How to Determine the Public Key Fingerprint of an SSH Server

Introduction

When a public key is received over an untrusted channel, such as the Internet, the recipient often wishes to authenticate the public key. Fingerprints can help accomplish this, since their small size allows them to be passed over trusted channels where public keys won't easily fit. For more details, please refer to the Wikipedia article listed under References.

What is a Public Key Fingerprint?

  • A shorter form of the public key
  • A hash algorithm is applied to the public key to produce the fingerprint
  • Some of the hash algorithms used are MD5 and SHA-1
  • It is represented as hexadecimal values separated by colons

Why is a Public Key Fingerprint required?

  • During connection negotiation between the SSH client and server, the server sends its public key to the client to establish the tunnel
  • There could be a DNS attack in which the client is connected to a different server instead of the actual server
  • This can be avoided by verifying/validating the server's public key that is received during connection negotiation
  • For the verification, the server's public key must be available to the client before the connection is established
  • So the server's public key should be exchanged with the client offline, in the form of a fingerprint
  • During connection negotiation, when the server's public key is received, its fingerprint is calculated and validated against the corresponding actual fingerprint

Calculating the Public Key Fingerprint

  • Log in to the SSH server
# ssh username@hostname
  • Execute the command below to get the server fingerprint
# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
1024 56:45:40:67:e3:a1:72:4f:43:59:f7:23:3f:1c:d8:5f /etc/ssh/ssh_host_rsa_key.pub
  • The output contains the following fields:
      1. Key length
      2. Server's public key fingerprint
      3. Key file
  • The middle string is the server's public key fingerprint. In this example it is 56:45:40:67:e3:a1:72:4f:43:59:f7:23:3f:1c:d8:5f
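The following Python code is an added example, not part of the original page. It goes beyond the ssh-keygen command above to show how the colon-separated MD5 fingerprint is derived from a public key line and validated against the value exchanged offline, and it also produces the SHA256 form. The key line, the function names and the sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key line (toy values, not a usable key), in the same
# "type base64-blob comment" layout as /etc/ssh/ssh_host_rsa_key.pub.
_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xc3" * 128)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " root@example-host"


def decode_key_blob(pubkey_line: str) -> bytes:
    """Return the raw key blob from a public key line, checking its type field."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in blob does not match the line prefix")
    return blob


def md5_fingerprint(pubkey_line: str) -> str:
    """Colon-separated hexadecimal MD5 fingerprint, the format shown on this page."""
    digest = hashlib.md5(decode_key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the unpadded base64 form newer OpenSSH releases print."""
    digest = hashlib.sha256(decode_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_trusted(pubkey_line: str, trusted_fingerprint: str) -> bool:
    """Compare the received key's MD5 fingerprint with the one exchanged offline."""
    computed = md5_fingerprint(pubkey_line)
    return hmac.compare_digest(computed, trusted_fingerprint.strip().lower())


if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_PUBKEY_LINE))
    print(sha256_fingerprint(SAMPLE_PUBKEY_LINE))
```

Current OpenSSH releases print the SHA256 form by default; `ssh-keygen -E md5 -lf <keyfile>` prints the colon-separated MD5 form, prefixed with `MD5:`.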

References

http://en.wikipedia.org/wiki/Public_key_fingerprint
