4

I have Linux server running sshd.

How to provide hostkey from the Linux server to plink.exe on Windows?

e.g.: for running plink.exe -ssh -batch -m plink.tmp -hostkey ...

Jeter-work
  • 825
  • 4
  • 15
cnd
  • 125
  • 1
  • 9
  • 1
    have you tried using PuttyGen? – djv Dec 14 '18 at 13:18
  • Both answers below (Gerald Schneider and bodgit) should provide the same host key fingerprint. If you have access to both systems, you should try both methods and confirm. Else, use the windows based solution from your Windows box. – Jeter-work Dec 20 '18 at 19:48

2 Answers2

6

You can use plink itself to get the host key:

c:\> plink -v -batch host
Connecting to 1.2.3.4 port 22
We claim version: SSH-2.0-PuTTY_Release_0.68
Server version: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
Host key fingerprint is:
ssh-rsa 2048 c6:e7:49:ec:07:5b:30:02:d9:57:dd:7f:39:e3:f3:35
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Disconnected: Unable to authenticate

The parameter -v (verbose) is needed for the additional information, -batch makes sure plink exits directly without a login (as long as username and password are not provided as well).

In the output you find Host key fingerprint is:, followed by the fingerprint in a hexadecimal format, in this case:

c6:e7:49:ec:07:5b:30:02:d9:57:dd:7f:39:e3:f3:35

This is the string you have to provide to plink -hostkey to confirm that the target host is actually the host it claims to be.

Gerald Schneider
  • 19,757
  • 8
  • 52
  • 79
  • 3
    Of course, if you don't yet trust the host, connecting to it to retrieve it's fingerprint to then trust it sort of defeats the point of the check. – bodgit Dec 19 '18 at 11:47
  • 1
    If you do it at the time of connecting to it, yes. But at one point you have to get the correct fingerprint. If you do it directly after setting up the target server and store the host key in a script that is supposed to be run later or regularly I don't see a problem. – Gerald Schneider Dec 19 '18 at 12:31
5

You can get the fingerprint of the key from the target host itself by running:

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /etc/ssh/ssh_host_rsa_key.pub (RSA)

Later versions of ssh-keygen default to SHA-256 so you can get the original MD5 behaviour with:

$ ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
2048 MD5:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /etc/ssh/ssh_host_rsa_key.pub (RSA)

Just strip off the MD5: prefix. Adjust the path to the key based on the value of your HostKey directives in /etc/ssh/sshd_config.

bodgit
  • 4,661
  • 13
  • 26