If you’ve ever used
ssh to connect to another machine you have probably seen this message,
The authenticity of host 'example.com (220.127.116.11)' can't be established. ECDSA key fingerprint is SHA256:aFTZXgxNm335loqR8XSR5IPbfDSsMNXqmWgRFOciRAo. Are you sure you want to continue connecting (yes/no)?
and, if you are like me, you typed “yes” without really knowing what it means. Just let me get to the server!
ssh is telling you is that the host
example.com, may not be who you think it is.
It also provides an ECDSA key fingerprint that you can be used to verify the host’s public encryption key (this could also be RSA or another encryption algorithm).
If you really want to be sure that you are connecting to
example.com you should take the fingerprint and compare it to the fingerprint of
example.com‘s public key. How can you get their public key? You can use some ssh tools!
# Use ssh-keyscan to get the public key information of example.com $ ssh-keyscan -t ecdsa example.com > /tmp/example.pub # Look at the contents of the file $ cat /tmp/example.pub 18.104.22.168 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAACBBP4Ddnxux3pigxg3IGnuizpnUI0nrUj8qJMU9pg4DMNLX3bs+qV240VuqXeNsP5L5Rq/56Av0304Uwa6VyYWHt8= # The host, encryption method and public key are there
Once you have the host’s public key you can get the fingerprint and verify that it’s the same one that was shown in the original warning message.
# Generate the fingerprint of a public key $ ssh-keygen -l -f /tmp/example.pub 256 SHA256:aFTZXgxNm335loqR8XSR5IPbfDSsMNXqmWgRFOciRAo example.com (ECDSA)
Now that you have verified that the fingerprints are identical, you can feel more confident that the server you are connecting with has the same public key as the server you intended to connect with.
After you type “yes”, you see the following message.
Warning: Permanently added 'example.com,22.214.171.124' (ECDSA) to the list of known hosts.
If you notice, next time you
example.com you will not be prompted with that warning message. This is because
ssh adds the host to its “known hosts”, which is a simple file usually located at
$ cat ~/.ssh/known_hosts | grep example.com example.com,126.96.36.199 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAACBBP4Ddnxux3pigxg3IGnuizpnUI0nrUj8qJMU9pg4DMNLX3bs+qV240VuqXeNsP5L5Rq/56Av0304Uwa6VyYWHt8=
There is a line in this file for
example.com, with the hostname, ip address, encryption info, and public key. Now that it is a “known_host”,
ssh won’t ask you if you want to verify it’s fingerprint. The fingerprint will only change if the host’s public key changes, and if the public key changes, then the data in the known_hosts file will no longer be correct, resulting in another warning message.