
The SSH Warning Message

If you’ve ever used ssh to connect to another machine, you have probably seen this message,

The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:aFTZXgxNm335loqR8XSR5IPbfDSsMNXqmWgRFOciRAo.
Are you sure you want to continue connecting (yes/no)?

and, if you are like me, you typed “yes” without really knowing what it means. Just let me get to the server!

What ssh is telling you is that it has no record of this host’s key, so it cannot confirm that the host is who you think it is.

It also shows a fingerprint (here a SHA256 hash) of the host’s public key, which you can use to verify that key. In this case the host key is ECDSA; it could also be RSA, Ed25519 or another key type. Despite the word “key”, a host key is used for authentication, not encryption: the server proves it holds the private half of the key whose fingerprint you are looking at.

If you really want to be sure that you are connecting to the host you intended, take the fingerprint from the prompt and compare it with the fingerprint of that host’s public key. How can you get the host’s public key? You can use some ssh tools!

# Use ssh-keyscan to get the public key information of the host
$ ssh-keyscan -t ecdsa > /tmp/

# Look at the contents of the file
$ cat /tmp/
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAACBBP4Ddnxux3pigxg3IGnuizpnUI0nrUj8qJMU9pg4DMNLX3bs+qV240VuqXeNsP5L5Rq/56Av0304Uwa6VyYWHt8=

# The line holds the host, the key type and the base64-encoded public key

Once you have the host’s public key you can compute its fingerprint and verify that it is the same one that was shown in the original warning message.

# Generate the fingerprint of the public key; -l prints key size, fingerprint and key type
$ ssh-keygen -l -f /tmp/
256 SHA256:aFTZXgxNm335loqR8XSR5IPbfDSsMNXqmWgRFOciRAo (ECDSA)

Now that you have verified that the fingerprints match, you know that the server you are connecting to presented the same public key as the one you fetched with ssh-keyscan. Be careful about what that does and does not prove: if ssh-keyscan ran from the same machine over the same network path as your ssh connection, an attacker who can intercept one can intercept the other and present the same bogus key to both. The fingerprint only means something when it comes from a channel the attacker does not control: the server’s console, your hosting provider’s serial console or metadata output, configuration management, or the administrator who set the host up (running `ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub` on the server itself). Recent OpenSSH versions also let you paste the expected fingerprint at the prompt instead of typing “yes”, and ssh will accept the key only if it matches.
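To make the comparison step concrete, here is how an SSH fingerprint is actually derived from a public key line, written as an added example in Python (this is not code from the original post, and it uses only the standard library). The blob is the SSH wire format that ssh-keyscan prints base64-encoded: a length-prefixed key type string, and for ECDSA a curve name and the uncompressed curve point. The SHA256 fingerprint is simply the base64 of SHA-256 over that blob with the padding stripped, which is why `ssh-keygen -l` on the scanned file reproduces the value the prompt showed. The hostname, address and curve point in the sample are constructed (the point is not a real public key); the procedure is identical for a real key.

```python
import base64
import hashlib
import struct
from typing import Dict, Tuple


def encode_string(data: bytes) -> bytes:
    """SSH wire-format 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one wire-format string, refusing a length that runs past the buffer."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("declared length %d exceeds blob" % length)
    return buf[start:end], end


def parse_pubkey_line(line: str) -> Dict[str, object]:
    """Parse a 'hosts keytype base64' line as printed by ssh-keyscan or stored in known_hosts.

    The key type in the text field must equal the type embedded in the blob, and for
    ECDSA the curve name and point size are checked too, so a mis-copied or tampered
    line raises instead of yielding a plausible-looking fingerprint.
    """
    hosts, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, off = read_string(blob, 0)
    if embedded_type.decode() != keytype:
        raise ValueError("type field %r disagrees with blob %r" % (keytype, embedded_type))
    info: Dict[str, object] = {"hosts": hosts.split(","), "keytype": keytype, "blob": blob}
    if keytype.startswith("ecdsa-sha2-"):
        curve, off = read_string(blob, off)
        point, off = read_string(blob, off)
        bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}.get(curve.decode())
        if bits is None or curve.decode() != keytype[len("ecdsa-sha2-"):]:
            raise ValueError("unknown or mismatched curve %r" % curve)
        # Uncompressed point: 0x04 || X || Y, each coordinate padded to the field size.
        if len(point) != 1 + 2 * ((bits + 7) // 8) or point[0] != 0x04:
            raise ValueError("malformed %s point" % curve.decode())
        if off != len(blob):
            raise ValueError("trailing bytes after public key")
        info["curve"] = curve.decode()
        info["bits"] = bits
    return info


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH's default fingerprint: SHA-256 of the blob, base64, '=' padding dropped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated form (ssh-keygen -l -E md5), still seen in older docs."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_matches(line: str, expected: str) -> bool:
    """Compare a scanned key line against a fingerprint obtained out of band.

    Nothing here is secret (the fingerprint is public), so plain equality is fine.
    """
    blob = parse_pubkey_line(line)["blob"]
    expected = expected.strip()
    actual = md5_fingerprint(blob) if expected.startswith("MD5:") else sha256_fingerprint(blob)
    return actual == expected


def line_is_wellformed(line: str) -> bool:
    """True if the line parses and its text fields agree with the encoded blob."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


# Constructed sample standing in for "ssh-keyscan -t ecdsa <host>" output. The
# hostname, address and curve point are made up (the point is not on the curve);
# a fingerprint only hashes bytes, so the steps are the same for a real key.
SAMPLE_POINT = b"\x04" + bytes(range(1, 65))
SAMPLE_BLOB = (encode_string(b"ecdsa-sha2-nistp256")
               + encode_string(b"nistp256")
               + encode_string(SAMPLE_POINT))
SAMPLE_LINE = ("bastion.example.internal,10.0.0.5 ecdsa-sha2-nistp256 "
               + base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    key = parse_pubkey_line(SAMPLE_LINE)
    # Same layout as "ssh-keygen -l -f": key size, fingerprint, key type.
    print(key["bits"], sha256_fingerprint(key["blob"]), "(ECDSA)")
    print(fingerprint_matches(SAMPLE_LINE, sha256_fingerprint(key["blob"])))
```

The structural checks matter more than they look: a single mistyped base64 character in a copied key line changes the declared lengths inside the blob, and `ssh-keygen -l` will happily print a fingerprint for garbage, whereas this parser rejects it. Pass the fingerprint you were given out of band as `expected`; the MD5 form is accepted only so that older documentation can still be checked against.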

After you type “yes”, you see the following message.

Warning: Permanently added ',' (ECDSA) to the list of known hosts.

Next time you ssh into that host you will not see the prompt. This is because ssh has recorded the host’s key in its “known hosts” file, a plain text file usually located at ~/.ssh/known_hosts (a system-wide /etc/ssh/ssh_known_hosts is consulted as well).

$ cat ~/.ssh/known_hosts | grep
, ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAACBBP4Ddnxux3pigxg3IGnuizpnUI0nrUj8qJMU9pg4DMNLX3bs+qV240VuqXeNsP5L5Rq/56Av0304Uwa6VyYWHt8=

The line for this host holds the hostname and IP address (comma separated), the key type, and the public key. Now that it is a known host, ssh won’t ask you to verify its fingerprint; instead it checks that the key the server presents matches the stored one. The fingerprint changes only if the host’s public key changes, and if that happens the stored entry no longer matches. You then get a much louder warning (“WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!”) and, with the default settings, ssh refuses to connect rather than prompting again. A key change is sometimes benign (the server was reinstalled), but it is also exactly what a man-in-the-middle attack looks like, so confirm the new fingerprint out of band before removing the stale entry with `ssh-keygen -R <hostname>`.
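The three outcomes described above (unknown host, known host, changed key) all fall out of how ssh looks a host up in known_hosts. The following is an added example, not code from the original post, that reproduces that lookup in Python with the standard library only. It also handles the hashed host fields (`|1|salt|hash`) that OpenSSH writes when `HashKnownHosts yes` is set, which is the one variation of the file format that surprises people who try to grep it the way the post does. Hostnames, addresses, salt and key blobs in the sample are constructed; wildcard patterns, negation and the `[host]:port` form are left out.

```python
import base64
import hashlib
import hmac
from typing import List


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Produce the '|1|salt|hash' host field OpenSSH writes when HashKnownHosts is set.

    The hash is HMAC-SHA1 over the hostname keyed with a 20-byte random salt, so a
    stolen known_hosts file no longer lists the machines you connect to in clear text.
    """
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(hostfield: str, hostname: str) -> bool:
    """Does one known_hosts host field (plain name, comma list or hashed) cover hostname?

    Wildcards, negation and the '[host]:port' form are not handled here.
    """
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in hostfield.split(",")


def lookup(known_hosts: str, hostname: str, keytype: str) -> List[str]:
    """Return the base64 key blobs stored for hostname with the given key type."""
    found = []
    for raw in known_hosts.splitlines():
        line = raw.strip()
        # Skip blanks, comments and @cert-authority/@revoked marker lines (out of scope).
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hostfield, ktype, b64 = fields[:3]
        if ktype == keytype and host_matches(hostfield, hostname):
            found.append(b64)
    return found


def classify(known_hosts: str, hostname: str, keytype: str, offered_b64: str) -> str:
    """Mirror ssh's three outcomes when a server offers a host key:

    'new'     -> no key of this type is stored; ssh shows the authenticity prompt
    'known'   -> a stored key matches; ssh connects without asking
    'changed' -> a different key is stored; ssh warns that the remote host
                 identification has changed and refuses to connect
    """
    stored = lookup(known_hosts, hostname, keytype)
    if not stored:
        return "new"
    if offered_b64 in stored:
        return "known"
    return "changed"


# Constructed sample: hostnames, addresses, salt and key blobs are all made up
# (the blobs are base64 text standing in for real public keys).
SALT = bytes(range(20))
KEY_A = base64.b64encode(b"constructed key A").decode()
KEY_B = base64.b64encode(b"constructed key B").decode()
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    "bastion.example.internal,10.0.0.5 ecdsa-sha2-nistp256 " + KEY_A,
    hash_hostname("git.example.internal", SALT) + " ecdsa-sha2-nistp256 " + KEY_B,
])

if __name__ == "__main__":
    for host, key in [("bastion.example.internal", KEY_A),
                      ("10.0.0.5", KEY_A),
                      ("bastion.example.internal", KEY_B),
                      ("git.example.internal", KEY_B),
                      ("other.example.internal", KEY_A)]:
        print(host, classify(KNOWN_HOSTS, host, "ecdsa-sha2-nistp256", key))
```

Two things to notice: a hashed entry covers exactly one name, so OpenSSH writes separate hashed lines for the hostname and the IP address rather than a comma list, and the `changed` outcome is keyed on the key type, which is why a server that adds a new key type is treated as unknown for that type rather than as a changed host.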

Published in Today I Learned