51

I looked in the man page for ssh, but I am still clueless. When you connect to the remote host using ssh it shows something like this:

```
ssh user@10.11.12.13
The authenticity of host '10.11.12.13 (10.11.12.13)' can't be established.
ECDSA key fingerprint is SHA256:CwrcHjdd9349u38rj392fr9j389rj3298rj23.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```

As I understand:

  • Yes - connect and write the fingerprint in the known hosts file
  • No - do not connect (it shows "Host key verification failed.")

What is that 3rd option [fingerprint]?

Maris B.
    It's not really relevant to your question, but if you answer "yes", what gets added to the known hosts file is the host's public key, not the fingerprint. – David Z Jul 03 '21 at 00:06
  • Yes. The known_hosts file contains public keys. Thanks for noticing! – Maris B. Jul 04 '21 at 07:49
  • Related: [What is a SSH key fingerprint and how is it generated?](https://superuser.com/q/421997/87805) – kenorb Jun 19 '23 at 11:38

2 Answers

84

This prompt allows you to paste the actual fingerprint as a response; ssh itself will compare it against the public key seen over the network. If both match, the answer is assumed to be yes.

(Of course, you're supposed to copy the fingerprint from a reasonably trusted source – not from the same confirmation message!)

In addition to being faster than manual comparison, this avoids "fuzzy fingerprint" attacks where the fake host key has a fingerprint that is visually similar to the real one (as people often look only at the first and last few letters and skip the rest).

This feature was added in OpenSSH 8.0.

u1686_grawity
  • Fine, but how in the heck do you format it? I had the computer owner run "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key" and send me the output through a trusted channel, but every combination just returns "Please type 'yes', 'no' or the fingerprint:" – ebarrere Jun 01 '23 at 16:54
  • For the record, this "helpful" response occurs if you simply put a key that doesn't match... – ebarrere Jun 01 '23 at 17:04
0

To expand on @user1686's answer, at least for my ssh client (OpenSSH_9.0p1, LibreSSL 3.3.6 on Mac) the behavior when typing an incorrect key is confounding. Rather than presenting a message like "Keys don't match, exiting!" it just responds with "Please type 'yes', 'no' or the fingerprint:", leaving you to wonder if you have the right format...

It does accept the correct fingerprint, when entered as "{HASH_TYPE}:{HASH_FINGERPRINT}", e.g. SHA256:6IwH4s6MTcIsiC6vol79ODXqdFH1E3/qp/fQVj4jZ5q AND for the correct key type, negotiated earlier in the connection process.

Make sure you are checking the right key if the host has multiple types!

ebarrere
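Putting both answers together, here is an added example (my own code, not part of either post and not OpenSSH's implementation) that shows what the `[fingerprint]` option actually compares: the `SHA256:` fingerprint is the base64-encoded SHA-256 of the raw key blob with the `=` padding stripped, ssh compares the typed string against the whole value rather than its first and last few characters, and a host with several host key types has a separate fingerprint per type, so the one you verify must be for the type negotiated in the connection. The host key lines below are constructed placeholder blobs with no real key material, and the function names are mine.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(ktype: str, *fields: bytes, comment: str = "constructed") -> str:
    """Build a public-key line in the 'type base64-blob comment' layout used by
    known_hosts and ssh_host_*_key.pub. The field bytes are placeholders (no real
    key material); the fingerprint depends only on how the whole blob is encoded."""
    blob = _ssh_string(ktype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


def sha256_fingerprint(pubkey_line: str) -> tuple[str, str]:
    """Return (key_type, 'SHA256:<base64 without padding>') for one public-key line.
    Accepts both 'type blob [comment]' and the known_hosts 'host type blob [comment]' layout."""
    fields = pubkey_line.split()
    # The base64 blob always starts with "AAAA" (the 4-byte length of the embedded
    # type string, whose top three bytes are zero); the type field sits right before it.
    idx = next(i for i, f in enumerate(fields) if f.startswith("AAAA"))
    if idx == 0:
        raise ValueError("no key type field before the key blob")
    ktype, b64 = fields[idx - 1], fields[idx]
    blob = base64.b64decode(b64)
    # Consistency check: the blob embeds its own type string, which must match the declared one.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != ktype.encode():
        raise ValueError(f"declared type {ktype} does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return ktype, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_by_type(pubkey_lines) -> dict[str, str]:
    """Fingerprint every host key a server offers, keyed by type. The prompt shows only
    the type negotiated for this connection, so this is the table to look it up in."""
    result = {}
    for line in pubkey_lines:
        if line.strip() and not line.lstrip().startswith("#"):
            ktype, fp = sha256_fingerprint(line)
            result[ktype] = fp
    return result


def fingerprints_match(typed: str, shown: str) -> bool:
    """Strict whole-string comparison: what the client does with a fingerprint typed at the prompt."""
    return hmac.compare_digest(typed.strip().encode(), shown.encode())


def looks_similar_at_a_glance(a: str, b: str, n: int = 4) -> bool:
    """The human shortcut: compare only the first and last n characters of the hash part."""
    a_hash, b_hash = a.split(":", 1)[1], b.split(":", 1)[1]
    return a_hash[:n] == b_hash[:n] and a_hash[-n:] == b_hash[-n:]


def make_fuzzy(fp: str, position: int = 12) -> str:
    """Constructed look-alike fingerprint: same ends, one character changed in the middle."""
    hash_part = fp.split(":", 1)[1]
    replacement = "A" if hash_part[position] != "A" else "B"
    return "SHA256:" + hash_part[:position] + replacement + hash_part[position + 1:]


# Constructed sample: one host offering three key types (placeholder blobs, not real keys).
HOST_KEY_LINES = [
    "# constructed sample host keys, no real key material",
    build_pubkey_line("ssh-ed25519", bytes(range(32))),
    build_pubkey_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)),
    build_pubkey_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(256)),
]

if __name__ == "__main__":
    table = fingerprints_by_type(HOST_KEY_LINES)
    for ktype, fp in table.items():
        print(f"{ktype:22} {fp}")
    real = table["ssh-ed25519"]
    fuzzy = make_fuzzy(real)
    print("glance check passes on look-alike:", looks_similar_at_a_glance(real, fuzzy))
    print("ssh full comparison on look-alike: ", fingerprints_match(fuzzy, real))
    print("wrong key type for this connection:", fingerprints_match(table["ssh-rsa"], real))
```

The value you type at the prompt is the second column of `ssh-keygen -lf <hostkey>` output (`256 SHA256:... comment (ED25519)`), and it has to be the line for the key type named in the prompt; a fingerprint for one of the host's other keys fails the comparison exactly like a typo does, which is why the client just re-prompts.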