Wednesday 20 May 2015

Get the SSH fingerprint of an SSH server

If you've ever tried to connect to a new server over SSH, you will have seen a message similar to the following:

    # ssh iridium
    The authenticity of host '[foo]' can't be established.
    RSA key fingerprint is a2:b9:c5:d3:e5:fc:a6:b3:c7:da:e1:f0:ac:b9:c9:d5.
    Are you sure you want to continue connecting (yes/no)?

Then you may have wondered, "Well, what *is* the fingerprint of my server supposed to be?". To authenticate the host, you should run the command below on the server itself (at SSH server install time, or over a channel you already trust) to get your host's SSH fingerprint:

    # ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    2048 a2:b9:c5:d3:e5:fc:a6:b3:c7:da:e1:f0:ac:b9:c9:d5 root@foo (RSA)

You can then compare the two fingerprints to determine whether the server you're connecting to is in fact the one you intended to reach and not some sort of honeypot.
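To show what a fingerprint actually is, here is an added example (not code from the original post) that recomputes it from a public key line using only coreutils. The fingerprint is a hash over the base64-decoded key blob, the second field of a `.pub`, `authorized_keys` or `known_hosts` line: the colon-separated MD5 form shown above was the default before OpenSSH 6.8, and releases from 6.8 on print `SHA256:` followed by a base64 digest (pass `-E md5` to `ssh-keygen -l` to get the old form). The key line and its blob `YWJj` (base64 of `abc`) are constructed so the output can be checked against the published `abc` test vectors; the function names are this example's own.

```shell
# Added example (not from the original post): reproduce OpenSSH host key
# fingerprints from a public key line with coreutils only, so the value printed
# by `ssh-keygen -lf` can be verified independently.
#
# A fingerprint is a hash of the base64-decoded key blob:
#   - MD5 form   (default before OpenSSH 6.8): colon-separated hex, as on this page
#   - SHA256 form (default from OpenSSH 6.8):  "SHA256:" + base64 digest, no "=" padding

# Emit the raw bytes of a hex string (coreutils decode base64 but not hex;
# printf can emit arbitrary bytes via octal escapes).
hex_to_bin() {
    hex=$1
    while [ -n "$hex" ]; do
        byte=$(printf '%.2s' "$hex")
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# The second whitespace-separated field of a key line is the base64 key blob.
key_blob() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# MD5 fingerprint as colon-separated hex, e.g. "a2:b9:c5:..."
fingerprint_md5() {
    key_blob "$1" | base64 -d | md5sum | cut -d ' ' -f 1 | sed 's/../&:/g; s/:$//'
}

# SHA256 fingerprint in OpenSSH notation: "SHA256:<base64 digest without padding>"
fingerprint_sha256() {
    hex=$(key_blob "$1" | base64 -d | sha256sum | cut -d ' ' -f 1)
    printf 'SHA256:%s\n' "$(hex_to_bin "$hex" | base64 | tr -d '=\n')"
}

# Compare a key line against the fingerprint obtained out of band from the
# server's administrator; the notation of the expected value selects the hash.
# Exit status 0 means the key matches.
verify_fingerprint() {
    key_line=$1; expected=$2
    case "$expected" in
        SHA256:*) actual=$(fingerprint_sha256 "$key_line") ;;
        *)        actual=$(fingerprint_md5 "$key_line") ;;
    esac
    [ "$actual" = "$expected" ]
}

# Constructed input: the blob "YWJj" is base64 for "abc" and is NOT a real RSA
# key; it is chosen so the result can be checked against the well-known
# SHA256("abc") and MD5("abc") test vectors.
SAMPLE_KEY_LINE='ssh-rsa YWJj constructed@example'

printf 'MD5 fingerprint:    %s\n' "$(fingerprint_md5 "$SAMPLE_KEY_LINE")"
printf 'SHA256 fingerprint: %s\n' "$(fingerprint_sha256 "$SAMPLE_KEY_LINE")"
```

Run against a real `/etc/ssh/ssh_host_rsa_key.pub` line, `fingerprint_md5` gives the same string as `ssh-keygen -E md5 -lf` and `fingerprint_sha256` the same as a current `ssh-keygen -lf`, which makes the comparison step above something you can script rather than eyeball.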

Command to delete a particular host from known_hosts

Occasionally (especially in the cloud world, where instances are cattle), the host key, and therefore the SSH fingerprint, for a host changes. When this happens, you will see a warning.
If the change is expected, the usual remedy is to delete the offending key from your "known_hosts" file (typically found under ~/.ssh/known_hosts). However, when you need to do this across a bunch of machines and don't know which line number the host sits on in each machine's file, the following command might be useful:

sed -i -e '/\[webserver-03.example.com\]:2222/d' ~/.ssh/known_hosts

It deletes every line matching the host "[webserver-03.example.com]:2222" from the default "known_hosts" file.
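One thing to be aware of with the sed one-liner is that the pattern is unanchored and its dots are unescaped, so it would also delete an entry for `[webserver-03.example.com]:22222`. The added example below (not code from the original post) removes entries by matching the host token exactly, including when the host appears inside a comma-separated name list, and leaves comments and blank lines alone. The `forget_host` and `make_sample_known_hosts` names and the sample known_hosts content with its fake key blobs are this example's own.

```shell
# Added example (not from the original post): delete a host's entries from a
# known_hosts file by exact host token, instead of an unanchored sed regex.
#
# known_hosts lines look like:   [@marker] hostnames key-type base64-key [comment]
# where hostnames is a comma-separated list ("host,10.0.0.3") and the optional
# marker is @cert-authority or @revoked. Prints the number of entries removed.
forget_host() {
    file=$1; host=$2
    before=$(wc -l < "$file")
    tmp=$(mktemp)
    awk -v h="$host" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }          # keep comments and blank lines
        {
            names = ($1 ~ /^@/) ? $2 : $1               # skip a leading @marker
            n = split(names, hosts, ",")
            keep = 1
            for (i = 1; i <= n; i++)
                if (hosts[i] == h) keep = 0             # exact token match only
            if (keep) print
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"                                # rewrite in place, keeping mode/owner
    rm -f "$tmp"
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Constructed sample known_hosts with fake key blobs, written to a temp file
# whose path is printed.
make_sample_known_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real known_hosts file
[webserver-03.example.com]:2222 ssh-rsa AAAAfakekey1 old-host-key
[webserver-03.example.com]:22222 ssh-rsa AAAAfakekey2 different-port
webserver-03.example.com,10.0.0.3 ssh-ed25519 AAAAfakekey3 default-port
other.example.com ssh-rsa AAAAfakekey4
EOF
    printf '%s\n' "$f"
}

# Usage: only the ":2222" entry goes; the ":22222" and default-port entries stay.
sample=$(make_sample_known_hosts)
printf 'removed %s entry(ies)\n' "$(forget_host "$sample" '[webserver-03.example.com]:2222')"
cat "$sample"
rm -f "$sample"
```

If HashKnownHosts is enabled, entries are stored as `|1|salt|hash` and no name-based match (sed or awk) can find them; in that case, or whenever ssh-keygen is available, `ssh-keygen -R '[webserver-03.example.com]:2222'` removes the entry by recomputing the hash and also keeps a `known_hosts.old` backup.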