To trust the first connection to an SSH server, you have to verify its public host key.
For this, each new connection to an unknown host prompts you with the fingerprint, and optionally a visual ASCII graphic, corresponding to the host's public key.
There are several ways to do this verification:
- Ask the server's sysadmin personally for the fingerprint of the public host key (by phone, fax, in person or any other trusted channel)
- Ask a trusted friend who has already done this verification
- Go ahead anyway, but don't trust the connection until you have seen physical proof that you are on the correct host (making a reverse connection from the host, an immediate publication of the fingerprint, etc.)
On the server side, when you install the SSH server, the installation procedure generates the host keys. At this point, every server key is shown with its fingerprint and a small ASCII graphic that you can check and compare.
This can be displayed with:
ssh-keygen -lvf keyfile
Sample:
mkdir /tmp/testsshkey && cd $_
ssh-keygen -b 1024 -f /tmp/testsshkey/key01
mv key01.pub other.pub
diff <(ssh-keygen -lvf key01) <(ssh-keygen -lvf other.pub)
1c1
< 1024 SHA256:7WuWSSOigkJ0UOPABdsrdkO3zYizPd3EfVpxb4XgeDk no comment (RSA)
---
> 1024 SHA256:7WuWSSOigkJ0UOPABdsrdkO3zYizPd3EfVpxb4XgeDk user@sondbox (RSA)
The only difference is in the comment: the fingerprint is computed over the key material alone, so renaming the file or changing the comment does not change it.
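As an added example (not part of the original answer), the following Python recomputes what ssh-keygen -lf prints from a public-key line, so the comparison against an out-of-band fingerprint can be scripted even on a machine without ssh-keygen. The ssh-ed25519 key it uses is constructed inline from dummy bytes purely for demonstration.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Split an OpenSSH public-key line into (type, key blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with an SSH string naming the key type; it must agree
    # with the declared type, otherwise the line is malformed or tampered.
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {embedded}")
    return key_type, blob, comment


def sha256_fingerprint(blob):
    """Default ssh-keygen -lf format: SHA256:<base64 without '=' padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob):
    """Legacy format (ssh-keygen -E md5 -lf): MD5:xx:xx:...:xx."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_of_line(line):
    _, blob, _ = parse_pubkey_line(line)
    return sha256_fingerprint(blob)


def verify_against_expected(line, expected):
    """The first-connection check: compare with the fingerprint obtained
    out of band (sysadmin, phone, trusted friend)."""
    return fingerprint_of_line(line) == expected


# Constructed sample: ssh-ed25519 wire blobs with dummy 32-byte points.
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

SAMPLE_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
OTHER_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))).decode()
LINE_NO_COMMENT = "ssh-ed25519 " + SAMPLE_B64
LINE_WITH_COMMENT = "ssh-ed25519 " + SAMPLE_B64 + " user@sandbox"
LINE_OTHER_KEY = "ssh-ed25519 " + OTHER_B64 + " user@sandbox"
```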