OpenSSH on Ubuntu 16.04 shows ECDSA keys in an unusual format












2














I'm trying to SSH to my server, and the client is asking about the authenticity of the host.



ECDSA key fingerprint is SHA256:bla bla bla


With every version of OpenSSH I've used, ECDSA (or RSA) keys were shown something like



a7:3h:75:5d:si:9v:3g...


On Ubuntu 16.04 they're being shown like



c2ymd4uGIG3y34R78BcrykBVT...


I have another way to access the server, and I'm trying to verify the fingerprint by running ssh-keygen -lf ssh_host_ecdsa_key.pub. But this outputs something like 2048 a7:3h:75:5d:si:9v:3g.... Even ignoring the colons, they don't match. I can't be 100% positive this isn't because of a MITM attack, but it's highly unlikely.



How can I verify the key signatures? All the solutions I've found seem to deal with a different version of ssh-keygen, though I can't figure out what version I have, or what others have.










      ssh openssh














      edited Jun 28 '16 at 12:49









      Jakuje











      asked Jun 28 '16 at 6:52









      Nateowami






















          2 Answers
            3






            You can use ssh -o FingerprintHash=md5 user@host to use old-school MD5 hashes, or store this in your ~/.ssh/config:



            FingerprintHash md5


            Your server is probably using an old openssh version which does not support the new sha256 hashes.






            edited Aug 30 '16 at 7:51

























            answered Jun 28 '16 at 12:04









            Jakuje












            • Server is 14.04. From what I had read any server using MD5 for SSH key fingerprints must be quite old and not updated, so I thought that must not be it (I think I haven't been doing dist-upgrade). In the command ssh -O FingerprintHash=md5 host, by host do you mean user@host? Otherwise I'm missing something. And I just added FingerprintHash md5 to the config file, restarted SSH, and it worked fine.
              – Nateowami
              Jun 28 '16 at 12:28










            • If you connect to the host with ssh user@host, then yes.
              – Jakuje
              Jun 28 '16 at 12:33










            • For ssh-copy-id it's -o (lowercase). Perhaps OpenSSH uses the lowercase for this option, in its family of programs? I don't know of every OpenSSH command, but I'm guessing they're consistent.
              – Nateowami
              Aug 30 '16 at 7:50










            • Yes, it is lowercase for both ssh and ssh-copy-id. Sorry, it was a typo.
              – Jakuje
              Aug 30 '16 at 7:52










            • I suspected, but didn't want to jump to conclusions. :)
              – Nateowami
              Aug 30 '16 at 7:55































            1














            While the accepted answer solves the problem of forcing newer clients to show MD5 hashes, it doesn't specifically solve the problem of forcing a server to show its fingerprint with a specific hash function when calculating fingerprints on the server. To clarify that a bit, when checking fingerprints, you need to match the one shown on the client to the true value on the server. @Jakuje's answer deals with getting the client to use a different hash function; this answer deals with getting the server to show you the hash using a different hash function. It doesn't matter whether you change the server or the client's hash function, just so they're the same.



            To find a host's fingerprint, on that host execute:



            # Works with the version of OpenSSH on 16.04 but not 14.04
            # (on 14.04 I have OpenSSH_6.6.1p1; on 16.04 it's OpenSSH_7.2p2)
            # Check your version with `ssh -V`
            cd /etc/ssh
            ssh-keygen -l -E md5 -f ssh_host_ecdsa_key.pub


            Of course, you can change md5 to any supported hash function, and you may need to change ssh_host_ecdsa_key.pub depending on the key type you're using (e.g. ssh_host_rsa_key.pub).






                edited Dec 20 '18 at 2:24

























                answered Sep 26 '16 at 10:48









                Nateowami
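
Added example (not from either answer or from OpenSSH itself): a Python sketch of how the two display formats discussed on this page are derived from the same public-key blob, and why an MD5 value cannot match a SHA256 one even with the colons removed. The key is built from constructed filler bytes, and all function names are this example's own.

```python
import base64
import hashlib
import string
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey_line(seed=0):
    """Build an ssh_host_ecdsa_key.pub-style line from constructed bytes.

    The 'point' is filler, not a real curve point. A fingerprint is only a
    hash of the blob, so that is enough to show the formats.
    """
    point = b"\x04" + bytes((i + seed) % 256 for i in range(64))
    blob = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
            + ssh_string(point))
    return "ecdsa-sha2-nistp256 %s root@example" % base64.b64encode(blob).decode()


def key_blob(pubkey_line):
    """Decode the base64 field of a '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob repeats the key type as its first string; they must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type inside the blob differs from the prefix")
    return blob


def fingerprint(pubkey_line, algo="sha256"):
    """Fingerprint in the form ssh and ssh-keygen display it."""
    blob = key_blob(pubkey_line)
    if algo == "md5":      # older display: 16 hex pairs joined by colons
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    if algo == "sha256":   # newer display: unpadded base64 of the digest
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("unsupported hash: %r" % algo)


def normalize(shown):
    """Classify a displayed fingerprint; return (algo, canonical form)."""
    shown = shown.strip()
    if shown.upper().startswith("SHA256:"):
        return "sha256", "SHA256:" + shown[7:].rstrip("=")
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    pairs = shown.lower().split(":")   # old releases print no "MD5:" prefix
    if len(pairs) == 16 and all(
            len(p) == 2 and set(p) <= set(string.hexdigits) for p in pairs):
        return "md5", "MD5:" + ":".join(pairs)
    raise ValueError("unrecognised fingerprint format")


def matches(pubkey_line, shown):
    """True if `shown` is this key's fingerprint, hashed the same way."""
    algo, canonical = normalize(shown)
    return fingerprint(pubkey_line, algo) == canonical


if __name__ == "__main__":
    line = constructed_pubkey_line()
    print(fingerprint(line, "md5"))
    print(fingerprint(line, "sha256"))
```

Feed `matches` the contents of the server's `.pub` file and the string the client printed; it picks the hash from the format of the displayed value, so both sides are always compared under the same function.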





























