How to verify SHA256 ssh fingerprint

When you see something like this when you try to log in to your server, you probably want to be sure there is no man-in-the-middle attack.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:7KMZvJiI5AeC5As2GSZES5baxTZ+HbOyqjNPVy1NIe4.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:20
  remove with:
  ssh-keygen -f "/home/user/.ssh/known_hosts" -R [example.org]:2548
RSA host key for [example.org]:2548 has changed and you have requested strict checking.
Host key verification failed.
The authenticity of host 'example.org (192.0.0.42)' can't be established.
RSA key fingerprint is SHA256:7KMZvJiI5AeC5As2GSZES5baxTZ+HbOyqjNPVy1NIe4.
Are you sure you want to continue connecting (yes/no)?

Here is how you can get the SHA256 fingerprint of the key on your server:

$ awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64
7KMZvJiI5AeC5As2GSZES5baxTZ+HbOyqjNPVy1NIe4=
$

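In this example the string "7KMZvJiI5AeC5As2GSZES5baxTZ+HbOyqjNPVy1NIe4" is the same as the fingerprint in the ssh message. The trailing "=" in the command output is base64 padding, which ssh leaves out.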
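
The check above wrapped into two shell functions, as an added example that is not part of the original post: one prints the fingerprint in the exact form ssh displays, the other compares a fingerprint copied from the ssh message against every host key file on the server. The function names are hypothetical, the `xxd -r -p` step is swapped for a `printf` loop so it also runs where xxd is not installed, and the key line at the bottom is a constructed test vector, not a real host key.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Read one public key line ("<type> <base64 blob> [comment]") on stdin and
# print its fingerprint the way ssh shows it: "SHA256:" + unpadded base64.
ssh_fp_sha256() {
    blob=$(awk '{print $2; exit}')
    [ -n "$blob" ] || return 2
    printf '%s\n' "$blob" | base64 -d >/dev/null 2>&1 || return 2
    hex=$(printf '%s\n' "$blob" | base64 -d | sha256sum | awk '{print $1}')
    printf 'SHA256:'
    # Hex digest -> raw bytes -> base64 (replaces "xxd -r -p" from the post).
    while [ -n "$hex" ]; do
        rest=${hex#??}
        printf "\\$(printf '%03o' "0x${hex%"$rest"}")"
        hex=$rest
    done | base64 | tr -d '=\n'
    echo
}

# $1: fingerprint copied from the ssh message; the "SHA256:" prefix, the
#     sentence-ending "." and "=" padding are all tolerated.
# $2...: public key files to check, e.g. /etc/ssh/ssh_host_*_key.pub
verify_host_fp() {
    want=${1#SHA256:}; want=${want%.}; want=${want%=}
    shift
    for f in "$@"; do
        got=$(ssh_fp_sha256 < "$f") || continue
        if [ "$got" = "SHA256:$want" ]; then
            echo "match: $f"
            return 0
        fi
    done
    echo "no host key matches; do not accept the offered key" >&2
    return 1
}

# Constructed test vector, not a real host key: "YWJj" is base64 for "abc".
printf 'ssh-rsa YWJj constructed\n' | ssh_fp_sha256
# -> SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0
```

Run `verify_host_fp` on the server itself, reached over a channel you already trust (for example the provider's console), passing the fingerprint from the ssh message and `/etc/ssh/ssh_host_*_key.pub`. `ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_rsa_key.pub` prints the same fingerprint where ssh-keygen is available.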
