OpenSSH on Ubuntu 16.04 shows ECDSA keys in an unusual format
I'm trying to SSH to my server, and the client is asking about the authenticity of the host.
ECDSA key fingerprint is SHA256:bla bla bla
With every version of OpenSSH I've used, ECDSA (or RSA) keys were shown something like
a7:3h:75:5d:si:9v:3g...
On Ubuntu 16.04 they're being shown like
c2ymd4uGIG3y34R78BcrykBVT...
I have another way to access the server, and I'm trying to verify the fingerprint by running `ssh-keygen -lf ssh_host_ecdsa_key.pub`. But this outputs something like `2048 a7:3h:75:5d:si:9v:3g...`. Even ignoring the colons, they don't match. I can't be 100% positive this isn't because of a MITM attack, but it's highly unlikely.
How can I verify the key signatures? All the solutions I've found seem to deal with a different version of `ssh-keygen`, though I can't figure out what version I have, or what others have.
ssh openssh
edited Jun 28 '16 at 12:49 by Jakuje
asked Jun 28 '16 at 6:52 by Nateowami
2 Answers
You can use `ssh -o FingerprintHash=md5 user@host` to use old-school MD5 hashes, or store this in your `~/.ssh/config`:
FingerprintHash md5
Your server is probably using an old OpenSSH version which does not support the new SHA256 hashes.
edited Aug 30 '16 at 7:51
answered Jun 28 '16 at 12:04 by Jakuje
Server is 14.04. From what I had read any server using MD5 for SSH key fingerprints must be quite old and not updated, so I thought that must not be it (I think I haven't been doing `dist-upgrade`). In the command `ssh -O FingerprintHash=md5 host`, by `host` do you mean `user@host`? Otherwise I'm missing something. And I just added `FingerprintHash md5` to the config file, restarted SSH, and it worked fine.
– Nateowami, Jun 28 '16 at 12:28
If you connect to the host with `ssh user@host`, then yes.
– Jakuje, Jun 28 '16 at 12:33
For `ssh-copy-id` it's `-o` (lowercase). Perhaps OpenSSH uses the lowercase for this option, in its family of programs? I don't know of every OpenSSH command, but I'm guessing they're consistent.
– Nateowami, Aug 30 '16 at 7:50
Yes, it is lowercase for both `ssh` and `ssh-copy-id`. Sorry, it was a typo.
– Jakuje, Aug 30 '16 at 7:52
I suspected, but didn't want to jump to conclusions. :)
– Nateowami, Aug 30 '16 at 7:55
While the accepted answer solves the problem of forcing newer clients to show MD5 hashes, it doesn't specifically solve the problem of forcing a server to show its fingerprint with a specific hash function when calculating fingerprints on the server. To clarify that a bit, when checking fingerprints, you need to match the one shown on the client to the true value on the server. @Jakuje's answer deals with getting the client to use a different hash function; this answer deals with getting the server to show you the hash using a different hash function. It doesn't matter whether you change the server or the client's hash function, just so they're the same.
To find a host's fingerprint, on that host execute:
# Works with the version of OpenSSH on 16.04 but not 14.04
# (on 14.04 I have OpenSSH_6.6.1p1; on 16.04 it's OpenSSH_7.2p2)
# Check your version with `ssh -V`
cd /etc/ssh
ssh-keygen -l -E md5 -f ssh_host_ecdsa_key.pub
Of course, you can change `md5` to any supported hash function, and you may need to change `ssh_host_ecdsa_key.pub` depending on the key type you're using (e.g. `ssh_host_rsa_key.pub`).
edited Dec 20 '18 at 2:24
answered Sep 26 '16 at 10:48 by Nateowami
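As an added illustration (not part of either answer), the Python sketch below computes both fingerprint styles from a public key line, which helps when the `ssh-keygen` on the server has no `-E` option. The old style is the MD5 of the decoded key blob in colon-separated hex and the new style is its SHA-256 in unpadded base64, so the two can never be matched by dropping colons. The helper names and the sample key (framed like an ECDSA key but filled with placeholder bytes) are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct


def read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end


def key_blob(pub_line):
    """Decode the base64 blob of a '<type> <base64> [comment]' public key line."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    embedded_type, _ = read_string(blob, 0)
    if embedded_type != fields[0].encode():
        raise ValueError("declared key type does not match the blob")
    return blob


def fingerprint(blob, algo):
    """Format a fingerprint the way the two OpenSSH generations print it."""
    if algo == "md5":
        # Old style: MD5 digest as colon-separated hex pairs
        digest = hashlib.md5(blob).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    if algo == "sha256":
        # New style: SHA-256 digest as base64 with the '=' padding removed
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("unsupported hash: " + algo)


def matches(pub_line, shown):
    """Compare the fingerprint a client displayed against a trusted key line."""
    shown = shown.strip()
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]  # newer ssh-keygen prefixes MD5 output with "MD5:"
    algo = "sha256" if shown.startswith("SHA256:") else "md5"
    if algo == "md5":
        shown = shown.lower()
    expected = fingerprint(key_blob(pub_line), algo)
    return hmac.compare_digest(expected.encode(), shown.encode())


def ssh_string(data):  # helper used only to build the constructed sample
    return struct.pack(">I", len(data)) + data


# Constructed sample: a correctly framed ECDSA blob with placeholder point bytes
SAMPLE_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
               + ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_LINE = ("ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode()
               + " root@constructed-example")
```

Pass `matches()` the key line read from the server over the trusted channel and the fingerprint string the client printed; it accepts either style.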