src/usr.bin/ssh/ssh.1 - diff

Return to ssh.1 CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh.1 between version 1.273 and 1.274

-version 1.273, 2008/02/11 07:58:28
+version 1.274, 2008/06/13 20:13:26
 Line 1027
 Line 1027
 Line 1027
  .Pp
  .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
  .Pp
- If the fingerprint is already known,
+ If the fingerprint is already known, it can be matched
- it can be matched and verified,
+ and the key can be accepted or rejected.
- and the key can be accepted.
+ Because of the difficulty of comparing host keys
+ just by looking at hex strings,
+ there is also support to compare host keys visually,
+ using
+ .Em random art .
+ By setting the
+ .Cm CheckHostIP
+ option to
+ .Dq fingerprint ,
+ a small ASCII graphic gets displayed on every login to a server, no matter
+ if the session itself is interactive or not.
+ By learning the pattern a known server produces, a user can easily
+ find out that the host key has changed when a completely different pattern
+ is displayed.
+ Because these patterns are not unambiguous however, a pattern that looks
+ similar to the pattern remembered only gives a good probability that the
+ host key is the same, not guaranteed proof.
+ .Pp
+ To get a listing of the fingerprints along with their random art for
+ all known hosts, the following command line can be used:
+ .Pp
+ .Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
+ .Pp
  If the fingerprint is unknown,
  an alternative method of verification is available:
  SSH fingerprints verified by DNS.
-Line 1432
+Line 1454
 Line 1432
 Line 1454
  .%R RFC 4716
  .%T "The Secure Shell (SSH) Public Key File Format"
  .%D 2006
+ .Re
+ .Rs
+ .%T "Hash Visualization: a New Technique to improve Real-World Security"
+ .%A A. Perrig
+ .%A D. Song
+ .%D 1999
+ .%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
  .Re
  .Sh AUTHORS
  OpenSSH is a derivative of the original and free