2

As I understand it, a host sends its public host key to the client to confirm it's the host the client intended to connect to. On initial login the host's public host key is added to the client's ~./ssh/known_hosts file or can pre-populated using ssh-keyscan.

This is fine for future logins, but how can I be sure that when I first login the host key is being sent from the host I intended to connect to and not one impersonating that host?

Many thanks.

tech-otaku
  • 21
  • 1

2 Answers2

1

In order to ensure 1st connection to ssh server, you have to verify his public host key.

For this, each new connection to an unknown host will prompt fingerprint and visual ascii graphic corresponding to host's public keys.

To make this verification, there are many different ways

  • Ask personely server's sysadmin for the fingerprint of the public host key (by phone, fax, meet or any trusted way)
  • Ask a confident friend who already done previous job
  • Go away but don't trust your connection until you could see physical proof you are on correct host (making a reverse connection from host, instant publication, etc).

From server side, when you install the SSH server, installation procedure implie host keys generation. At this point, all server keys are show with fingerprint and small ascii graphic you could check and compare.

This could be shown by the use of

ssh-keygen -lvf keyfile

Sample

mkdir /tmp/testsshkey && cd $_
ssh-keygen -b 1024 -f /tmp/testsshkey/key01
mv key01.pub other.pub
diff <(ssh-keygen -lvf key01) <(ssh-keygen -lvf other.pub )
1c1
< 1024 SHA256:7WuWSSOigkJ0UOPABdsrdkO3zYizPd3EfVpxb4XgeDk no comment (RSA)
---
> 1024 SHA256:7WuWSSOigkJ0UOPABdsrdkO3zYizPd3EfVpxb4XgeDk user@sondbox (RSA)

The only difference are in comments.

F. Hauri - Give Up GitHub
  • 4,597
  • 2
  • 19
  • 32
  • Perhaps I should've mentioned these are VPS instances I create. I ended-up generating private/public host key pairs locally then including those as `#cloud-config` data over a secure connection when creating the VPS instance. This way I know the host's public host key in advance. – tech-otaku Apr 11 '19 at 11:19
  • If you know your keys, you just need to compare output of `ssh-keygen -lvf` wich could be same on both private and public key. – F. Hauri - Give Up GitHub Apr 12 '19 at 09:55
0

Some more information would be good to understand your issue. Normally the server would us a certificate for authentication purposes. A third trusted party, called a Certificate Authority (CA) signs the certificate with it's own private key. Afterwards the certificate is ready to be verified by the client and authenticates the owner. When you trust the CA, you also trust the server.

m4rc0
  • 1
  • 1