I know this is an old question, but I ran across this exact same problem today, and the OP's spot-on with the TOFU anti-security model, so here's what I used to avert the risk of MITM.
Normally, as the question implies, there really isn't a way to verify keys without somehow talking to the server admins. However...
...if you do have access to the server, you can display the fingerprint of an SSH key by running ssh-keygen -lf on either the public or the private key...
...and fortunately, at present DigitalOcean provides a web-based console to log directly into a droplet, thus giving you access to the server in question. To get to the console:
- Head to your Account Dashboard.
- In the sidebar, under the "Manage" heading, select "Droplets."
- Select the droplet for which you want to verify the fingerprint.
- It will probably bring up the "Graphs" subsection by default, but you'll want to select the "Access" subsection.
- From there you should see options to "Launch Console" or "Reset Root Password."
Now, since the DigitalOcean console expects you to log in as root, you'll need a root password. So if, like me, you chose to use the more secure SSH authentication when initially setting up the droplet, you can spare yourself some frustration and start by selecting "Reset Root Password." Once DigitalOcean sends you the new root password, proceed as follows:
- Select "Launch Console." To log in, the username is root, and the password is what you set (or the reset code DigitalOcean sent you). Tip: the console does accept copy-pasting, which is useful for password reset codes. Also, for a reset you'll immediately be asked to confirm the reset code and select a new password, so be prepared for that.
- Once you're in, cd to wherever your droplet's OS would store system-level SSH keys (for me, on an Ubuntu 18.04, it was under /etc/ssh; I used the method found in this answer).
- From there, run the following bash script (or similar for your OS's shell) to see all the fingerprints of all the keys:
for file in *; do ssh-keygen -lf "$file"; done;
(I did this as a 1-liner, punctuated as shown, and it worked for me; no clue if it's idiomatic bash-script. If it encounters non-key or password-protected private-key files, it'll note the fact and pass them by harmlessly. It was lifted with slight modifications from this helpful site)
- Compare the output shown with the original SSH authenticity challenge. If it doesn't match, you know there's a risk of Man in the Middle, and should not accept the key.
If anyone knows of an easier way, e.g. getting fingerprint info via DigitalOcean correspondence or some hidden part of the Dashboard, feel free to post another answer, and I'll gladly upvote it.
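
The comparison in the last step can also be done mechanically. The following is an added example, not part of the original answer: it recomputes the fingerprints that ssh-keygen -lf prints from host public key lines (SHA256 in base64, plus the MD5 colon-hex form older clients show) and checks them against the fingerprint from the SSH authenticity challenge. The function names and the sample key built by `make_sample_line` are constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_pub_line(line):
    """Split an OpenSSH public key line into (key_type, raw_key_blob)."""
    key_type, b64_blob = line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type;
    # a mismatch means the line is malformed or was altered.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii") != key_type:
        raise ValueError("key type field does not match key blob")
    return key_type, blob


def fingerprints(blob):
    """Return the fingerprint strings an SSH client may display for a key."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    hexmd5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(hexmd5[i:i + 2] for i in range(0, len(hexmd5), 2))
    return {"SHA256:" + sha, "MD5:" + md5, md5}


def matching_key(challenge_fp, pub_lines):
    """Return the key type whose fingerprint equals the challenge, else None."""
    wanted = challenge_fp.strip()
    for line in pub_lines:
        key_type, blob = parse_pub_line(line)
        if wanted in fingerprints(blob):
            return key_type
    return None


def make_sample_line(seed):
    """Constructed sample: an ssh-ed25519 line with 32 filler key bytes."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@example"


if __name__ == "__main__":
    host_keys = [make_sample_line(1), make_sample_line(2)]  # constructed
    _, blob = parse_pub_line(host_keys[1])
    shown = next(f for f in fingerprints(blob) if f.startswith("SHA256:"))
    print("challenge matches:", matching_key(shown, host_keys))
    print("unknown key matches:", matching_key(shown, host_keys[:1]))
```

On a real droplet, the input lines would be the contents of the .pub host key files, and the challenge string is whatever the SSH client printed.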