old server |
+ | * connecting to an '''old''' server |
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de |
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de |
||
Host key fingerprint is SHA256:L+FCMj2bm8x/BfR8AdaaLnqTmFD35D0EYNlFG7a2dt8 |
Host key fingerprint is SHA256:L+FCMj2bm8x/BfR8AdaaLnqTmFD35D0EYNlFG7a2dt8 |
||
| − | * old server |
+ | * connecting to an '''old''' server |
~$ ssh -o VisualHostKey=yes -o fingerprinthash=md5 shell.informatik.uni-goettingen.de |
~$ ssh -o VisualHostKey=yes -o fingerprinthash=md5 shell.informatik.uni-goettingen.de |
||
Host key fingerprint is MD5:07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd |
Host key fingerprint is MD5:07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd |
||
| − | * |
+ | * connecting to a '''newer''' server |
~$ ssh -o VisualHostKey=yes localhost |
~$ ssh -o VisualHostKey=yes localhost |
||
Host key fingerprint is SHA256:IN1YJYjBWzm1irujENh5KVB6RxqXBGbvIT6WrGv++fw |
Host key fingerprint is SHA256:IN1YJYjBWzm1irujENh5KVB6RxqXBGbvIT6WrGv++fw |
||
| + | == See also == |
||
| − | |||
| − | * |
+ | * [[Shell]] |
Version vom 3. April 2017, 11:44 Uhr
- Back to Shell
While older ssh-versions relied on MD5 (Message Digest number five) for generating a fingerprint this is considered "unsafe" for some time now. The current implementation uses SHA256 by default.
Current fingerprints as of April 2017
Older Servers
Included in debian Jessie, Ubuntu Trusty and others. Used up until now in login, shell and all pool workstations:
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -f $F; done Description: Ubuntu 14.04.5 LTS /etc/ssh/ssh_host_ecdsa.pub: 256 07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd root@nfsadm (ECDSA) /etc/ssh/ssh_host_ed25519_key.pub: 256 93:11:29:c4:a2:03:e1:2d:b1:82:05:74:dd:a5:3b:9a root@nfsadm (ED25519) /etc/ssh/ssh_host_rsa_key.pub: 2048 de:db:6e:72:52:de:30:73:db:bb:6e:79:df:f9:2c:0d root@nfsadm (RSA)
Newer Servers
Included in debian Stretch, Ubuntu Xenial and others. Soon to be used in login, shell and all pool workstations:
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -f $F; done Description: Ubuntu 16.04.2 LTS /etc/ssh/ssh_host_dsa_key.pub: 1024 SHA256:OpBcTf2pc3p3oUXKZvJ2773TULj6lskxYI/INZvLes8 root@c043 (DSA) /etc/ssh/ssh_host_ecdsa_key.pub: 256 SHA256:IN1YJYjBWzm1irujENh5KVB6RxqXBGbvIT6WrGv++fw root@nfs (ECDSA) /etc/ssh/ssh_host_ed25519_key.pub: 256 SHA256:P/gxfKUFA/5Gf9v5GOGQhcV3TgNzt9wS+moCKFjlUpo root@c009 (ED25519) /etc/ssh/ssh_host_rsa_key.pub: 1024 SHA256:f7orU3tn+mVuMlv/CjnfJOF8dr4/VhPhZMtSirMIndQ root@c043 (RSA)
If you are using an old client you need to check the deprecated MD5 checksum:
~$ lsb_release -d; for F in /etc/ssh/*.pub ; do echo -e "\n$F:"; ssh-keygen -l -E MD5 -f $F; done Description: Ubuntu 16.04.2 LTS /etc/ssh/ssh_host_dsa_key.pub: 1024 MD5:c0:e6:ac:3f:62:4c:4e:dc:cc:68:66:45:83:f2:23:9a root@c043 (DSA) /etc/ssh/ssh_host_ecdsa_key.pub: 256 MD5:1a:04:8e:f5:7e:e6:44:6a:a8:1f:b7:f0:8c:40:f8:ff root@nfs (ECDSA) /etc/ssh/ssh_host_ed25519_key.pub: 256 MD5:c5:fb:87:6c:78:29:32:90:ea:3d:3c:0d:9b:2c:83:bd root@c009 (ED25519) /etc/ssh/ssh_host_rsa_key.pub: 1024 MD5:c6:82:13:00:60:c5:70:a7:60:6b:09:8d:c7:0b:b3:06 root@c043 (RSA)
Actually compare a fingerprint when establishing a session
As a client you need to verify the actually used key/fingerprint to those documented above. Depending on old/new implementations the exact behavior and output might be different:
Using an older client
- connecting to an old server
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de Host key fingerprint is 07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd
- connecting to a newer server
~$ ssh -o VisualHostKey=yes newerserverinstance.informatik.uni-goettingen Host key fingerprint is 1a:04:8e:f5:7e:e6:44:6a:a8:1f:b7:f0:8c:40:f8:ff
Using a newer client
- connecting to an old server
~$ ssh -o VisualHostKey=yes shell.informatik.uni-goettingen.de Host key fingerprint is SHA256:L+FCMj2bm8x/BfR8AdaaLnqTmFD35D0EYNlFG7a2dt8
- connecting to an old server
~$ ssh -o VisualHostKey=yes -o fingerprinthash=md5 shell.informatik.uni-goettingen.de Host key fingerprint is MD5:07:84:c9:e1:59:4f:03:75:69:b1:e4:d0:b4:1f:9a:cd
- connecting to a newer server
~$ ssh -o VisualHostKey=yes localhost Host key fingerprint is SHA256:IN1YJYjBWzm1irujENh5KVB6RxqXBGbvIT6WrGv++fw