When initiating a connection by SSH to a server not known in the hosts file, it's common to get a message such as the following:

> The authenticity of host '[IP address]' can't be established.
> RSA key fingerprint is [checksum].
> Are you sure you want to continue connecting (yes/no)?

Is there a way to request the server to present the whole public key instead of the fingerprint?

SauceCode
  • Not what you asked, but [SSH certificates](https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu) are a great solution to this. – paj28 Nov 07 '16 at 21:22
  • Briefly, what problem would you say they solve? – SauceCode Nov 07 '16 at 21:30
  • Knowing whether to trust the server's key. You have a CA key (just for your organisation) that you sign all your server keys with. Then you install the CA public key on all your clients. They can then connect to any SSH server and automatically verify the key, just like when you connect to an https web site. – paj28 Nov 07 '16 at 21:31
  • No. There is no such option in OpenSSH. What problem are *you* trying to solve? The fingerprint is a safe representation of the server host key which should be human-readable, unlike the key itself. – Jakuje Nov 07 '16 at 22:09

1 Answer

You can use ssh-keyscan to get the information you want. It's primarily designed for gathering public keys over an initial trusted network connection and automatically adding them into the known_hosts file.

Xiong Chiamiov
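How the full key printed by ssh-keyscan relates to the fingerprint in the prompt, as an added example that is not part of the original answer: it parses one `host keytype base64` line, recomputes both fingerprint formats, and compares the result with a fingerprint obtained out of band. The sample key is constructed in the code, and `host.example` and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct

def parse_keyscan_line(line):
    """Parse one 'host keytype base64' line as printed by ssh-keyscan."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed algorithm name, which must
    # agree with the plain-text key type field.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return host, keytype, blob

def sha256_fingerprint(blob):
    """Format used in the prompt by OpenSSH 6.8 and later."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def md5_fingerprint(blob):
    """Colon-separated hex format shown by older OpenSSH clients."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def key_matches(line, trusted_fingerprint):
    """True if the scanned key hashes to a fingerprint obtained out of band."""
    _, _, blob = parse_keyscan_line(line)
    if trusted_fingerprint.startswith("SHA256:"):
        candidate = sha256_fingerprint(blob)
    else:
        candidate = md5_fingerprint(blob)
    return hmac.compare_digest(candidate, trusted_fingerprint)

def make_sample_line(key_bytes, host="host.example"):
    """Constructed ssh-ed25519 key line (not a real host key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"

if __name__ == "__main__":
    line = make_sample_line(bytes(range(32)))
    _, _, blob = parse_keyscan_line(line)
    print(line)
    print(sha256_fingerprint(blob))
    print(md5_fingerprint(blob))
```

A key fetched with ssh-keyscan is only as trustworthy as the network path it crossed, so the comparison is meaningful only when the trusted fingerprint came from another channel, such as the server's console.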