Thomas' Tech Tips

How to verify SSH host key fingerprint

13 September 2022 - Thomas Damgaard

The first time you connect to an SSH server, you are prompted with something like this:

$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:KjlF1ap7Z1+UFKMGdV6q+Ivi8JzsUFFI6ycSLeOpHYE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

Do NOT just type yes. You need to verify that the host key fingerprint really belongs to the server you meant to reach. If you accept a key you have not checked, an attacker sitting between you and the server (a man-in-the-middle) can present their own host key, and SSH will happily encrypt your whole session, password included, to the attacker instead. Once you answer yes, the key is saved in ~/.ssh/known_hosts and every later connection to that host is checked against it, so this first check is what all of them rest on.

If you have access to the remote server by some other secure channel (e.g. physical access or a console), run this command on the server to print its host key fingerprint:

$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
256 SHA256:KjlF1ap7Z1+UFKMGdV6q+Ivi8JzsUFFI6ycSLeOpHYE root@debian (ECDSA)

(Use the public key file for the key type named in the prompt: the prompt above says ECDSA, so compare against ssh_host_ecdsa_key.pub. A server normally has several host keys (RSA, ECDSA, Ed25519), each with its own fingerprint, and which one the client shows you depends on the algorithms the client offers, so if in doubt run the command on every /etc/ssh/ssh_host_*_key.pub file. ssh-keygen -lf also accepts the private key file. Older clients show an MD5 fingerprint as colon-separated hex instead; add -E md5 to ssh-keygen to print that form.)

Now compare this fingerprint with the one in the prompt, character for character, including the hash name (SHA256:). Accept the connection only if they match exactly. Recent OpenSSH clients also let you paste the fingerprint at the prompt instead of typing yes (that is the [fingerprint] option shown above); the client then does the comparison for you and only adds the key if it matches.
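The fingerprint in the prompt is not a hash of the .pub file's text but of the raw key blob (the base64 part of the line), so the trailing comment and, in known_hosts, the leading host field play no part in it. The script below is an added example, not code from the original post or from OpenSSH: it recomputes the fingerprint the way ssh-keygen -l prints it (SHA256 as unpadded base64, MD5 as colon-separated hex), checks that the key type declared on the line matches the type stored inside the blob, and compares an expected fingerprint strictly rather than by prefix. This lets you check a public key file or a known_hosts entry you received out of band even on a machine without ssh-keygen. The key lines it uses are constructed placeholders, not real server keys, and the helper names (build_pubkey_line, fingerprints_match) are this example's own.

```python
import base64
import hashlib
import struct

# Key type strings as they appear at the start of a public key line and,
# again, as the first field inside the key blob itself.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble a .pub-style line from its blob fields (used for the constructed samples)."""
    blob = ssh_string(key_type.encode("ascii")) + b"".join(ssh_string(f) for f in fields)
    line = key_type + " " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line


def parse_pubkey_line(line: str) -> tuple:
    """Return (declared type, decoded blob, comment) for a public key line.

    Accepts both the .pub file format ("<type> <base64> [comment]") and the
    known_hosts format ("<hosts> <type> <base64> [comment]").
    """
    parts = line.strip().split()
    if len(parts) >= 3 and parts[0] not in KEY_TYPES:
        parts = parts[1:]  # drop the known_hosts host field
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    blob = base64.b64decode(b64, validate=True)
    return declared_type, blob, comment


def blob_key_type(blob: bytes) -> str:
    """Return the key type string stored as the first field of the blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")


def fingerprint(line: str, algo: str = "sha256") -> str:
    """Fingerprint of the key in `line`, in the format ssh-keygen -l prints.

    SHA256: base64 of the SHA-256 digest of the raw blob, '=' padding removed.
    MD5:    colon-separated hex of the MD5 digest (older clients, ssh-keygen -E md5).
    """
    declared_type, blob, _comment = parse_pubkey_line(line)
    embedded = blob_key_type(blob)
    if embedded != declared_type:
        raise ValueError(f"declared type {declared_type!r} but blob says {embedded!r}")
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    if algo == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    raise ValueError("algo must be 'sha256' or 'md5'")


def fingerprints_match(expected: str, presented: str) -> bool:
    """Exact comparison after trimming whitespace; a matching prefix is not enough."""
    return expected.strip() == presented.strip()


# Constructed samples (not real server keys): an Ed25519 line with an arbitrary
# 32-byte key value, and an ECDSA P-256 blob with a placeholder point encoding.
SAMPLE_ED25519 = build_pubkey_line("ssh-ed25519", bytes(range(32)), comment="root@debian")
SAMPLE_ECDSA = build_pubkey_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_ECDSA):
        print(fingerprint(sample), "(" + parse_pubkey_line(sample)[0] + ")")
        print(fingerprint(sample, "md5"))
```

To check a key you were given, run fingerprint() on the line from the .pub file (or the entry ssh wrote to ~/.ssh/known_hosts) and pass the result together with the fingerprint from the prompt to fingerprints_match(); the output for a real key is identical to what ssh-keygen -lf prints for the same file.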

If you do not already have a secure channel to the server (e.g. the remote server is someone else's), ask the host's admin for the fingerprint through a channel you already trust: in person, by phone, or from the provider's documentation page over HTTPS. A fingerprint that reaches you over the same untrusted network path, such as an unsigned e-mail from an address you cannot verify, proves nothing, because whoever can intercept your SSH connection can just as easily send you the fingerprint of their own key.

Filed under: howto, security, ssh, tips