Ubuntu – Where is the SSH Server Fingerprint generated/stored


I installed openssh-server and created a key with ssh-keygen. I then attempted to test it using local port forwarding by doing ssh -L 8080:www.nytimes.com:80 However, the key fingerprint that this command provides is not the key fingerprint I get when I do ssh-keygen -l. Even if I delete my .ssh directory, I still get the same fingerprint, which is not the one I created with ssh-keygen. Is there another key on my system? Where is this key? How can I select this key for use by openssh-server?

Best Answer

  • When you make a SSH session, two different key pairs (with a fingerprint for each pair) are involved. One is the user's key which is stored in ~/.ssh. The user's SSH key identity is sometimes used as credentials to login to another computer (if you have set up key based login).

    The other is the SSH server's key. This is the key you see the fingerprint for when you connect to a different server for the first time. This key's identity is used to make sure you are logging in to the SSH server you intend to. This is important if you are using passwords because you wouldn't want to accidentally try to login to an attackers machine: the attacker would get your password when you typed it in. Then the attacker could login to the machine you thought you were logging in to! (this is known as a "man in the middle attack") The keys a SSH server uses to identify itself when you login to it are located in /etc/ssh/ and usually named something like ssh_host_rsa_key.

    You can actually change where the SSH server looks for the key in the /etc/ssh/sshd_config file with the HostKey /path/to/host/key setting.

    By default, ssh-keygen will create a key for the current user, which, by default, will be stored in ~/.ssh. The format of a user key and a server key is the same; the difference is where they are placed and whether /etc/ssh/sshd_config has a HostKey directive pointing to them. When you install the openssh-server package, it automatically generates keys for the server to use. That is where the keys with the unknown fingerprint came from. If you want to see the fingerprint of the SSH server's (RSA*) key, you could run ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub.

    *There are different encryption algorithms. Each one uses a different key. Common ones are DSA (weak), RSA (old default), and ECDSA (new default).

  • Related Question