Understanding Fingerprints

Discussion in 'Mac Basics and Help' started by Texas_Toast, Feb 24, 2016.

  1. Texas_Toast macrumors 6502
    Joined: Feb 6, 2016
    Location: Texas
    #1
    Been having a debate with some friends over how SSH fingerprints work, and am hoping someone can help me figure out the truth.

    First of all, how is a fingerprint created? One thing I read said it is a representation of the public key on the server, but I thought it was derived from the server's environment too.

    Secondly, I was told that the first time you use SSH, the fingerprint is still on the server, so you will always get an error stating that the server's IP is unknown. Then after you blindly say "yes", the fingerprint is transferred over SSH to your local computer and stored in a "known_hosts" file which is created at the time.

    I have some more questions, but guess I need to understand how the above two things work first.

    Thanks,


    Larry
     
  2. Texas_Toast thread starter macrumors 6502
    #2
    My OP may seem out of place, but one reason I posted here is because I have reason to believe OS-X Terminal has cached an old fingerprint which is not matching my server. I figured I should try to better understand how SSH and fingerprints work before blaming Terminal.
     
  3. mfram macrumors 65816
    Joined: Jan 23, 2010
    Location: San Diego, CA USA
    #3
    Yes, you have the right idea. The file in question is ~/.ssh/known_hosts. There is one host per line in the file. The first field is a comma-separated list of hosts associated with the key, the second field is the key type, the third field is the server's public key fingerprint. The first time you connect to a server, SSH remembers the key. The idea is after that if the key changes then something has gone 'wrong'. It could be that someone else is trying to trick you by getting you to connect to another server masquerading as the one you thought you were connecting to. Another possibility is that the admin of the original server did something to change the server's key. The 'ssh' utility can't tell the difference, so it will complain. You have to decide what to do about it. Either remove the host's previous key in your known_hosts file and use the new one, or talk to the server's admin to figure out why the key changed.
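Added example (editor's code, not from any poster in this thread): a small Python script that parses known_hosts lines and reproduces what ssh does with them. Two details the thread glosses over and that matter when diagnosing a "host key has changed" warning: the third field of a known_hosts line is the base64-encoded public key itself, not a fingerprint, and the fingerprint ssh prints is the SHA256 hash of that decoded key blob (or MD5 with `ssh-keygen -E md5`), base64-encoded without padding. When `HashKnownHosts` is on, the first field is stored as `|1|salt|hmac` (HMAC-SHA1 of the hostname keyed with the salt), which is why you cannot grep for a hostname in such a file. The hostname, IP, salt and 32-byte ed25519 key below are constructed sample values, not real ones.

```python
"""Parse OpenSSH known_hosts entries, derive fingerprints, and mimic ssh's key check.

Editor's added example. All host names, addresses, salts and keys are constructed.
"""
import base64
import hashlib
import hmac
import struct
from typing import NamedTuple

# --- Constructed sample data (hypothetical, not from the thread) -----------
SAMPLE_ED25519_PUBKEY = bytes(range(32))   # fake 32-byte ed25519 public key
SAMPLE_HOST = "example.invalid"            # hypothetical server name
SAMPLE_SALT = b"\x01" * 20                 # hypothetical 20-byte salt for a hashed entry


class KnownHost(NamedTuple):
    hosts: str        # comma-separated host patterns, or |1|salt|hmac when hashed
    key_type: str     # e.g. ssh-ed25519, ssh-rsa
    key_blob: bytes   # decoded public key, exactly as sent by the server


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public key blob as it appears (base64) in known_hosts and authorized_keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def sha256_fingerprint(key_blob: bytes) -> str:
    """Format ssh prints by default: SHA256 over the blob, base64 with '=' padding stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(key_blob: bytes) -> str:
    """Legacy format (ssh-keygen -E md5): colon-separated hex of MD5 over the blob."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build the |1|salt|hmac first field written when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(entry_hosts: str, hostname: str) -> bool:
    """Match a hostname against the first field; handles hashed and plain comma lists.

    Plain entries are matched exactly here; real ssh also honours wildcards and [host]:port.
    """
    if entry_hosts.startswith("|1|"):
        _, _, salt_b64, hash_b64 = entry_hosts.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return hostname in entry_hosts.split(",")


def parse_known_hosts(text: str) -> list[KnownHost]:
    """Parse known_hosts text, skipping comments and the optional @cert-authority/@revoked marker."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        hosts, key_type, b64 = fields[:3]
        entries.append(KnownHost(hosts, key_type, base64.b64decode(b64)))
    return entries


def check_server_key(known: list[KnownHost], hostname: str, key_type: str, server_blob: bytes) -> str:
    """Mimic ssh's decision: 'new' (no entry yet), 'ok' (stored key matches), 'CHANGED' (mismatch)."""
    for entry in known:
        if entry.key_type == key_type and host_matches(entry.hosts, hostname):
            return "ok" if hmac.compare_digest(entry.key_blob, server_blob) else "CHANGED"
    return "new"


def sample_known_hosts() -> str:
    """Two constructed entries for the same key: one plaintext host list, one hashed."""
    b64 = base64.b64encode(ed25519_blob(SAMPLE_ED25519_PUBKEY)).decode()
    return "\n".join([
        "# constructed sample, not a real known_hosts",
        f"{SAMPLE_HOST},192.0.2.10 ssh-ed25519 {b64}",
        f"{hashed_host_field(SAMPLE_HOST, SAMPLE_SALT)} ssh-ed25519 {b64}",
    ])


if __name__ == "__main__":
    known = parse_known_hosts(sample_known_hosts())
    blob = ed25519_blob(SAMPLE_ED25519_PUBKEY)
    print("fingerprint:", sha256_fingerprint(blob))
    print("same key    :", check_server_key(known, SAMPLE_HOST, "ssh-ed25519", blob))
    print("rotated key :", check_server_key(known, SAMPLE_HOST, "ssh-ed25519", ed25519_blob(bytes(32))))
    print("unknown host:", check_server_key(known, "other.invalid", "ssh-ed25519", blob))
```

The practical check when you get the warning: on the server, `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` (or the matching `ssh_host_*_key.pub` file) prints the SHA256 fingerprint of the key the server actually offers; compare it over a channel you trust (console, existing session) with what ssh shows on the client. Only if they match is `ssh-keygen -R hostname` (which removes the stale known_hosts entry) the right fix; if they differ, something between you and the server is presenting its own key.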
     
  4. Texas_Toast thread starter macrumors 6502
    #4
    Is it correct that the fingerprint is created on the server?

    And is it correct that it is based on just the public key?
     
  5. mfram macrumors 65816
    #5
    Yes, the fingerprint is based on the public key. The public/private key pair is generated on the server.
     
