version 1.273, 2008/02/11 07:58:28 | version 1.274, 2008/06/13 20:13:26

.Pp | .Pp
.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
.Pp | .Pp
If the fingerprint is already known, | If the fingerprint is already known, it can be matched
it can be matched and verified, |
and the key can be accepted or rejected. | and the key can be accepted.
 | Because of the difficulty of comparing host keys
 | just by looking at hex strings,
 | there is also support to compare host keys visually,
 | using
 | .Em random art .
 | By setting the
 | .Cm CheckHostIP
 | option to
 | .Dq fingerprint ,
 | a small ASCII graphic gets displayed on every login to a server, no matter
 | if the session itself is interactive or not.
 | By learning the pattern a known server produces, a user can easily
 | find out that the host key has changed when a completely different pattern
 | is displayed.
 | Because these patterns are not unambiguous however, a pattern that looks
 | similar to the pattern remembered only gives a good probability that the
 | host key is the same, not guaranteed proof.
 | .Pp
 | To get a listing of the fingerprints along with their random art for
 | all known hosts, the following command line can be used:
 | .Pp
 | .Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
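Added example, not part of this manual page or of OpenSSH's own sources: a Python re-implementation of the random-art walk (the "drunken bishop" of OpenSSH's key.c) that turns a raw fingerprint digest into the picture ssh-keygen -lv prints, so the visual comparison described above can be studied on a constructed digest. Field size, symbol string and bit-to-move mapping follow OpenSSH; the title layout is approximated and the key blob is made up.

```python
# Random-art ("drunken bishop") walk as used by OpenSSH for visual
# host-key comparison, re-implemented here as an illustration.
import hashlib

SYMBOLS = " .o+=*BOX@%&#/^SE"   # visit counts 0..14, then S (start), E (end)
WIDTH, HEIGHT = 17, 9           # field size used by OpenSSH


def randomart_rows(digest: bytes) -> list:
    """Return the 9 picture rows (17 chars each) for a raw fingerprint digest."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2          # the bishop starts in the centre
    start = (x, y)
    for byte in digest:
        for _ in range(4):                  # 4 moves per byte, 2 bits each, LSB first
            x += 1 if byte & 0x1 else -1    # bit 0 selects east / west
            y += 1 if byte & 0x2 else -1    # bit 1 selects south / north
            x = min(max(x, 0), WIDTH - 1)   # the walls clamp the walk
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < len(SYMBOLS) - 3:   # visit counter saturates at '^'
                field[y][x] += 1
            byte >>= 2
    field[start[1]][start[0]] = len(SYMBOLS) - 2  # mark start with 'S'
    field[y][x] = len(SYMBOLS) - 1                # mark end with 'E' (wins over 'S')
    return ["".join(SYMBOLS[c] for c in row) for row in field]


def randomart(digest: bytes, title: str) -> str:
    """Frame the rows like ssh-keygen -lv (title placement approximated)."""
    header = ("+--[" + title + "]" + "-" * WIDTH)[:WIDTH + 1] + "+"
    rows = ["|" + r + "|" for r in randomart_rows(digest)]
    return "\n".join([header] + rows + ["+" + "-" * WIDTH + "+"])


if __name__ == "__main__":
    # Constructed stand-in for a host public key blob; OpenSSH of this era
    # used the MD5 digest of the blob as the fingerprint.
    blob = b"constructed-host-key-blob"
    print(randomart(hashlib.md5(blob).digest(), " RSA 2048"))
```

Identical digests always give identical pictures, so a changed host key shows up as a different pattern; the converse does not hold, which is the caveat the text above gives.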
.Pp | .Pp
If the fingerprint is unknown, | If the fingerprint is unknown,
an alternative method of verification is available: | an alternative method of verification is available:
SSH fingerprints verified by DNS. | SSH fingerprints verified by DNS.

.%R RFC 4716 | .%R RFC 4716
.%T "The Secure Shell (SSH) Public Key File Format" | .%T "The Secure Shell (SSH) Public Key File Format"
.%D 2006 | .%D 2006
 | .Re
 | .Rs
 | .%T "Hash Visualization: a New Technique to improve Real-World Security"
 | .%A A. Perrig
 | .%A D. Song
 | .%D 1999
 | .%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
.Re | .Re
.Sh AUTHORS | .Sh AUTHORS
OpenSSH is a derivative of the original and free | OpenSSH is a derivative of the original and free